Rootkits for Windows - PowerPoint PPT Presentation

Provided by: tomn8
Slides: 18

Transcript and Presenter's Notes

1
Rootkits for Windows
  • Source: Rootkits: Subverting the Windows Kernel, Hoglund and Butler
  • A rootkit is not an exploit
  • It is a tool used once an exploit has succeeded

2
Why can rootkits exist?
  • Windows is complex and flexible
  • Many entities are interested in developing and
    deploying rootkits, hence the serious effort: not
    just script kiddies
  • Other OSes are also vulnerable
  • Continuing struggle between rootkit developers
    and rootkit adversaries
  • Rootkit techniques are often part of legitimate
    software, e.g., antispyware and antivirus utilities
  • Languages and hardware are unsafe: languages are
    not type-safe, and hardware has many places to hide

3
What can rootkits do?
  • Just about anything, and they can hide very well
  • Examples
      • Keystroke logging
      • Surreptitious Internet connections
      • Concealed processes
      • Registry modifications
      • Processes that restart at boot time

4
Some basic types of rootkits
  • Byte patching
      • Direct modification of a running program
      • Can be done in userland, or in the kernel if you
        have kernel access
  • Easter eggs
      • Built in by the original programmer or vendor
      • A hidden entry point, such as the game embedded
        in an Excel cell
  • Spyware modifications
      • Spyware inserted into browsers to track sites
        visited or broadcast other user activities
  • Source code modification
      • Really the same idea as easter eggs
      • Implanted backdoors or malicious software
      • Often possible because of incomplete review or
        conceptual complexity

5
What a rootkit is not
  • Not a virus
      • It doesn't reproduce or propagate itself
  • Not an exploit
      • It may be installed after a successful exploit
      • But the technology can be used by viruses
  • Exploits are more widely known than rootkit
    technology
      • Typically 100 or so exploits exist for Explorer
        alone
      • Microsoft and other vendors patch silently; you
        get the fixes if you download updates frequently,
        but the unfriendlies get the same updates too

6
Types of rootkit offense and defense
  • Defense
      • HIDS (host-based intrusion detection)
      • NIDS (network-based intrusion detection)
  • Offense
      • Bypassing both of these methods
      • Bypassing forensic tools (forensics in this sense
        is evidence analysis)
  • Some commercial packages
      • Blink (eEye Digital Security, www.eEye.com)
      • Integrity Protection Driver (IPD,
        www.pedestal.com)
      • Entercept (www.networkassociates.com)
      • Cisco Security Agent (www.cisco.com)
      • LIDS (Linux Intrusion Detection System,
        www.lids.org)

7
Kernel Subversion Techniques
  • Relatively few OSes are common
      • PC architecture: Windows, Linux
      • Embedded systems: VxWorks
      • Workstations: Solaris,
      • Gadgets (cellphones): Symbian
  • Thus rootkits can have wide scope
  • Consider the effect of a cellphone virus -

8
The operating system services
9
Where do rootkits hide
  • Device drivers and devices
  • Network operations
      • NDIS
      • TDI
  • Registry
      • Effective, but many interactions have made it
        unreliable
  • Boot service
      • Boot ROM, bootloader, NVRAM; a forced restart to
        install the rootkit
  • Process hiding
      • DKOM (Direct Kernel Object Manipulation)

10
Introducing rootkits
  • Device drivers (loadable modules)
      • Windows readily loads device drivers, even
        third-party ones
      • A module includes an entry point for installation
        and a cleanup routine for uninstall, so a device
        driver can start and disappear
      • Readily built from the Windows DDK (a freebie);
        it can build regular executables as well
      • Contains many libraries, which has two advantages:
          • Code reuse
          • Because they are used by other programs they
            may not be suspected by intrusion detection

11
Structure of a fusion rootkit
  [Diagram: kernel driver (stealth protection,
  keyboard sniffer, packet sniffer, modifications to
  the main OS kernel) plus a user-mode program with a
  TCP port for remote control]
  • The fusion rootkit uses capabilities of both
    modes to reach the various access points
  • Note the driver is a fairly normal driver once
    inserted; the modifications register it
  • The user-mode program invokes it

12
The critical structures of the processor
  • Control registers
      • CR0 holds the processor's protection flags (e.g.,
        the WP write-protect bit); changing it can disable
        much of the protection
      • CR3 is the page-directory base register; changing
        it installs an entirely new set of page tables and
        thus a new view of memory
      • The descriptor tables (GDT/LDT) are pointed to by
        GDTR and LDTR, not by CR3; new descriptors mean
        new segments
  • IDTR: the interrupt descriptor table pointer register
  • IDT: the interrupt descriptor table itself
  • The system service descriptor table (SSDT)
      • Reached by INT 2E or by the SYSENTER instruction
  • Only in supervisor mode
      • You can do IN, OUT and the privileged instructions
        (MOV CRn, LGDT, LIDT) that modify these registers

13
The critical OS structures
  • These are OS but not hardware supported

14
The age-old art of hooking (title from book, not
from me)
  • Hooking
      • Attaching oneself to an existing service
      • When the original service is called, yours is
        used instead
      • Generally the original link is preserved, for
        restoring it or for concealing your use of the
        service
  • Example of what you hook into: a FindNextFile call
      • In user mode
          • The user process calls FindNextFile, which is
            in kernel32.dll
          • Preparing to enter the kernel:
            NtQueryDirectoryFile in ntdll.dll
          • Now the system call is made by INT 2E or
            SYSENTER
      • In the kernel
          • KiSystemService
          • NtQueryDirectoryFile in ntoskrnl.exe

15
Hooking itself
  • API hooking
      • kernel32.dll is mapped into your address space,
        so you can overwrite its functions with your own
      • For example, you can insert handcrafted machine
        code or overwrite the import table
  • Import table hooking
      • When an application uses functions from another
        binary, the pointer to each function is inserted
        into the application's IAT (import address table)
      • This is still in user space, so it can be
        modified to point at your DLL instead
  • Inline function hooking
      • A short jump is written over the first 5 bytes of
        the function preamble (most functions begin with
        the same prologue, so those bytes can be
        overwritten and executed later from the hook)
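The two previous slides describe the FindNextFile call path and import-table hooking; the following is an added example (not code from the slides or from the Hoglund and Butler book) that simulates both in plain user-mode C. The "IAT" is a constructed struct of function pointers, the enumerator and its directory listing are constructed stand-ins for FindNextFile, and the hidden-name prefix `_root_` is an assumption. The hook overwrites the IAT slot, keeps the original pointer so it can forward to it and later restore it, and filters hidden names out of what the application sees.

```c
/* Added example: user-mode simulation of IAT hooking around a FindNextFile-like
 * enumerator. Not from the slides or the book; the IAT, listing and prefix are
 * constructed. A real hook would find the slot via the PE import directory. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HIDE_PREFIX "_root_"   /* assumption: names the rootkit wants hidden */

/* Constructed directory listing, in enumeration order. */
static const char *kListing[] = {
    "boot.ini", "_root_kit.sys", "notepad.exe", "_root_cfg.dat", "win.ini"
};
#define LISTING_LEN (sizeof kListing / sizeof kListing[0])

/* Stand-in for the real API: copy the next name into out; 1 on success, 0 at end. */
typedef int (*find_next_fn)(size_t *cursor, char *out, size_t outlen);

static int real_find_next(size_t *cursor, char *out, size_t outlen) {
    if (*cursor >= LISTING_LEN) return 0;
    snprintf(out, outlen, "%s", kListing[(*cursor)++]);
    return 1;
}

/* The application's import address table: one slot per imported function. */
struct iat { find_next_fn find_next; };
static struct iat g_iat = { real_find_next };

/* The hook keeps the original pointer so it can forward to it and restore it. */
static find_next_fn g_orig_find_next = NULL;

static int hooked_find_next(size_t *cursor, char *out, size_t outlen) {
    /* Pull entries from the real function, skipping any with the hidden prefix. */
    while (g_orig_find_next(cursor, out, outlen)) {
        if (strncmp(out, HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0) return 1;
    }
    return 0;
}

int install_iat_hook(void) {
    if (g_orig_find_next) return 0;          /* already hooked */
    g_orig_find_next = g_iat.find_next;      /* preserve the original link */
    g_iat.find_next = hooked_find_next;      /* overwrite the IAT slot */
    return 1;
}

int remove_iat_hook(void) {
    if (!g_orig_find_next) return 0;
    g_iat.find_next = g_orig_find_next;      /* restore the original link */
    g_orig_find_next = NULL;
    return 1;
}

/* What the application sees: enumerate through the IAT slot and count entries. */
int count_visible_entries(void) {
    size_t cursor = 0; char name[64]; int n = 0;
    while (g_iat.find_next(&cursor, name, sizeof name)) n++;
    return n;
}

/* Detection from the application's side: does the slot still point at the real
 * function? A real checker compares the slot against the DLL's export address. */
int iat_slot_is_original(void) { return g_iat.find_next == real_find_next; }

int main(void) {
    printf("before hook:  %d entries, slot original=%d\n",
           count_visible_entries(), iat_slot_is_original());
    install_iat_hook();
    printf("after hook:   %d entries, slot original=%d\n",
           count_visible_entries(), iat_slot_is_original());
    remove_iat_hook();
    printf("after unhook: %d entries\n", count_visible_entries());
    return 0;
}
```

The point the simulation makes is the one on the slide: the hook lives entirely in the application's own address space, nothing in the kernel changes, and the only trace is that one IAT slot no longer points where the loader put it, which is exactly what an IAT-integrity check looks for.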

16
More hooking
  • Registry hooking
      • Insert under HKEY_LOCAL_MACHINE\... a value that
        points to your own DLL
  • Injecting using Windows hooks
  • Injecting using CreateRemoteThread
  • Kernel hooks
      • The preceding are all installed in user space and
        are somewhat easy to detect
      • Kernel hooks are installed in kernel memory
      • This is done by installing a corrupt device
        driver that hooks the System Service Descriptor
        Table, which is how system calls get routed
        immediately after SYSENTER
      • Note the similarity to the INT 21H ISR in DOS

17
Basics of rootkit detection
  • File-system integrity, e.g., Tripwire detecting a
    rootkit image on disk
  • Memory examination
      • Detected as it loads
          • The IPD program scanned a long list of functions
      • Periodic memory scans (rather than at load time)
          • Walking the SSDT and checking that each entry
            points into a legitimate loaded module
          • Finding the detour patches in inline-hooked
            functions; these are in the first few bytes
          • Interrupt table based scans
      • Downloading rootkits from rootkit.com shows these
        examples
  • Functional tests
      • Detecting unusual return values from system calls
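Two of the memory checks listed above, the detour scan and the SSDT range check, are shown below as an added example (not code from the slides or the book) that runs over constructed byte buffers rather than live kernel memory. The x86 prologue bytes (mov edi,edi; push ebp; mov ebp,esp) and the E9 rel32 jump encoding are real; the function address, the ntoskrnl and driver image ranges, the driver name and the four service-table entries are made-up values chosen so that one entry points into the driver. The example also writes the detour itself, so the detector can be checked against exactly what an inline hook leaves behind.

```c
/* Added example: detour-patch and SSDT range checks over constructed buffers.
 * Not from the slides or the book; all addresses and image ranges are made up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard hot-patchable prologue on x86 Windows: mov edi,edi ; push ebp ; mov ebp,esp */
static const uint8_t kPrologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

enum detour_kind { DETOUR_NONE = 0, DETOUR_JMP_REL32, DETOUR_CALL_REL32,
                   DETOUR_PUSH_RET, DETOUR_UNKNOWN };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* What an inline hook writes over the prologue: E9 rel32, with rel32 taken
 * relative to the end of the 5-byte instruction. */
void write_jmp_detour(uint8_t *code, uint32_t func_va, uint32_t hook_va) {
    code[0] = 0xE9;
    wr32le(code + 1, hook_va - (func_va + 5));
}

/* Detection: classify the first bytes of the function at func_va. On a detour,
 * *target receives the address control is diverted to. */
enum detour_kind classify_prologue(const uint8_t *code, size_t len,
                                   uint32_t func_va, uint32_t *target) {
    *target = 0;
    if (len < 5) return DETOUR_UNKNOWN;
    if (memcmp(code, kPrologue, 5) == 0) return DETOUR_NONE;
    if (code[0] == 0xE9 || code[0] == 0xE8) {               /* JMP/CALL rel32 */
        *target = func_va + 5 + rd32le(code + 1);
        return code[0] == 0xE9 ? DETOUR_JMP_REL32 : DETOUR_CALL_REL32;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {  /* PUSH imm32 ; RET */
        *target = rd32le(code + 1);
        return DETOUR_PUSH_RET;
    }
    return DETOUR_UNKNOWN;
}

struct module_range { const char *name; uint32_t base; uint32_t size; };
/* Unsigned wrap-around makes this a single comparison for base <= va < base+size. */
static int in_module(uint32_t va, const struct module_range *m) { return va - m->base < m->size; }

/* Constructed module list and service table (made-up values); entry 2 points
 * into the driver image, not into ntoskrnl. */
static const struct module_range kNtoskrnl   = { "ntoskrnl.exe", 0x80400000u, 0x00200000u };
static const struct module_range kRootkitDrv = { "evil.sys",     0xF8A00000u, 0x00010000u };
static const uint32_t kFakeSsdt[] = { 0x8050A000u, 0x8050B120u, 0xF8A01230u, 0x80512340u };

/* Count SSDT entries outside the allowed modules; *first_bad gets the first such index or -1. */
int check_ssdt(const uint32_t *ssdt, size_t n, const struct module_range *allowed,
               size_t nallowed, int *first_bad) {
    int bad = 0;
    *first_bad = -1;
    for (size_t i = 0; i < n; i++) {
        int ok = 0;
        for (size_t j = 0; j < nallowed && !ok; j++) ok = in_module(ssdt[i], &allowed[j]);
        if (!ok) { if (*first_bad < 0) *first_bad = (int)i; bad++; }
    }
    return bad;
}

int demo_ssdt_bad_count(int *first_bad) {
    return check_ssdt(kFakeSsdt, sizeof kFakeSsdt / sizeof kFakeSsdt[0], &kNtoskrnl, 1, first_bad);
}

int main(void) {
    uint8_t fn[16] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };  /* clean prologue */
    uint32_t func_va = 0x8050A000u, target;
    int first;
    printf("clean:   kind=%d\n", classify_prologue(fn, sizeof fn, func_va, &target));
    write_jmp_detour(fn, func_va, 0xF8A01230u);                           /* rootkit patches it */
    printf("patched: kind=%d target=%08X in %s=%d\n",
           classify_prologue(fn, sizeof fn, func_va, &target), target,
           kRootkitDrv.name, in_module(target, &kRootkitDrv));
    printf("ssdt:    %d bad entries, first at index %d\n", demo_ssdt_bad_count(&first), first);
    return 0;
}
```

Both checks only say "something points outside where it should"; resolving the target back to a loaded module (the driver list) is what turns that into an accusation, and a rootkit that hides its own driver from that list is exactly why the slide also lists functional tests alongside memory scans.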