16/03/2009Igor Neri - Sicurezza Informatica1/34 Rootkit: Analysis, Detection and Protection Igor Neri Sicurezza Informatica – Prof. Bistarelli.

Slides:

Advertisements

Similar presentations

COEN 250 Computer Forensics Unix System Life Response.

Advertisements

Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Operating System Security : David Phillips A Study of Windows Rootkits.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Windows Security and Rootkits Mike Willard January 2007.

電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許富皓.

1 電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許富皓.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems.

COEN 252: Computer Forensics Router Investigation.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Linux Networking and Security Chapter 10 File Security.

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

By, Anish Shanmugasundaram Yashwanth Sainath Jammi.

Rootkits Brent Boe Vasanthanag Vasili.

Rootkits. EC-Council The Problem  Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or.

Vijay Krishnan Avinesh Dupat. A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators.

CIS 450 – Network Security Chapter 15 – Preserving Access.

COEN 252 Computer Forensics Collecting Network-based Evidence.

CIS 450 – Network Security Chapter 16 – Covering the Tracks.

Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.

Rootkits in Windows XP  What they are and how they work.

Securing Operating Systems Rootkits - TAPTI SAHA.

Maryland Information Systems Security Lab Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor Nick L. Petroni, Jr. Timothy.

Monnappa KA  Info Security Cisco  Member of SecurityXploded  Reverse Engineering, Malware Analysis, Memory Forensics 

LINUX ROOTKITS Chirk Chu Chief Security Officer University of Alaska Statewide System Information Technology Services.

Anatomy of attacks Buffer Overflow attacks & Rootkits.

Mathieu Castets October 17th,  What is a rootkit?  History  Uses  Types  Detection  Removal  References 2/11.

Rootkits. Agenda Introduction Definition of a Rootkit Types of rootkits Existing Methodologies to Detect Rootkits Lrk4 Knark Conclusion.

Intrusion Detection (ID) Intrusion detection is the ART of detecting inappropriate, incorrect, or anomalous activity There are two methods of doing ID.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Unix Security.  Security architecture  File system and user accounts  Integrity management  Auditing and intrusion detection.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

CHAPTER 9 Sniffing.

Hidden Processes: The Implication for Intrusion Detection

REMOTE LOGIN. TEAM MEMBERS AMULYA GURURAJ 1MS07IS006 AMULYA GURURAJ 1MS07IS006 BHARGAVI C.S 1MS07IS013 BHARGAVI C.S 1MS07IS013 MEGHANA N. 1MS07IS050 MEGHANA.

1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.

Instructor: Dr. Harold C. Grossman Student: Subhra S. Sarkar

1 Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise your system.

Rootkits, Backdoors, and Trojans ECE 4112 – Lab 5 Summary – Spring 2006 Group 9 Greg Sheridan Terry Harvey Group 10 Matthew Bowman Laura Silaghi Michael.

COEN 250 Computer Forensics Unix System Life Response.

Computer virus Speaker : 蔡尚倫.  Introduction  Infection target  Infection techniques Outline.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Rootkits.

Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)

VMM Based Rootkit Detection on Android

An Evening with Berferd Bill Cheswick, USENIX 1990 Presented by Chris Grier.

Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).

Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,

Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.

CSCE 548 Student Presentation By Manasa Suthram

I have edited and added material.

Operating System Structure

Rootkit A rootkit is a set of tools which take the ability to access a computer or computer network at administrator level. Generally, hackers install.

IS3440 Linux Security Unit 9 Linux System Logging and Monitoring

I have edited and added material.

Rootkits Jonathan Hobbs.

Hiding Malware Rootkits

Attacks and More Attacks

Operating System Concepts

Preventing Privilege Escalation

Dirty COW Race Condition Attack

Presentation transcript:

16/03/2009Igor Neri - Sicurezza Informatica1/34 Rootkit: Analysis, Detection and Protection Igor Neri Sicurezza Informatica – Prof. Bistarelli

16/03/2009Igor Neri - Sicurezza Informatica2/34 Definition of Rootkit A rootkit is malware which consists of a set of programs designed to hide or obscure the fact that a system has been compromised.

