Rootkits: the basics

1
Rootkits the basics

• Tim Shelton
• BL4CK Black Security
• redsand_at_blacksecurity.org
• http//blacksecurity.org

2
Introduction

• Black Security Research Group
• Exploitation
• Windows
• Linux / BSD / NIX
• Embedded Systems
• Information Security Research Analysis
• Application Security Development

3
Rootkits

• Rootkits Common Techniques
• Windows Rootkits Malware
• DLL Injection
• Process Injection
• User-land / Kernel-land Attacks
• Linux / BSD Rootkits
• User-land Rootkit
• Kernel-land Rootkit
• Mac OSX Rootkits
• User-land Rootkit
• Kernel-land Rootkit

4
User-Land vs. Kernel-Land

• Multi-Layers of an Operating System
• User-Land
• Your personal applications run within this space
• In case your application crashes, it will not
  affect the stability of the entire system.
• Kernel-Land
• This is the heart of your O/S.
• Kernel Drivers
• Virtual Memory Manager

5
Windows User-Land vs. Kernel-Land
Environment Subsystems
System Service Processes
User Apps
POSIX
OS/2
Win32
Subsystem DLL
User
Kernel
Executive
Win32 User/GDI
Device Drivers
Kernel
Hardware Abstraction Layer (HAL)
6
Kernel-Land

• Kernel-Land
• Kernel Drivers
• Virtual Memory Manager
• Hardware Abstraction Layer
• Startup/Shutdown Procedure

7
Windows User-Land vs. Kernel-Land
8
Windows Rootkits

• History
• User-Land
• NTIllusion DLL User-Land Rootkit
• Vanquish DLL Injection based Romanian rootkit
  Detour Patching Example
• IAT Rootkit by Darkeagle(http//eagle.blacksecur
  ity.org)
• Kernel-Land
• Greg Hoglunds NT Rootkit
• FU by fuzen_op

9
Windows Rootkits

• Expected Behaviors
• Resource Hooking Monitoring
• Registry/Process Hiding
• File I/O (ZwOpen,ZwClose, etc)
• Network NDIS/TDI
• MSGina Hooking
• Keystroke Logger (simple)
• Theft of Personal Data
• Remote Communication/Control

10
Windows User-Land Rootkits

• How does it work?
• Patching Static Binaries
• Modifying binaries to hide results
• Task Manager / Process Explorer
• Netstat / ipconfig
• More
• Remote Code Injection
• Remote Thread Injection / DLL Injection
• Controlling each User-Land processes

11
Windows User-Land Rootkits

• How does it work?
• Patching Static Binaries
• The Oldest trick in the book
• Replacing common Operating System utilities used
  for tracking down malicious activity, hindering
  those local tools from finding out what is
  really happening.
• Common Issues
• Can become tedious, may miss some of the tools
  available.
• Your rootkit package will become increasingly
  larger and may risk being noticed.
• Cannot bypass file-system integrity checks.
  (Tripwire, Determina, etc)

12
Windows User-Land Rootkits

• How does it work?
• Remote Code Injection
• Remote DLL Injection
• Attacking each User-Land process will allow us to
  control those processes.
• Whats stopping us from recursively injecting
  ourselves into every process we can?

13
Windows User-Land Rootkits

• Remote Code Injection
• Remote Thread Injection
• Foundational building block of DLL Injection
• Maximum size of remote thread is 4k (Default
  size of a page of virtual memory)
• One way to copy some code to another process's
  address space and then execute it in the context
  of this process involves the use of remote
  threads and the WriteProcessMemory API. Basically
  you copy the code to the remote process directly
  now - via WriteProcessMemory - and start its
  execution with CreateRemoteThread.

14
Windows User-Land Rootkits
15
Windows User-Land Rootkits

• Remote Code Injection
• How Can We Inject Our Thread?
• Windows NT/2k/XP/2k3 Methodology
• Our objective copy some code to another
  process's address space and then execute it in
  the context of this process.
• This technique involves the use of remote threads
  and the WriteProcessMemory API.
• Basically you copy the code to the remote process
  directly now - via WriteProcessMemory - and start
  its execution with CreateRemoteThread.

16
Windows User-Land Rootkits

• Remote Code Injection
• What is the IAT Table?
• PE (Portable Executable) Format
• A global table that contains a list of all the
  function pointers to any function mapped into the
  running process
• This table is unique per process so it must be
  duplicated within all processes.

17
Windows User-Land Rootkits

• Remote Code Injection
• What is function hooking?
• Redirecting the pointer of the function to
  your malicious fake function.
• Also called function proxying
• Two methods of Function Proxying
• Pointer Patching (easily detected)
• Detour Patching (harder to detect)

18
Rootkit Basics

• Pointer Patching
• Operating Systems use Global Tables to keep track
  of all the functions available from within a
  process.
• By modifying one of these pointers to a function
  with a pointer to our proxy function, we can
  intercept the request and parse the results.

