Rootkits CIS 413
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.
Dr. Stephen C. Hayne

Traditional RootKits
- Replace key system components
- Less detectable than application-level Trojan Horse Backdoors
- Traditionally focus on UNIX systems
- Root access is required initially

Traditional RootKits
- On Windows systems: RootKits replace Dynamic Link Libraries or alter the system
- On UNIX systems: RootKits replace /bin/login with a backdoor version of /bin/login

Traditional RootKits
- When an attacker enters the backdoor password, access is given to the system
- The backdoor password still works if other passwords are changed
- Logins by the backdoor user are not recorded in log files

Traditional RootKits
Some other programs replaced:
- du (shows free disk space): the RootKit hides space used by attacking tools
- find (finds files): hides the attacker's files
- ifconfig (shows status of interfaces): masks promiscuous mode
- ls (shows contents of directories)

Traditional RootKits
- "Original" Linux RootKit 5 (lrk5), written by Lord Somer
- One of the most full-featured RootKits
- Includes Trojan versions of the following: chfn, chsh, crontab, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su

Defending against Traditional RootKits
- Remember: root-level access is needed to install a RootKit...
- Use the "echo *" command to look for changes
- Get a program to scan /bin/login and see if it has been corrupted
- Use a File Integrity Checker such as Tripwire
- Save hashes on read-only media

Tripwire
- Available from www.tripwire.org
- First of the file integrity checkers
- Unix and Windows versions available
- Network-capable versions available
- Useful in finding trojan programs
The integrity checker class of tools is the most useful in finding rootkits on a system. Tripwire is one of the first file integrity checkers. Basically, tripwire compares file signatures against previous tripwire runs in order to determine which files have changed. There are two important things to remember when using this tool. First, you must run tripwire just before your system goes into production. This establishes a baseline database, and you must place this database in some protected area, usually another system or offline media. Second, you should make periodic tripwire runs to maintain a current database. If you run tripwire infrequently, your output file will be fairly large. Commercial versions of tripwire now have a remote management facility that allows you to run tripwire on multiple machines and collect the data from the runs at a central site.

Tripwire
Generates a "signature" for each file based on checksums and other characteristics. These signatures are stored in a database file that should be kept offline. This is the baseline. If you use tripwire properly, you should be able to quickly find and isolate trojan programs that have been installed on your systems by hackers. Kernel module attacks are about the only threat to tripwire if you use it properly.

Tripwire
- List of files to check: tw.config
- All files in a directory will be checked
- Can prune directories from the check step
- Can examine just the directory and nothing else
- Can check by access time, but this is not recommended since you'll get a report of everything that changed. Everything!
Tripwire lets you decide which files should be checked. Obviously, you don't want to check EVERY file on the system, since there are temporary files that change constantly. It is good practice to check the system binaries and directories.

Tripwire
- To initialize the DB: tripwire -initialize
- Update DB interactively: tripwire -interactive
- Non-interactive DB update: tripwire -update <FN>

[Screenshot of Tripwire output]
This is an example of Tripwire output. The right arrow points to the column that says what it thought the file's signature should be. The left arrow points to what it is on the target system. Just because a file shows up in this report doesn't mean there is a problem. The /etc/.mnttab.lock file is a temporary file, and you would expect it to change over time. /etc/inetd.conf, on the other hand, is a critical system file, and any changes to it should be well documented in your changelog. If you can't account for a change, assume the worst.
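The baseline-then-compare workflow of the Tripwire slides above, as an added example that is not part of the original slides and not Tripwire's own code: a small Python integrity checker that signatures a directory tree, serialises the baseline as JSON (standing in for the database you would keep on read-only media), prunes a temporary directory the way a tw.config prune entry would, and reports changed, added and removed files. The tree, its file names (bin/login, etc/inetd.conf, tmp/.mnttab.lock, bin/.rk) and their contents are all constructed for the demo.

```python
import hashlib
import json
import os
import stat
import tempfile

# Subtrees excluded from the check, like prune entries in tw.config (constructed choice).
PRUNE = ("tmp",)


def file_signature(path):
    """Tripwire-style 'signature': content hash plus attributes a trojan swap disturbs."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def scan(root, prune=PRUNE):
    """Signature every regular file under root, skipping pruned subtrees.
    Keys are paths relative to root, so a baseline made on one host can be
    compared against a copy of the same tree elsewhere."""
    sigs = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk honours in-place edits to dirnames: drop pruned dirs before descending.
        dirnames[:] = [d for d in dirnames
                       if os.path.relpath(os.path.join(dirpath, d), root) not in prune]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                sigs[os.path.relpath(full, root)] = file_signature(full)
    return sigs


def compare(baseline, current):
    """Diff two signature maps into the three classes a Tripwire report shows."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a fake system tree, then swap a binary, drop a
    new file and touch a temp file; only the first two should be reported."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mode=0o755):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        put("bin/login", b"#!/bin/sh\n# constructed stand-in for the real login binary\n")
        put("bin/ls", b"#!/bin/sh\n# constructed stand-in for ls\n")
        put("etc/inetd.conf", b"telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n", 0o644)
        put("tmp/.mnttab.lock", b"", 0o644)

        # 1. Baseline just before the system goes into production; serialised as it
        #    would be written to the database you keep offline.
        baseline_json = json.dumps(scan(root))

        # 2. Later: a backdoored login is swapped in, a new file appears, and the
        #    temporary lock file changes for legitimate reasons.
        put("bin/login", b"#!/bin/sh\n# constructed stand-in for a backdoored login\n")
        put("bin/.rk", b"#!/bin/sh\n# constructed stand-in for an attacker's tool\n")
        put("tmp/.mnttab.lock", b"locked\n", 0o644)

        # 3. Periodic run: compare the offline baseline against the live tree.
        return compare(json.loads(baseline_json), scan(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists bin/login as changed and bin/.rk as added, while the pruned tmp/.mnttab.lock never appears, which is the noise-versus-signal trade-off the slides describe. As the slides also note, this only holds while the kernel answers read() and lstat() honestly; a kernel-level rootkit can feed the checker the original bytes while the on-disk file is something else.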

Security Configuration Management
- Video: Open Source
- Video: Proprietary
- Choose "Before and After Views"

Tripwire
- Advantages: simple interface, good choice of crypto hash functions, good all-around tool
- Security Issues: how to protect the DBs? Need to protect the tripwire executables?
- Disadvantages: kernel mod attacks; initial config takes quite some time to customize; no network security
Protecting the Tripwire database is the most important item on your checklist. This usually means storing a copy of the file offline, either on tape or CD.

Kernel-Level RootKits
- The Trojan Horse becomes the Kernel
- Most difficult to detect
- Gives the attacker complete control of the underlying system
- Nothing on the system can be trusted

Kernel-Level RootKits
- Most common feature is execution redirection
- Instead of changing other programs to hide files, the kernel hides them
- Kernel may also hide processes that are running
- Port usage is often masked

Kernel-Level RootKits
Some early Kernel-level RootKits are:
- Knark (Linux)
- Adore (Linux)
- Plasmoid's Solaris Loadable Kernel Module (Solaris)
- The Windows NT kernel-level RootKit (Windows)

Kernel-Level RootKits
- Implemented with Loadable Kernel Modules (LKM)
- LKM is used to extend the capabilities of the system, only on some UNIX systems
- LKM makes it easy! To install the Knark RootKit, type "insmod knark.o"; no reboot necessary

KNARK Background
- Written by Creed
- Released in 1999
- Versions exist for Linux 2.2 and 2.4 kernels
- Very popular in the 'script kiddie' community

KNARK Capabilities
- Hide/unhide files or directories
- Hide TCP/UDP connections
- Execution redirection
- Unauthenticated privilege escalation via the rootme program within knark
- Ability to change the UID/GID of a running process
- Unauthenticated, privileged remote execution daemon
- kill -31 to hide a running process

Installing KNARK
- KNARK is installed as a Loadable Kernel Module (LKM)
- The system must have LKM enabled in order to be able to load KNARK
- Can be defeated if LKM is disabled; HOWEVER, updating the system becomes much more complicated
- The KNARK rootkit has an additional LKM module to hide the presence of KNARK from the insmod (installed module) command

What does KNARK Change?
KNARK modifies the system call table (sys_call_table) within kernel memory by redirecting some system calls (sys_read, sys_getdents) to malicious system calls written by CREED. These new malicious system calls function as normal except in certain circumstances.

What does KNARK change?

What does KNARK Change?
- Can no longer trust the output of the system calls
- Very difficult to detect rootkits such as KNARK using conventional methods
- System utility files (ls, ps) are not modified
- Kernel output to the system utilities IS modified

Detecting KNARK
- Cryptographic checksums of system utilities will NOT change when KNARK is installed
- May be possible to take a cryptographic checksum of a selected region of the kernel in order to detect rootkit modification of the kernel (StMichael)
- Can detect the presence of KNARK-type rootkits by examining sys_call_table

Detecting KNARK
- The file /boot/System.map is created when the system is initially compiled
- /boot/System.map contains the correct addresses of kernel system calls
- /boot/System.map can be archived or retrieved from a known-good system for comparison
- Must have Superuser (ROOT) privilege in order to read /dev/kmem (kernel memory)

Detecting KNARK using the kern_check program
- Developed by Samhain Labs
- GPL ('free') software
- Compares the /boot/System.map file against the system call table in kernel memory
- Will not work against later versions of Red Hat Linux 2.4 or the Linux 2.6 kernel
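The System.map-versus-sys_call_table comparison that the last three slides describe, as an added example that is not part of the original slides and not kern_check's or Samhain Labs' code. The real tool reads the live table out of /dev/kmem at the address System.map gives for sys_call_table, which needs root and a kernel that still exposes kernel memory that way; here the live table is passed in as a Python dict so the logic runs offline. The System.map excerpt and every address in it are constructed, as are the "hooked" addresses; the i386 slot numbers are the genuine Linux 2.4 syscall numbers.

```python
import re

# Constructed excerpt of /boot/System.map for a Linux 2.4 i386 kernel (addresses made up).
SYSTEM_MAP = """\
c0106a40 T sys_read
c0106b20 T sys_write
c0107310 T sys_open
c0108c90 T sys_getdents
c01090a0 T sys_kill
c0240000 D sys_call_table
"""

# Slot numbers in sys_call_table for the handlers we verify (Linux 2.4, i386 unistd.h).
SYSCALL_NUMBERS = {"sys_read": 3, "sys_write": 4, "sys_open": 5,
                   "sys_kill": 37, "sys_getdents": 141}


def parse_system_map(text):
    """Map symbol name -> address from the 'address type name' lines of a System.map."""
    symbols = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)$", line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def check_syscall_table(system_map_text, live_table, numbers=SYSCALL_NUMBERS):
    """Return (name, expected, actual) for every checked slot whose live handler
    address differs from what System.map recorded at build time. An empty list
    means the checked slots are intact; it says nothing about unchecked slots."""
    expected = parse_system_map(system_map_text)
    mismatches = []
    for name, nr in numbers.items():
        want = expected[name]
        got = live_table.get(nr)
        if got != want:
            mismatches.append((name, want, got))
    return mismatches


def demo():
    """Run the check once against a clean table and once against a constructed
    Knark-style table where sys_read and sys_getdents point into module memory."""
    symbols = parse_system_map(SYSTEM_MAP)
    clean = {nr: symbols[name] for name, nr in SYSCALL_NUMBERS.items()}
    hooked = dict(clean)
    # The 0xd08... values stand in for addresses inside a loaded module (made up).
    hooked[SYSCALL_NUMBERS["sys_read"]] = 0xD0802F10
    hooked[SYSCALL_NUMBERS["sys_getdents"]] = 0xD0803040
    return check_syscall_table(SYSTEM_MAP, clean), check_syscall_table(SYSTEM_MAP, hooked)


if __name__ == "__main__":
    clean_result, hooked_result = demo()
    print("clean kernel:", clean_result)
    for name, want, got in hooked_result:
        print(f"{name}: System.map says {want:#010x}, table holds {got:#010x}")
```

The check is only as good as the copy of System.map it trusts, which is why the slides say to archive it or fetch it from a known-good system rather than read it off the suspect box. It also only catches rootkits that overwrite entries in the original table; as the KNARK summary slide notes, SuckIT defeats kern_check, and a rootkit that leaves the table alone and patches handler code or the dispatcher instead would pass this comparison, which is the gap the kernel-region checksumming (StMichael) slide is pointing at.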

KNARK Summary
- KNARK is a very powerful tool that was very popular with 'script kiddies'
- Very difficult to detect with conventional methods
- Can no longer trust system output once the kernel is compromised
- Other kernel rootkits can defeat the kern_check program (SuckIT)

Rootkit Summary
- Prevent hackers from gaining root access in order to prevent rootkits from being installed
- Must check systems on a periodic basis for rootkit exploits
- Current advice for a rootkitted system: wipe out the files and re-install the operating system
- Is it possible to re-establish trust on a rootkitted system?

Trojan Horse / Rootkit

Type of Trojan horse backdoor | Characteristics | Analogy | Example tools in this category
Application-Level Trojan Horse Backdoor | A separate application runs on the system | An attacker adds poison to your soup. | Sub7, BO2K, Tini, etc.
Traditional RootKits | Critical Operating System components are replaced. | An attacker replaces your potatoes with poison ones. | Lrk6, T0rnkit, etc.
Kernel-Level RootKits | Kernel is patched. | An attacker replaces your tongue with a poison one. | Knark, adore, Kernel Intrusion System, rootkit.com, etc.

[Diagram: three stacks, each sitting on the Kernel. Application-level: an Evil Program alongside good login, good ps, good ifconfig and good tripwire. Traditional RootKit: Trojan login, Trojan ps and Trojan ifconfig alongside good tripwire. Kernel-level RootKit: four good programs above a Trojan Kernel Module inside the Kernel.]