16/03/2009Igor Neri - Sicurezza Informatica3/34 What does a Rootkit do? Hides Attacker Activities

16/03/2009Igor Neri - Sicurezza Informatica4/34 What does a Rootkit do? Hides Attacker Activities Provides unauthorized access

16/03/2009Igor Neri - Sicurezza Informatica5/34 What does a Rootkit do? Hides Attacker Activities Provides unauthorized access Cleans Logs

16/03/2009Igor Neri - Sicurezza Informatica6/34 Classification User SpaceKernel Space

16/03/2009Igor Neri - Sicurezza Informatica7/34 Classification Ring 0 - full access to all memory and the entire instruction set Ring 3 - restricted memory access and instruction set availability

16/03/2009Igor Neri - Sicurezza Informatica8/34 User Space Replace specific system program used to extract information from the system Can include additional tools like sniffers and password crackers

16/03/2009Igor Neri - Sicurezza Informatica9/34 User Space: Hiding File Hiding: du, find, sync, ls, df, lsof, netstat Processes Hiding: killall, pidof, ps, top, lsof Connections Hiding: netstat, tcpd, lsof, route, arp Logs Hiding: syslogd, tcpd Logins Hiding: w, who, last

16/03/2009Igor Neri - Sicurezza Informatica10/34 User Space: Grant Access Backdoors: inetd, login, rlogin, rshd, telnetd, sshd, su, chfn, passwd, chsh, sudo SNIFFING & data acquisitions: ifconfig (hide the PROMISC flag), passwd

16/03/2009Igor Neri - Sicurezza Informatica11/34 User Space: Clean addlen: tool to fit the trojaned file size to the original one fix: changes the creation date and checksum of any program wted: has edit capabilities of wtmp and utmp log files zap: zeroes out log files entries zap2 (z2): erases log files entries: utmp, wtmp, lastlog

16/03/2009Igor Neri - Sicurezza Informatica12/34 User Space: summary Easy to write/install Too many binaries to replace thus prone to mistakes Verifications through checksums is easy and OS dependent Old type

16/03/2009Igor Neri - Sicurezza Informatica13/34 Kernel Space The goal of a kernel rootkit is placing the malicious code inside the kernel by manipulating the kernel source / structure No need to substitute binaries, kernel modification affects all binaries system call Complex to write Complex to identify

16/03/2009Igor Neri - Sicurezza Informatica14/34 How is the flow of execution intercepted? The flow of execution needs to be intercepted or modified at some point The manipulation can take place at many different levels Example: ls command

16/03/2009Igor Neri - Sicurezza Informatica15/34 Normal Execution Flow Executing a syscall in the kernel: Interrupt handler consults the IDT System call handler consults Syscall Table Function implementing the system call execute other kernel functions

16/03/2009Igor Neri - Sicurezza Informatica16/34 Manipulating the Syscall Table The rootkit is called instead of original function Rootkit acts as a wrapper Method used by first kernel rootkits Example: Adore

16/03/2009Igor Neri - Sicurezza Informatica17/34 Copying the syscall table/handler Original syscall table is not modified Modified syscall handler uses manipulated copy Example: SucKIT

16/03/2009Igor Neri - Sicurezza Informatica18/34 Manipulating the IDT A different syscall handler is used, which calls rootkit No need to modify syscall handler or syscall table

16/03/2009Igor Neri - Sicurezza Informatica19/34 Manipulation deeper inside the kernel Less central kernel structures are manipulated Hard to detect since many kernel structures need to be monitored

16/03/2009Igor Neri - Sicurezza Informatica20/34 Kernel rootkit example Target Program: netstat netstat provide information about network connection netstat −an [cut] tcp : :* LISTEN tcp : :* LISTEN tcp : :* LISTEN tcp : :* LISTEN We want to hide the service on 8080