19
Rootkit Basics

• Pointer Patching
• Why is this so bad?
• Rootkit detectors can read the operating system
  and compare those tables to original copies,
  looking for changes.
• If it finds a discrepancy, it will report as
  hooked

20
Rootkit Basics

• Detour Patching
• What is detour patching?
• By directly modifying the first few bytes
  immediately after the function located in memory,
  we can insert a detour
• Detour FAR JMP 0xDEADBEAF
• Where 0xDEADBEAF is a 4-byte pointer to your
  malicious proxy function
• Total patch size 7 bytes

21
Rootkit Basics

• Detour Patching
• Why is this so bad?
• Rootkit detectors can read the first few bytes
  looking for inappropriate FAR JMP calls.
• So will rootkits ever be undetectable?
• Thats why blackhats are driven to continue our
  research for 0day

22
Windows Kernel-Land Rootkits

• Kernel-Land Rootkits
• A malicious Kernel Driver
• Most of the functions you need to monitor are
  all accessible directly from Kernel-Land
• Functions found in the SSDT (System Service
  Descriptor Table)
• similar to the User-Land IAT Table

23
Windows Kernel-Land Rootkits

• Kernel-Land Rootkits
• A malicious Kernel Driver
• Hook any exported Kernel API functions in
  order to monitor the results it returns
• Detour Patching Kernel API functions
• Hooking interrupts

24
Linux Rootkits

• History
• User-Land
• SSHEater-1.1 by Carlos Barros
• Kernel-Land
• Static-Xs Adore-NG 2.4/2.6 kernel rootkit
• Rebels phalanx (patches /dev/mem)rebel_at_blacksec
  urity.org

25
Linux Rootkits

• User-Land
• Patch User binaries (as before)
• Contains same faults as Windows User-Land binary
  patching
• Can still hook the GOT (Global Offset table)
• Kernel-Land 2.4/2.6
• Hook the SYS_CALL Table, Interrupt Descriptor
  Table, and Global Descriptor Table
• Detour Patching
• Directly patch /dev/mem or /dev/kmem

26
Linux Rootkits

• User-Land
• Signal Injection Injecting your own thread into
  a running process using PTRACE_ATTACH and
  PTRACE_DETACH will allow your remote-thread to
  hook the GOT and other functions for a complete
  user-land runtime rootkit.
• Example SSHeater-1.1

27
Linux User-Land Rootkits

• Remote Code Injection
• How Can We Inject Our Thread?
• Linux / BSD Methodology
• Our objective copy some code to another
  process's address space and then execute it in
  the context of this process.
• This technique involves the use of injecting
  remote signal handlers to take over the flow of
  execution(similar to how a debugger functions)
• By using ptrace-injection, we are able to
  PTRACE_ATTACH to the target process, inject our
  own malicious code, and then finally
  PTRACE_DETACHhttp//linuxgazette.net/issue83/san
  deep.htmlhttp//linuxgazette.net/issue85/sandeep.
  html

28
Linux User-Land Rootkits

• Remote Code Injection
• Linux Fluffy-Virus
• First public linux user-land injection proof of
  concept code
• http//www.tty64.org/doc/infschedvirii.txt
• Methodology
• Loader
• Attach to process Inject both pre-virus and
  virus code
• Set EIP to pre-virus code
• Pre-Virus
• Register SIGALRM Signal Handler
• Hand control back to process
• Virus
• SIGALRM Handler invoked
• Begin our malicious code
• Jump back to pre-virus code

29
Linux Rootkits

• Issues with User-Land Rootkits
• File Integrity tools such as Tripwire cannot be
  tricked by changing your backdoored binaries
  alone
• One Way to trick Tripwire
• Write your own remote patching thread to inject
  into Tripwire to hide the results(this would
  take research)

30
Linux Rootkits

• Kernel-Land
• 2.4 Kernel SYS_CALL table is exported (so its
  easy to hook functions)
• 2.6 Kernel SYS_CALL table is hidden
• SuckIT scans the IDT (Interrupt Descriptor
  Table) for FAR JMP 0xSCTeax

31
Linux Rootkits

• Kernel-Land
• Proxy system calls necessary to trick the user
• File I/O Functions
• Look for read() of /etc/shadow
• Hide other processes from /proc snooping
• Socket I/O Functions (sniffing)
• Sniff username/passwords

32
Linux Rootkits

• Kernel-Land
• What does this mean?
• Rootkits target specific installs
• Rootkit targeting GRSEC
• Rootkit targeting SELINUX
• etc

33
Linux Rootkits

• Issues with Kernel-Land Rootkits
• Requires a stealthy way to load your rootkit into
  the kernel.
• Rootkit is vulnerable to detection if loader is
  not written properly
• What can we patch that is reliable?
• hostname
• uname
• other binaries executed on startup

34
Mac OSX Rootkits

• History
• Still in early stages of research
• Nemo released WeaponX as an original
  Proof-of-Concept
• Mac responded by hardening their O/S Internals
• Nemo responded (like any self-respecting
  blackhat) with his own improved rootkit

35
Mac OSX Rootkits

• Remote Code Injection
• How Can We Inject Our Thread?
• Mac OSX Methodology
• Our objective copy some code to another
  process's address space and then execute it in
  the context of this process.
• This technique involves the use of injecting
  remote signal handlers to take over the flow of
  execution(similar to how a debugger functions)

36
Mach OsX Remote Injection

• / get the task for the pid /
• Open Up the Process
• / allocate memory for shellcode /
• vm_allocate(task_address, size)
• / write shellcode /
• vm_write(task,address,shellcode)
• / overwrite pointer /
• vm_write(task offset,pointer address)

37
Mac OSX Rootkits

• Kernel-Land
• WeaponX
• SYSENT Table exported so its easy to locate and
  hook
• Shortly after Nemo released WeaponX, Mac no
  longer exported the SYSENT Table
• SYSENT possible to utilize unix_syscall() which
  is an exported symbol to locate the unique
  location of the SYSENT Table.

38
Extended

• Rootkits to hide files in your
• Video Drivers memory
• NIC Memory
• Sound Card memory
• BIOS/CMOS (eEye bootLoader)
• the sky is the limit

39
Questions?

• O
• ltgt
• /\

40
About Us

• Black Security Research
• http//blacksecurity.org
• redsand_at_blacksecurity.org
• Tim Shelton
• Thanks to
• Nemo AndrewG http//felinemenace.org
• Rebel
• Izik TTY64 Project http//tty64.org
• black crew