Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr.

Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne

Traditional RootKits
- Replace key system components.
- Less detectable than application-level Trojan horse backdoors.
- Traditionally focus on UNIX systems.
- Root access is required initially.

Traditional RootKits
- On Windows systems, RootKits replace Dynamic Link Libraries or otherwise alter the system.
- On UNIX systems, RootKits replace /bin/login with a backdoor version of /bin/login.

Traditional RootKits
- When an attacker enters the backdoor password, access to the system is granted.
- The backdoor password still works if the other passwords are changed.
- The login is not recorded in the wtmp or utmp files for the backdoor user.

Traditional RootKits
Some other programs replaced:
- du (reports disk space): the RootKit version hides the space used by the attacker's tools.
- find (finds files): hides the attacker's files.
- ifconfig (shows the status of interfaces): masks promiscuous mode.
- ls (shows the contents of directories): hides the attacker's files.

Traditional RootKits
Linux RootKit 5 (lrk5), written by Lord Somer, is one of the most full-featured RootKits. It includes Trojan versions of the following: chfn, chsh, crontab, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su.

Defending against Traditional RootKits
- Try harder to stop attackers from getting root access; remember that root-level access is needed to install a RootKit.
- Use the shell's "echo *" command to look for changes: the shell expands the wildcard itself, so the listing does not depend on a possibly Trojaned ls.

Defending against Traditional RootKits
- Get a program to scan /bin/login and see if it has been corrupted.
- Use a file integrity checker such as Tripwire.
- Save the hashes on read-only media.

Tripwire
- Available from
- First of the file integrity checkers.
- Unix and NT versions available.
- Network-capable versions available.
- The academic version is free; the commercial versions are not.
- Useful in finding Trojan programs.

Tripwire
- Generates a "signature" for each file based on checksums and other characteristics.
- These signatures are stored in a database file that should be kept offline. This is the baseline.
- The latest threat involves dynamic exec redirection, which is part of the newer kernel module RootKits: the files on disk are left untouched, so their signatures still match.

Tripwire
- List of files to check: tw.config.
- All files in a directory will be checked.
- Directories can be pruned from the check step.
- Can examine just the directory and nothing else.
- Can check by access time, but this is not recommended since you'll get a report of everything that changed. Everything!

Tripwire
- To initialize the DB: tripwire -initialize
- Update the DB interactively: tripwire -interactive
- Non-interactive DB update: tripwire -update
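The baseline-and-compare cycle the Tripwire slides describe, as an added example (this is not Tripwire's own code): each file gets a signature built from a SHA-256 checksum plus size, mode and mtime, a directory tree is walked with tw.config-style pruning, and a later walk is diffed against the stored baseline. The directory layout and prune set used when calling it are assumptions for the demonstration.

```python
import hashlib
import os
from pathlib import Path


def file_signature(path: Path) -> dict:
    """Tripwire-style signature: content checksum plus other file characteristics."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": st.st_mode, "mtime": int(st.st_mtime)}


def build_baseline(root: Path, prune: set = frozenset()) -> dict:
    """Walk root and sign every regular file; 'prune' holds root-relative directories
    to skip, like the prune entries of tw.config. The returned dict is the baseline and
    belongs on read-only media so an intruder with root cannot rewrite it."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        dirnames[:] = [d for d in dirnames if str(rel_dir / d) not in prune]
        for name in filenames:
            p = Path(dirpath, name)
            if p.is_file() and not p.is_symlink():
                baseline[str(p.relative_to(root))] = file_signature(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. 'changed' maps a path to 'content' when the checksum
    differs (e.g. a Trojaned /bin/login) or 'metadata' when only mode/mtime/size moved."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            same_hash = baseline[rel]["sha256"] == current[rel]["sha256"]
            report["changed"][rel] = "metadata" if same_hash else "content"
    return report
```

Run build_baseline once on a clean system, store the result offline, and re-run compare on every periodic check; a "content" change on a binary such as /bin/login is the signal the slides are after.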

Security Configuration Management
- Video: Open Source Video
- Video: Proprietary Video (choose "Before and After Views")

Tripwire
- Advantages: simple interface, good choice of cryptographic hash functions, good all-around tool.
- Security issues: how to protect the DBs? Need to protect the Tripwire executables?
- Disadvantages: kernel-module attacks, initial configuration takes quite some time to customize, no network security.

Kernel-Level RootKits
- Makes the kernel the Trojan horse.
- Most difficult to detect.
- Gives the attacker complete control of the underlying system.
- Nothing on the system can be trusted.

Kernel-Level RootKits
- The most common feature is execution redirection.
- Instead of changing other programs to hide files, the kernel hides them.
- The kernel may also hide processes that are running.
- Port usage is often masked.

Kernel-Level RootKits
Some early kernel-level RootKits are:
- Knark (Linux)
- Adore (Linux)
- Plasmoid's Solaris Loadable Kernel Module (Solaris)
- The Windows NT kernel-level RootKit (Windows)

Kernel-Level RootKits
- Implemented with Loadable Kernel Modules (LKM).
- LKM is used to extend the capabilities of the system, but only on some UNIX systems.
- LKM makes it easy! To install the Knark RootKit, type "insmod knark.o"; no reboot is necessary.

KNARK Background
- Written by Creed.
- Released in 1999.
- Versions exist for Linux 2.2 and 2.4 kernels.
- Very popular in the "script kiddie" community.

KNARK Capabilities
- Hide/unhide files or directories.
- Hide TCP/UDP connections.
- Execution redirection.
- Unauthenticated privilege escalation via the rootme program within knark.
- Ability to change the UID/GID of a running process.
- Unauthenticated, privileged remote execution daemon.
- kill -31 to hide a running process.

Installing KNARK
- KNARK is installed as a Loadable Kernel Module (LKM).
- The system must have LKM enabled in order to be able to load KNARK.
- Can be defeated if LKM is disabled; HOWEVER, updating the system then becomes much more complicated.
- The KNARK rootkit has an additional LKM module to hide the presence of KNARK from the insmod (installed module) command.

What does KNARK Change?
KNARK modifies the system call table (sys_call_table) within kernel memory by redirecting some system calls (sys_read, sys_getdents) to malicious system calls written by CREED. These new malicious system calls function as normal except in certain circumstances.

What does KNARK change?

What does KNARK Change?
- Can no longer trust the output of the system calls.
- Very difficult to detect rootkits such as KNARK using conventional methods.
- System utility files (ls, ps) are not modified.
- The kernel's output to those system utilities IS modified.

Detecting KNARK
- Cryptographic checksums of system utilities will NOT change when KNARK is installed.
- It may be possible to take a cryptographic checksum of a selected region of the kernel in order to detect rootkit modification of the kernel (StMichael).
- Can detect the presence of KNARK-type rootkits by examining sys_call_table.

Detecting KNARK
- The file /boot/System.map is created when the kernel is initially compiled.
- /boot/System.map contains the correct addresses of the kernel system calls.
- /boot/System.map can be archived or retrieved from a known-good system for comparison.
- Must have superuser (ROOT) privilege in order to read /dev/kmem (kernel memory).

Detecting KNARK using the kern_check program
- Developed by Samhain Labs.
- GPL ("free") software.
- Compares the /boot/System.map file against the system call table in kernel memory.
- Will not work against later versions of Red Hat Linux 2.4 or the Linux 2.6 kernel.
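The System.map-versus-kernel-memory comparison that kern_check performs, as an added example (not kern_check's code): it parses a System.map fragment, keeps the sys_* text symbols, and flags any entry whose address in the live table no longer matches. The System.map lines, the addresses and the live table are all constructed for the demonstration; a real check would fill the live table by reading sys_call_table out of /dev/kmem as root, which is not reproduced here.

```python
import re

# Constructed System.map fragment; the addresses are made up, not from a real kernel.
SYSTEM_MAP = """\
c0106b20 T sys_read
c0106c40 T sys_write
c0107d80 T sys_getdents
c0108a10 T sys_kill
c0109f30 D sys_call_table
"""

# Constructed stand-in for what a root-only read of sys_call_table from /dev/kmem
# would return after a KNARK-style module redirected sys_read and sys_getdents to
# handlers living in module memory (the 0xd0... addresses are also made up).
LIVE_TABLE = {"sys_read": 0xd0834120, "sys_write": 0xc0106c40,
              "sys_getdents": 0xd0834560, "sys_kill": 0xc0108a10}

MAP_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)$")


def parse_system_map(text: str) -> dict:
    """Return {symbol: address} for the sys_* entries in the kernel text segment
    (symbol type T/t), i.e. the addresses the system call table should contain."""
    expected = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m is None:
            continue
        addr, kind, name = m.groups()
        if kind in "Tt" and name.startswith("sys_"):
            expected[name] = int(addr, 16)
    return expected


def find_hooked_syscalls(expected: dict, live: dict) -> dict:
    """Entries whose live address differs from System.map: {name: (expected, live)}.
    A mismatch means the handler was redirected, which is exactly what KNARK does."""
    return {name: (addr, live[name])
            for name, addr in expected.items()
            if name in live and live[name] != addr}


if __name__ == "__main__":
    hooked = find_hooked_syscalls(parse_system_map(SYSTEM_MAP), LIVE_TABLE)
    for name, (want, got) in sorted(hooked.items()):
        print(f"{name}: System.map {want:#x}, kernel memory {got:#x}  <- redirected")
```

As the slides note, the System.map used for comparison must come from an archived or known-good copy, since a rootkit that can rewrite kernel memory can also rewrite the file on disk.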

KNARK Summary
- KNARK is a very powerful tool that was very popular with "script kiddies".
- Very difficult to detect with conventional methods.
- Can no longer trust system output once the kernel is compromised.
- Other kernel rootkits can defeat the kern_check program (SuckIT).

Rootkit Summary
- Prevent hackers from gaining root access in order to prevent rootkits from being installed.
- Must check systems on a periodic basis for rootkit exploits.
- Current advice for a rootkitted system: wipe out the files and re-install the operating system.
- Is it possible to re-establish trust on a rootkitted system?

Trojan Horse Backdoors

Type of Trojan horse backdoor | Characteristics | Analogy | Example tools in this category
--- | --- | --- | ---
Application-Level Trojan Horse Backdoor | A separate application runs on the system. | An attacker adds poison to your soup. | Sub7, BO2K, Tini, etc.
Traditional RootKits | Critical operating system components are replaced. | An attacker replaces your potatoes with poisoned ones. | Lrk6, T0rnkit, etc.
Kernel-Level RootKits | The kernel is patched. | An attacker replaces your tongue with a poisoned one. | Knark, adore, Kernel Intrusion System, rootkit.com, etc.

Diagram labels (the figure itself is not preserved in the transcript):
- Traditional RootKit: good kernel; Trojan login, Trojan ps, Trojan ifconfig; good tripwire.
- Kernel-level RootKit: kernel with a Trojan kernel module; good login, good ps, good ifconfig, good tripwire.
- Application-level: good kernel; an evil program running alongside good programs.

Here Come the Worms!
- Compromising systems one-by-one can be such a chore.
- Worms are attack tools that spread across a network, moving from host to host exploiting weaknesses.
- Worms automate the process: take over systems, scan for new vulnerable systems, self-replicate by moving across the network to another vulnerable system.
- Each instance of a worm is a "segment".

2001: Year of the Worm?
- In 2001, we saw: Ramen, L10n, Cheese, Sadmind/IIS, Code Red and Code Red II, Nimda.
- To date, worms haven't been nearly as nasty as they could be.
- Most damage is a result of worm resource consumption.
- New generations of worms arrive every 2 to 6 months.

Coming Soon - Super Worms
Be on the lookout for very nasty new worms:
- Multi-functional: spread, steal, erase, etc.
- Multi-platform: Win, Linux, Solaris, BSD, AIX, HP-UX...
- Multi-exploit: many buffer overflows, etc.
- Zero-day exploits: just discovered; no patch available.
- Polymorphic / metamorphic.
We've seen many of these pieces, but no one has rolled them all together... yet!

Worm Defenses
- Buffer overflow defenses help a lot here.
- Rapidly deploy patches.
- Anti-virus solutions: at the desktop... AND at the mail server AND at the file server.
- Incident response capabilities, linked with network management.