16/03/2009Igor Neri - Sicurezza Informatica21/34 How netstat works strace netstat -an [cut] open("/proc/net/tcp", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0444, st_size=0,...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, −1, 0) = 0x read(3, " sl local_address rem_address "..., 4096) = 900 write(1, "tcp :8080"..., 81tcp : :* LISTEN) = 81 write(1, "tcp :10"..., 81 [cut] close(3)

16/03/2009Igor Neri - Sicurezza Informatica22/34 Altering open and read syscall Hijacking on init module phase: old_open=sys_call_table[__NR_open]; sys_call_table[__NR_open]=new_open; old_read=sys_call_table[__NR_read]; sys_call_table[__NR_read]=new_read; Check on file opening: if (strstr (filename,"/proc/net/tcp")) ACTIVA = 1; r=old_open(filename,flags,mode); Variable ACTIVA useful on read syscall

16/03/2009Igor Neri - Sicurezza Informatica23/34 Altering open and read syscall Check on file reading, if process netstat and file /proc/net/tcp r=old_read(fd,buf,count); if(r comm,"netstat")!=0) ||(ACTIVA==0)) return r; Then we'll search for occurrence to hide and we'll remove that from r

16/03/2009Igor Neri - Sicurezza Informatica24/34 Load kernel module & try Load module insmod hide_netstat.ko re-run netstat netstat −an [cut] tcp : :* LISTEN tcp : :* LISTEN tcp : :* LISTEN [cut]

16/03/2009Igor Neri - Sicurezza Informatica25/34 Detection Checksums of important files (aide, tripwire, …) Rootkit detector programs using signatures (chkrootkit, rootkit hunter,...) Backups of central kernel structures (kstat) Runtime measurement of system calls (patchfinder) Anti-rootkit kernel modules (St Michael) Offline / forensic analysis (TCT, …) Watching the network traffic-flows from 3rd system Manual logfile analysis and search

16/03/2009Igor Neri - Sicurezza Informatica26/34 DEMO Login on remote host via SSH using Debian OpenSSL vulnerability (DSA-1571) Installation of homemade rootkit and Adore-NG rootkit with example of use Detection via system analysis and detection tools: chkrootkit e rkhunter+skdet

16/03/2009Igor Neri - Sicurezza Informatica27/34 DEMO: What's SSH SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Key Based Authentication:  First, a pair of cryptographic keys is generated.  One is the private key; the other is the public key. The public key is installed on the remote machine and is used by ssh to authenticate users which use private key.

16/03/2009Igor Neri - Sicurezza Informatica28/34 DEMO: DSA-1571 Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE ). As a result, cryptographic key material may be guessable.

16/03/2009Igor Neri - Sicurezza Informatica29/34 DEMO

16/03/2009Igor Neri - Sicurezza Informatica30/34 Protecting the system Applying runtime detection methods OS / Kernel Hardening Patching the vulnerabilities Restricted operations and capabilities LKM Protection

16/03/2009Igor Neri - Sicurezza Informatica31/34 Famous case: Ken Thompson vs. Naval Lab. compile(s) char *s; { if(match(s,”pattern1”)){ compile(“bug1”); return; } if(match(s,”pattern2”)){ compile(“bug2”); return; } … } Reflections on Trusting Trust Ken Thompson

16/03/2009Igor Neri - Sicurezza Informatica32/34 Famous Case: Sony BMG CD copy protection The copy protection scandal concerns the copy protection measures included by Sony BMG on compact discs in This software was automatically installed on Windows desktop computers when customers tried to play the CDs.

16/03/2009Igor Neri - Sicurezza Informatica33/34

16/03/2009Igor Neri - Sicurezza Informatica34/34 References “SHADOW WALKER” Raising The Bar For Rootkit Detection UNIX and Linux based Kernel Rootkits (DIMVA Andreas Bunten) Rootkits: Subverting the Windows Kernel Countering Trusting Trust through Diverse Double-Compiling (DDC), David A. Wheeler Reflections on Trusting Trust Ken Thompson Analysis of Rootkits: Attack Approaches and Detection Mechanisms - Alkesh Shah Come costruire un mini-rootkit I - Nascondiamoci da Netstat - blAAd!