Hiding Malware Rootkits

Hiding Malware/Rootkits. CS-695 Host Forensics, Georgios Portokalidis, 4/2/2013

Why Hide?
The longer you stay undetected, the longer you avoid:
- Removal
- Analysis (how does it work?)
- Blame (who dunnit?)

How Would You Hide?
Deception: present a fake image of how things are.
How do we examine the system? We've seen some tools earlier in this course.
Possibilities:
- Modify programs to lie
- Modify the kernel to lie
- Modify the VM to lie
- Modify the hardware to lie?

Rootkits
Malicious software designed to hide malware-related data:
- Files
- Processes
- Logins
- Network connections
The lower the level controlled, the better, because whoever controls a level decides what every level above it gets to see. Rootkits by level:
- Hypervisor-level rootkits
- Bootkits
- Firmware-level rootkits
- Kernel-level rootkits
- User-level rootkits

User-level Rootkits
- Modify utilities: ps, netstat, top, sshd
- API hooks: replace the library wrappers around system calls, etc. (e.g., a hooked readdir never returns the hidden file's entry to ls)
- Applications: alter behavior (e.g., modify Windows Explorer to hide a file)

Kernel-level Rootkits
Mostly implemented as loadable kernel modules. They modify or add:
- Kernel code (Phantasmagoria adds instructions to system calls)
- Kernel data structures (remove the malware from the process lists, as FU does)
- APIs (Knark adds entries to the proc file system, SuckIT adds new system calls)

Hypervisor Rootkits
Run with higher privilege than the kernel. Research prototypes: the SubVirt paper; the Blue Pill rootkit.
Privilege rings:
- Ring 3: applications
- Rings 1 and 2: unused
- Ring 0: kernel
- "Ring -1" (Intel VT-x, AMD-V): reserved for the hypervisor; this is where the rootkit sits

Firmware-level Rootkits
Firmware is the lowest level of software that controls certain operations of the hardware. Until recently the integrity of firmware was not checked; companies have only recently started using signed firmware updates.
Examples:
- Organized crime tampers with European card swipe devices: http://www.theregister.co.uk/2008/10/10/organized_crime_doctors_chip_and_pin_machines
- Attacks on BIOS anti-theft agents turn them into rootkits: http://www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf

Defenses
- Check file integrity: Tripwire, chkrootkit
- Check for divergent results: checkps
- Protect hooks: system calls, internal kernel APIs
- Code integrity checks: page-level hashing/signing

File Integrity Testing
Example:
- Create MD5s of the binaries on the system (today you would use a collision-resistant hash such as SHA-256; MD5 collisions are practical)
- Periodically check the installed binaries against the stored hashes
Challenges?
- Storing the hashes out of reach
- Keeping up with updates
- Storing the tools out of reach!
Limitations?
- In-memory modifications
- Lower-level rootkits

Looking for Divergent Results
Example:
- Run binaries and collect results: ps, top, netstat
- Collect results from other sources: directly access the /proc filesystem
- Compare the results to find discrepancies
Challenges?
- Finding other sources of information
- False alerts: system state is dynamic
- Storing the tools out of reach!
Limitations?
- In-memory modifications
- Lower-level rootkits
- Frequently rootkit specific
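The two slides above (user-level rootkits that patch ps, and the divergent-results defense) describe the same check from both sides. The following C program is an added example, not code from the lecture: it takes one view of the process list from readdir() on /proc, the view a patched ps or a hooked readdir would present, and a second view by probing stat("/proc/<pid>") for every PID in a range, then reports PIDs that exist but are missing from the listing. The PID_MAX bound and the double probe (before and after the listing, to absorb processes that start or exit in between) are this example's own choices.

```c
/* Cross-check the /proc directory listing against direct PID probing.
 * A user-level rootkit can make readdir() skip an entry; it has a harder time
 * making stat("/proc/<pid>") fail for a process that really exists. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define PID_MAX 32768   /* assumption: probe range; read /proc/sys/kernel/pid_max in real use */

/* View 1: PIDs as returned by readdir() on /proc (what ps and top rely on). */
static void list_proc_pids(unsigned char *seen, size_t max) {
    DIR *d = opendir("/proc");
    if (!d) return;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && (size_t)pid < max) seen[pid] = 1;
    }
    closedir(d);
}

/* View 2: probe every PID directly; stat() succeeds iff the PID exists. */
static void probe_pids(unsigned char *probed, size_t max) {
    char path[32];
    struct stat st;
    for (size_t pid = 1; pid < max; pid++) {
        snprintf(path, sizeof path, "/proc/%zu", pid);
        probed[pid] = (stat(path, &st) == 0);
    }
}

/* Pure comparison: flag PIDs present in both probe passes but absent from the listing.
 * Requiring both probes avoids false alerts for processes born or dead between passes. */
size_t diff_hidden_pids(const unsigned char *seen, const unsigned char *probe1,
                        const unsigned char *probe2, size_t max, size_t *out, size_t out_max) {
    size_t n = 0;
    for (size_t pid = 1; pid < max; pid++) {
        if (probe1[pid] && probe2[pid] && !seen[pid]) {
            if (n < out_max) out[n] = pid;
            n++;
        }
    }
    return n;
}

/* Live scan: probe, list, probe again, diff. Returns the number of suspicious PIDs. */
size_t find_hidden_pids(size_t *out, size_t out_max) {
    unsigned char *seen = calloc(PID_MAX, 1), *p1 = calloc(PID_MAX, 1), *p2 = calloc(PID_MAX, 1);
    if (!seen || !p1 || !p2) { free(seen); free(p1); free(p2); return 0; }
    probe_pids(p1, PID_MAX);
    list_proc_pids(seen, PID_MAX);
    probe_pids(p2, PID_MAX);
    size_t n = diff_hidden_pids(seen, p1, p2, PID_MAX, out, out_max);
    free(seen); free(p1); free(p2);
    return n;
}

int main(void) {
    size_t hidden[64];
    size_t n = find_hidden_pids(hidden, 64);
    if (n == 0) { puts("no PIDs hidden from the /proc listing"); return 0; }
    for (size_t i = 0; i < n && i < 64; i++)
        printf("PID %zu exists but is not listed in /proc\n", hidden[i]);
    return 1;
}
```

This is the "brute" technique of tools such as unhide. It catches utilities and readdir hooks that lie, but not a kernel-level rootkit that filters /proc lookups themselves, nor a user-level hook that also wraps stat(): exactly the "lower-level rootkits" and "rootkit specific" limitations the slide lists. Storing the checker out of reach still matters, since a rootkit that can patch ps can patch this binary too.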

Monitor API Hooks
Example:
- Store the currently used, known-good set of hooks
- Periodically read the values of the hooks
- Compare the values to identify hooks that have been replaced
Challenges?
- Which APIs should be monitored
- False alerts: hooks can be placed for legitimate reasons (that's usually the problem with running multiple antivirus engines on your PC)
- Storing the tools out of reach!
Limitations? Cannot detect changes in:
- Kernel code
- Kernel data structures other than the APIs
- Lower-level rootkits

Code-integrity Checking
Example:
- Upon loading a page of code, hash its contents
- Periodically re-hash every page and check it against the previously taken hash
Can be done by:
- The kernel
- A hypervisor
- A coprocessor
Challenges:
- Storing the hashes out of reach
- Keeping up with code updates
- Code provenance
Limitations:
- Pages containing both code and data
- Lower-level rootkits

Countering Kernel Rootkits with Lightweight Hook Protection (HookSafe, CCS 2009)

Protecting Kernel Hooks
What are hooks? Function callbacks that are set dynamically and called when certain conditions occur, e.g., event_callback(void *ptr).
- The system call table contains hooks
- Hooks can be distributed around the kernel. Example: heap-allocated structures containing callbacks, struct io_struct { callback_t readf, writef; }

Protecting Kernel Hooks
Rootkits can modify hooks to receive control on certain events. How can we protect these hooks from being overwritten?
- Make them read-only for the kernel
- We need to find them first! This is what this paper proposes.
- Why is this possible?

Find the Hooks
We need to find:
- The function pointers
- The instructions accessing them
Accomplished through a combination of static and dynamic analysis:
- Analyze the source code statically
- Execute the kernel in an emulator (QEMU)

Protect the Hooks
- Move the hooks to a memory-protected area: they can no longer be overwritten arbitrarily
- Control how they are used by legitimate code: hook indirection
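HookSafe's two ideas, relocating the hooks into a protected page and routing every legitimate use through an indirection, can be shown in user space. The following C program is an added example, not HookSafe's code: it keeps a small hook table on its own mmap'd page locked with PROT_READ, exposes hook_set() as the one mediated write path and hook_call() as the indirection, and then plays the rootkit by writing a slot directly, catching the resulting protection fault. Hook names, the table size and the SIGSEGV/SIGBUS trick are this example's assumptions.

```c
/* HookSafe in miniature: hooks live on a read-only page, callers use an
 * indirection, and only the monitor's hook_set() path may change a slot. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef long (*hook_fn)(long);
#define NHOOKS 8

static hook_fn *hook_page;              /* the protected hook table, one page */
static size_t page_len;
static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_hit;

static void on_fault(int sig) { (void)sig; fault_hit = 1; siglongjmp(fault_env, 1); }

/* Allocate the hook page and lock it read-only. */
int hooks_init(void) {
    page_len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memset(p, 0, page_len);
    hook_page = p;
    return mprotect(hook_page, page_len, PROT_READ);
}

/* Mediated update: the only legitimate way to change a hook. In HookSafe this runs
 * in the hypervisor; here it is an ordinary function, so in-process code could call
 * it (or mprotect) itself. That gap is exactly what the hypervisor boundary closes. */
int hook_set(int idx, hook_fn fn) {
    if (!hook_page || idx < 0 || idx >= NHOOKS) return -1;
    if (mprotect(hook_page, page_len, PROT_READ | PROT_WRITE) != 0) return -1;
    hook_page[idx] = fn;
    return mprotect(hook_page, page_len, PROT_READ);
}

/* Hook indirection: kernel code calls through the table, never the original location. */
long hook_call(int idx, long arg) {
    if (!hook_page || idx < 0 || idx >= NHOOKS || !hook_page[idx]) return -1;
    return hook_page[idx](arg);
}

/* What a rootkit does to sys_call_table: overwrite the slot in place.
 * Returns 1 if the page protection blocked the write, 0 if it went through. */
int rootkit_direct_overwrite(int idx, hook_fn evil) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);       /* some platforms report the fault as SIGBUS */
    fault_hit = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        hook_page[idx] = evil;              /* faults: the page is read-only */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return fault_hit ? 1 : 0;
}

/* Sample hooks, constructed for the demo. */
long legit_read_hook(long n) { return n * 2; }
long evil_read_hook(long n)  { return -n; }

int main(void) {
    if (hooks_init() != 0 || hook_set(0, legit_read_hook) != 0) return 1;
    printf("hook_call(0, 21) = %ld\n", hook_call(0, 21));
    printf("direct overwrite blocked: %d\n", rootkit_direct_overwrite(0, evil_read_hook));
    printf("hook_call(0, 21) after attack = %ld\n", hook_call(0, 21));
    return 0;
}
```

The indirection is what makes the protection cheap: only writes to the hook page trap, while reads (the overwhelmingly common case) run at full speed. The remaining weakness, that the same privilege level can undo the protection, is why HookSafe enforces the read-only mapping from the hypervisor's page tables rather than from the guest kernel's own.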

SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes

SecVisor
Goal: ensure kernel code integrity even if the kernel has been compromised. Code can be injected but not executed.
Why tiny?
- Smaller attack surface
- Fewer changes required for adoption
- Faster

Virtualized Page Tables
The hypervisor's page tables enforce stricter memory permissions than the guest's own: shadow page tables, or nested page tables.
- Intercept user/kernel boundary crossings to update the protections (kernel code is executable only while in kernel mode)
- How can we load new code? Target memory protection: a page is writable or executable, never both, and new code must pass an approval policy before it becomes executable

What About?
- Loadable kernel modules: loading goes through SecVisor, which requires symbol relocation support
- Hardware devices that can write to memory: DMA bypasses the CPU's page tables, so an IOMMU is needed to keep devices away from kernel code

How Tiny? Limitations
- Only single-CPU systems supported
- Self-modifying code
- Code provenance

SubVirt: Implementing malware with virtual machines

Rootkits as VMs (three layer diagrams)
- Regular virtualization configuration: Hardware, then Hypervisor, then VM 1 ... VM n, each with its own kernel and processes
- On most PCs: Hardware, then Kernel, then processes (no hypervisor at all)
- With a hypervisor rootkit: Hardware, then the "undetectable rootkit" acting as hypervisor, then VM 1 holding the original kernel and processes, which now run as a guest without knowing it

How Is It Done?
Getting the rootkit to run:
- Store it to disk (antivirus software scans for this)
- Modify the boot sequence so the rootkit loads before the original OS, and do it only at the last possible moment, during shutdown, when nothing is left running to notice
- Could this be bypassed? The change only takes effect after a reboot

How Is It Done?
Install malicious services. Why?
- Control the rootkit
- Modify the user (target) operating system

Removing Such Rootkits?
- Be a level lower: boot from an alternative medium
- How about just detecting it?

Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms

Return-Oriented Programming
Worked chain from the slide. Each gadget is a few instructions ending in ret, so every ret pops the next address off the attacker-controlled stack; esp starts at the top entry.

Stack (top first):
  0xb8800000
  0x00000001
  0xb8800010
  0x00000002
  0xb8800020
  0xb8800010   (pop ebx gadget reused; this entry is implied by the listed actions)
  0x00400000
  0xb8800030

Code (gadgets):
  0xb8800000: pop eax ; ret
  0xb8800010: pop ebx ; ret
  0xb8800020: add eax, ebx ; ret
  0xb8800030: mov [ebx], eax ; ret

Actions, in order: eax = 1; ebx = 2; eax += ebx; ebx = 0x400000; *ebx = eax.
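A ROP rootkit needs gadgets that already exist in the kernel's (code-integrity-protected) text, so the first step is finding them. The following C program is an added example, not code from the paper: it scans a byte image for every ret (0xc3), then tries to disassemble each start offset up to a few bytes back and keeps the ones that decode cleanly and land exactly on the ret, the same backward search real gadget finders use. The decoder knows only the 32-bit x86 forms on the slide (pop/push reg, add and mov with a modrm byte, nop, ret); the sample image is constructed and contains the slide's four gadgets.

```c
/* Minimal ROP gadget finder: backward disassembly from every ret. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXLOOK 3          /* how many bytes before a ret to try as gadget starts */
#define TEXTLEN 96

typedef struct { uint32_t addr; char text[TEXTLEN]; } gadget_t;

static const char *reg32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Decode one instruction at code[off]; return its length, or 0 if unknown/truncated. */
static int decode_one(const uint8_t *code, size_t len, size_t off, char *out, size_t outlen) {
    uint8_t op = code[off];
    if (op == 0xc3) { snprintf(out, outlen, "ret"); return 1; }
    if (op == 0x90) { snprintf(out, outlen, "nop"); return 1; }
    if (op >= 0x58 && op <= 0x5f) { snprintf(out, outlen, "pop %s", reg32[op - 0x58]); return 1; }
    if (op >= 0x50 && op <= 0x57) { snprintf(out, outlen, "push %s", reg32[op - 0x50]); return 1; }
    if ((op == 0x01 || op == 0x89) && off + 1 < len) {     /* add r/m32, r32 ; mov r/m32, r32 */
        uint8_t modrm = code[off + 1], mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
        const char *mn = (op == 0x01) ? "add" : "mov";
        if (mod == 3) { snprintf(out, outlen, "%s %s, %s", mn, reg32[rm], reg32[reg]); return 2; }
        if (mod == 0 && rm != 4 && rm != 5) {              /* [reg] form, no SIB/disp32 */
            snprintf(out, outlen, "%s [%s], %s", mn, reg32[rm], reg32[reg]); return 2;
        }
    }
    return 0;
}

/* Decode code[start..ret_off) as a straight-line sequence that ends exactly at the ret. */
static int decode_gadget(const uint8_t *code, size_t len, size_t start, size_t ret_off,
                         char *text, size_t textlen) {
    char ins[32];
    size_t off = start;
    text[0] = '\0';
    while (off < ret_off) {
        int n = decode_one(code, len, off, ins, sizeof ins);
        if (n == 0 || code[off] == 0xc3 || off + (size_t)n > ret_off) return 0; /* junk, early ret, overshoot */
        if (text[0]) strncat(text, " ; ", textlen - strlen(text) - 1);
        strncat(text, ins, textlen - strlen(text) - 1);
        off += (size_t)n;
    }
    strncat(text, " ; ret", textlen - strlen(text) - 1);
    return 1;
}

/* Collect gadgets; returns the number found (at most `max` are stored in out). */
int find_gadgets(const uint8_t *code, size_t len, uint32_t base, gadget_t *out, int max) {
    int n = 0;
    for (size_t r = 0; r < len; r++) {
        if (code[r] != 0xc3) continue;
        size_t first = r > MAXLOOK ? r - MAXLOOK : 0;
        for (size_t s = first; s < r; s++) {
            char text[TEXTLEN];
            if (!decode_gadget(code, len, s, r, text, sizeof text)) continue;
            if (n < max) {
                out[n].addr = base + (uint32_t)s;
                strncpy(out[n].text, text, TEXTLEN - 1);
                out[n].text[TEXTLEN - 1] = '\0';
            }
            n++;
        }
    }
    return n;
}

/* Constructed code image: the slide's four gadgets plus a leading nop. */
static const uint8_t sample_code[] = {
    0x90, 0x58, 0xc3,        /* nop ; pop eax ; ret */
    0x5b, 0xc3,              /* pop ebx ; ret */
    0x01, 0xd8, 0xc3,        /* add eax, ebx ; ret */
    0x89, 0x03, 0xc3         /* mov [ebx], eax ; ret */
};

int main(void) {
    gadget_t g[16];
    int n = find_gadgets(sample_code, sizeof sample_code, 0xb8800000u, g, 16);
    for (int i = 0; i < n && i < 16; i++) printf("0x%08x: %s\n", g[i].addr, g[i].text);
    return 0;
}
```

Note that the same ret yields several gadgets depending on where decoding starts ("nop ; pop eax ; ret" and "pop eax ; ret" here), and that x86's variable-length encoding also produces unintended gadgets from the middle of longer instructions, which a finder with a full disassembler would enumerate. Against a kernel image this search runs over the whole text section, which is exactly why code integrity alone (SecVisor) does not stop a return-oriented rootkit: no new code is ever introduced.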

ROP-based Rootkits as Easy as Compiling