Rootkits and protection against them. Dhiresh Salian, Regional Information Security Manager, Microsoft Corporation. Copyright Microsoft Corp. 2006.
Agenda
- Internet Security Threat Report (Symantec Internet Security Threat Report, Vol. VIII)
- Understanding the landscape
- Rootkits defined
- Root problem
- Types of rootkits
- Defending against rootkits
- Rootkits in the limelight
- Microsoft Strider GhostBuster
- Recap

Internet Security Threat Report: Key Findings
- Attackers are motivated by financial gain
- Traditional perimeter defenses are not enough
- Web applications and web browsers are increasingly targeted
- Bot networks are again on the rise: bot network activity increased 143% over the last reporting period
- DoS attacks grew 680%, to an average of 927 attacks per day
- 59% of all vulnerabilities reported to Symantec were web application vulnerabilities
- Most vulnerable web browser family: Mozilla (25 vulnerabilities in the reporting period)

Internet Security Threat Report: Changing Trends
- 10,866 new virus and worm variants, a 48% increase over the previous reporting period
- The number of new virus and worm families is slowing; the number of variants of existing ones is growing
- Changing threat landscape, motivated by financial gain: bot networks for rent; the GPcoder Trojan (encrypts the victim's files and demands payment for the key)

Internet Security Threat Report: Changing Trends (cont'd)
- Mobile malicious code: advent of the first MMS worm, Commwarrior; the Skulls Trojan, which affects Symbian
- Additional security risks, phishing: message volume grew from 2.9 million a day to 5.7 million a day; 1 out of every 125 messages is a phishing attack
- General trend away from hacking for fame to hacking for fortune: one identity theft ring was able to net over $2M in a single instance (FBI)

Internet Security Threat Report: Additional Security Risks
- Spam made up 61% of all email traffic on average
- Spammers use bots to try to obscure their actual location
- Adware and spyware: the Shotathome agent accounted for 19% of adware reported; Webenhancer was the most reported spyware, accounting for 29%
- Concerns over how these programs are installed, what their end user license agreements (EULAs) say, and how they are updated and removed

Understanding the Landscape (chart: attacker motivation plotted against attacker skill)
- Motivation axis: Curiosity, Personal Fame, Personal Gain, National Interest
- Skill axis: Script-Kiddy, Hobbyist Hacker, Expert, Specialist
- Attacker roles plotted: Vandal, Trespasser, Thief, Spy, Author
- Chart annotations: "Tools created by experts now used by less skilled attackers and criminals"; "Fastest growing segment"

Rootkits Defined
Rootkit definition (as per Symantec):
"A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine. Actions performed by a rootkit, such as installation and any form of code execution, are done without end user consent or knowledge. Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to provide an undetectable environment for malicious code to execute. Attackers will typically leverage vulnerabilities in the target machine, or use social engineering techniques, to manually install rootkits. Or, in some cases, rootkits can be installed automatically upon execution of a virus or worm or simply even by browsing to a malicious website. Once installed, an attacker can perform virtually any function on the system to include remote access, eavesdropping, as well as hide processes, files, registry keys and communication channels."

Root Problem
- Rootkits have long been common on UNIX platforms; rootkits on Windows are a recent phenomenon
- Classic approach: trojanize key system files
- On Windows, a different approach: the rootkit registers with the OS (hooks) and intercepts the requests programs make to the standard Windows APIs
- Because it intercepts the calls and filters the results before they reach the caller, anti-malware tools that rely on those same APIs are not effective

Root Problem (cont'd)
- On UNIX: replaces standard system binaries such as ps
- Some rootkits are more sophisticated: they inject their own code into every process currently running on the computer
- Some use a polymorphic wrapper that constantly changes the appearance of the malicious file, making it very difficult for anti-spyware/anti-malware programs to detect
- How does a rootkit infect a machine? The same way as other malware: a malicious web site, a Trojan, or someone copying it directly onto the computer

Types of Rootkits
File- or user-level rootkits
- The basic type; operate at the application level
- Intercept (hook) the standard user-mode APIs
- Do not need kernel access: can be installed by, and affect, a user with lower privileges
- A legitimate program is replaced with a Trojaned version; commonly trojanized files are login, ls, ps, find, who and netstat, the files administrators rely on
Kernel-level rootkits
- More advanced and harder to detect
- Operate in kernel mode, typically living as a device driver
- Require administrator-level access (to load the driver)
- Need not modify system files on disk, so file integrity checkers do not detect them
- The attacker can intercept system calls, operating at a lower level of the Windows architecture than any user-mode defense

Types of Rootkits (cont'd)
Kernel-mode data structure manipulation
- Instead of hooking APIs, the rootkit modifies the kernel's own data structures (for example, unlinking its process from the list the OS walks to enumerate processes)
- Requires admin privileges
- Can cause crashes, and hence can be detected
- More advanced variations are possible. Example: FU
Process hijacking
- Hides inside a legitimate process: the code sits in that process's address space
- Does not survive a reboot
- Extremely hard to detect
- Code Red used this stealth technique

Windows Architecture (diagram)
User mode
- System processes: Session Manager, Winlogon, Services.exe (Service Control Manager), LSASS
- Services
- Applications: Explorer, Task Manager, user applications
- NTDLL.DLL (the kernel-mode callable interfaces): where user-mode rootkits hook
Kernel mode
- Executive components: I/O Manager, Security Reference Monitor, Processes & Threads, Configuration Manager (registry)
- Device and file system drivers
- Kernel: where kernel-mode rootkits hook
- Hardware Abstraction Layer

Defending Against Rootkits
- All stealth mechanisms used by rootkits have holes:
  - Cloaking is not possible when the OS is offline
  - Cloaking induces system anomalies
  - Some APIs are left unfiltered
- Simple way of detecting rootkits: take a directory listing while the OS is running (online) and another from a clean boot (offline), then diff the two, for example with WinDiff
- Most effective defense: stop it before it gets installed, with up-to-date security practices, good operational practices and virus protection
- Rootkit detection tools should be a standard part of the security toolkit
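As an added illustration (not code from this deck or from Microsoft) of how a hooked user-mode API lies and why an unfiltered API exposes it: the Python below monkey-patches os.listdir in the current process to drop any name starting with an assumed cloaking prefix, "$sys$" (borrowed from XCP's naming convention), while os.scandir and os.stat are left unhooked. The temporary directory and the file names are constructed for the example. Python stands in for a Windows API hook here; in a real rootkit the mechanism is an IAT or inline hook of FindFirstFile/FindNextFile (or the native NtQueryDirectoryFile), not a monkey-patch, but the shape is the same: call the real API, then filter what it returned.

```python
"""Simulated user-mode rootkit hook and the unfiltered-API hole.

Added example, not code from the deck or from Microsoft. The hook is a
monkey-patch of os.listdir in this process; a real user-mode rootkit
hooks FindFirstFile/FindNextFile (or NtQueryDirectoryFile) the same way,
returning the real result minus the entries it wants hidden.
"""
import os
import tempfile

HIDDEN_PREFIX = "$sys$"   # assumed cloaking marker (XCP hid names starting with it)

_real_listdir = os.listdir


def _hooked_listdir(path="."):
    """The hook: call the real API, then filter the result before returning it."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    os.listdir = _hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def enumerate_hooked(path):
    """What an ordinary tool sees: the enumeration goes through the hooked API."""
    return sorted(os.listdir(path))


def enumerate_unfiltered(path):
    """A second enumeration path the rootkit forgot to hook (os.scandir here)."""
    with os.scandir(path) as it:
        return sorted(entry.name for entry in it)


def cross_view_diff(path):
    """Entries returned by the unfiltered API but missing from the hooked one."""
    return sorted(set(enumerate_unfiltered(path)) - set(enumerate_hooked(path)))


def demo():
    """Build a constructed directory, install the hook, and detect the cloaked file.

    Returns (hooked_view, hidden_entries, size_via_direct_open).
    """
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", HIDDEN_PREFIX + "cloak.sys"):   # constructed files
            with open(os.path.join(d, name), "w") as f:
                f.write("x")
        install_hook()
        try:
            visible = enumerate_hooked(d)          # the lie: only notes.txt
            hidden = cross_view_diff(d)            # the hole: scandir still sees it
            # Second anomaly: enumeration hides the name, but opening it by name works.
            direct = os.stat(os.path.join(d, HIDDEN_PREFIX + "cloak.sys")).st_size
        finally:
            remove_hook()
    return visible, hidden, direct


if __name__ == "__main__":
    print(demo())
```

The two anomalies demo() returns are exactly the holes the slide lists: a second API (scandir) that the hook does not cover still returns the cloaked name, and the file can be opened directly by name even though enumeration never shows it. A kernel-mode hook closes the first hole for every user-mode caller, which is why the offline comparison remains the reliable check.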

Defending Against Rootkits (cont'd)
File- or user-level rootkits
- Cross-view detection: query through the kernel-mode API and compare the answer with the user-mode API results
- Create message digests of system files and compare them later, using tools like Tripwire
- Other programs: chkrootkit (UNIX, Linux), Data Sentinel (Windows)
Kernel-level rootkits
- Proper defense mechanisms; LPA: least privilege access
- Compare offline and online scans
- Other tools: Microsoft AntiSpyware, RootkitRevealer from Sysinternals, BlackLight from F-Secure
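An added example (not the deck's or Tripwire's code) of the message-digest approach above: build a baseline of SHA-256 hashes for a directory tree, then re-verify and report modified, added and removed files. The sample tree, with stand-ins for ls, ps and netstat, is constructed inline. The caveat the deck itself makes applies: a kernel-mode rootkit that modifies nothing on disk, or a hook that lies to the read() calls this script performs, will not show up, so run the verification from a clean boot against the offline disk and keep the baseline on read-only media.

```python
"""Tripwire-style file integrity baseline: hash a tree, store the digests, re-verify.

Added example, not Tripwire's code. Detects the user-mode trick of replacing
ls/ps/netstat with Trojaned copies; it cannot see a kernel-mode rootkit that
leaves the files on disk untouched, and it is only as honest as the read()
calls it makes, so run it from a clean boot against the offline disk.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):         # hash real files, not symlinks
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify(root, baseline):
    """Compare the tree against a stored baseline; report every drift."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed tree with stand-ins for ls/ps/netstat, then a simulated rootkit install."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original " + name.encode())
        baseline = build_baseline(root)
        manifest = json.dumps(baseline, indent=1)   # this is what goes on read-only media

        # Simulated user-mode rootkit: Trojan ps, drop a sniffer, delete netstat.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"trojaned ps that omits the attacker's processes")
        with open(os.path.join(bindir, ".sniffer"), "wb") as f:
            f.write(b"packet sniffer")
        os.remove(os.path.join(bindir, "netstat"))

        return verify(root, json.loads(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest is serialized before the simulated compromise and reloaded for verification to mirror the real workflow: the baseline must come from somewhere the attacker cannot edit, otherwise a rootkit that rewrites ps simply rewrites the stored digest too.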

Malware/Spyware/Rootkit Tools
- Sigcheck (Sysinternals)
- MSConfig.exe
- Autoruns (Sysinternals)
- Process Explorer (Sysinternals)
- RootkitRevealer (Sysinternals)

Rootkits in the Limelight
- ContextPlus, Inc., makers of the Apropos and PeopleOnPage adware programs
  - Apropos, a spyware program, collects users' browsing habits and system information and reports back to the ContextPlus servers
  - The data is used to serve targeted pop-up advertisements while the user is surfing the web
  - Ships with a sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes
- The FU rootkit was extremely widespread in 2005
  - FU only hides processes, elevates process privileges, and fakes out the Windows Event Viewer
  - FU was among the top five pieces of malware deleted by Microsoft's free Malicious Software Removal Tool

Rootkits in the Limelight (cont'd)
Hacker Defender
- A user-mode rootkit; author "Holy Father"
- Hides many things: files, processes, services, registry values, ports
- Able to hook the logon API to capture passwords
- Customers can pay the developers ($100-$900) for a custom build of the software that evades detectors

Rootkits in the Limelight (cont'd): customized Hacker Defender (screenshot)

Rootkits in the Limelight (cont'd)
Symantec Corp. admitted using a rootkit-type feature in Norton SystemWorks
- Hides a directory from the Windows APIs, to stop customers from accidentally deleting files
- Norton SystemWorks' Norton Protected Recycle Bin uses a directory called NProtect that is hidden from the Windows APIs
- Because the directory is hidden, files in NProtect might not be scanned during virus scans (so malware could hide there too)
- Symantec recommends that SystemWorks users update the product immediately to ensure greater protection

Rootkits in the Limelight (cont'd)
Sony BMG's DRM rootkit
- Rootkit-like cloaking techniques used in the First 4 Internet DRM software Sony shipped on its audio CDs
- Extended Copy Protection (XCP) is a CD/DVD copy protection technology created by First 4 Internet Ltd.
- The software is designed to prevent protected CDs from being played with anything other than the included media player
- The DRM software hides files, processes and registry keys (anything whose name begins with $sys$)
- The DRM service is named "Plug and Play Device Manager"
- The software hides its information by modifying the execution path of several Native API functions (patching the system service table so its own code runs first)
- Comes with no uninstall feature; the EULA mentions neither the cloaking nor the absence of an uninstaller
- Removing the rootkit required opening a support call; deleting the driver by hand could crash the computer

Demo: malware detection tools

Rootkits in the Limelight (cont'd): detecting the Sony DRM rootkit (demo)

Microsoft Strider GhostBuster
- A clever prototype developed by Microsoft Research; it detects arbitrary persistent and stealthy software such as rootkits, Trojans and software keyloggers
How does it work?
- The checker runs inside the (possibly infected) OS: it stops all services, flushes caches and records a checksum of the file system state (the "inside" scan)
- The machine then boots from a clean CD and the same scan is taken again (the "outside" scan); the two are compared, and anything the running OS failed to report is what the rootkit hides
How to fool GhostBuster?
- Detect that such a checking program is running and either stop lying to it or change its output as it is written to disk
- Integrate into the BIOS rather than the OS
- Give up on either being persistent or being stealthy

Microsoft Strider GhostBuster (cont'd)
- Effective against keyloggers: type keystrokes after the first (inside) scan. This increases the size of the keylogger's log, so the log shows up as a difference in the clean scan
- To detect non-stealthy malware, compare the file output with a known-good list: compute a cryptographic hash of every file on the infected disk and match it against the Strider Known-* database
Scan procedure (diagram)
- Step 1: infected boot; "dir /s /a" on the infected drive produces the infected scan
- Step 2: clean boot from a WinPE CD; "dir /s /a" on the same drive produces the clean scan
- Step 3: WinDiff the two listings; entries present only in the clean scan are the files hidden by the rootkit
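An added example (not Strider GhostBuster's own code) of the Step 3 comparison above and of the keylogger log-growth trick, which also implements the "compare offline and online scans" check from the defense slides: a parser for Windows "dir /s /a" output and a diff that reports entries present only in the clean scan (hidden by the rootkit) and entries whose size differs between the two scans. Both listings are constructed for this example; the cloaked names ($sys$DRMServer.exe, $sys$aries.sys), keylog.dat and all sizes are assumptions, not captured data.

```python
"""Parse two 'dir /s /a' listings (inside the running OS vs. from a clean WinPE boot)
and report what the inside view lies about.

Added example, not Strider GhostBuster's code. The listings below are constructed;
the cloaked names, keylog.dat and the sizes are assumptions.
"""
import re

# One entry line of dir output: date, time, <DIR> or byte count, name.
ENTRY = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}(?:\s*[AP]M)?\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")

# Constructed "inside" scan: taken while the rootkit runs, so its hooks filter the view.
INSIDE_SCAN = r""" Volume in drive C has no label.

 Directory of C:\WINDOWS\system32

11/05/2005  10:12 AM    <DIR>          .
11/05/2005  10:12 AM    <DIR>          ..
11/05/2005  10:12 AM    <DIR>          drivers
08/04/2004  12:00 PM           708,096 ntdll.dll
11/05/2005  09:58 AM             1,024 keylog.dat
               2 File(s)        709,120 bytes

 Directory of C:\WINDOWS\system32\drivers

11/05/2005  10:12 AM    <DIR>          .
11/05/2005  10:12 AM    <DIR>          ..
08/04/2004  12:00 PM           574,976 ntfs.sys
               1 File(s)        574,976 bytes
"""

# Constructed "outside" scan: same disk from a WinPE boot, after keystrokes were typed
# between the two scans (so the keylogger's log grew), with nothing hooking dir.
OUTSIDE_SCAN = r""" Volume in drive C has no label.

 Directory of C:\WINDOWS\system32

11/05/2005  10:12 AM    <DIR>          .
11/05/2005  10:12 AM    <DIR>          ..
11/05/2005  10:12 AM    <DIR>          drivers
08/04/2004  12:00 PM           708,096 ntdll.dll
11/05/2005  10:31 AM             2,560 keylog.dat
11/05/2005  10:12 AM           118,784 $sys$DRMServer.exe
               3 File(s)        829,440 bytes

 Directory of C:\WINDOWS\system32\drivers

11/05/2005  10:12 AM    <DIR>          .
11/05/2005  10:12 AM    <DIR>          ..
08/04/2004  12:00 PM           574,976 ntfs.sys
11/05/2005  10:12 AM            10,240 $sys$aries.sys
               2 File(s)        585,216 bytes
"""


def parse_dir_listing(text):
    """Map full path -> size in bytes (None for directories)."""
    entries = {}
    current_dir = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group(1).rstrip("\\")
            continue
        m = ENTRY.match(line)
        if not m or current_dir is None:
            continue
        size_field, name = m.groups()
        if name in (".", ".."):
            continue
        size = None if size_field == "<DIR>" else int(size_field.replace(",", ""))
        entries[current_dir + "\\" + name] = size
    return entries


def cross_view(inside_text, outside_text):
    """The WinDiff step: what the clean boot sees that the running OS did not."""
    inside = parse_dir_listing(inside_text)
    outside = parse_dir_listing(outside_text)
    return {
        # Present only in the clean scan: cloaked by the rootkit's hooks.
        "hidden": sorted(set(outside) - set(inside)),
        # Present in both but a different size: e.g. a keylogger log fed keystrokes between scans.
        "size_changed": sorted(p for p in inside.keys() & outside.keys() if inside[p] != outside[p]),
        # Present only inside: transient files of the running OS; review, but usually noise.
        "only_inside": sorted(set(inside) - set(outside)),
    }


if __name__ == "__main__":
    for kind, paths in cross_view(INSIDE_SCAN, OUTSIDE_SCAN).items():
        print(kind, paths)
```

On a real machine the size_changed list also carries legitimate churn (event logs, pagefile, prefetch), which is why the deck has the inside scan stop services and flush caches first; filtering a known-volatile path list before reporting keeps the keylogger's log from drowning in that noise.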

Microsoft Strider GhostBuster (cont'd)
Characteristics of a GhostBuster scan
- Deterministically, efficiently and effectively detects today's file-hiding software
- Helps computer users gain back trustworthy file-query operations and forces malware programs to give up file hiding, therefore always exposing themselves to the Gatekeeper ASEP (auto-start extensibility point) scan and to anti-virus-style known-bad signature scans
- Does not require known-bad signatures, hence no signature updates
- Assumes that any data gathered through any application or OS component running inside an infected OS cannot be trusted

Recap
- Rootkit definition
- Rootkit defense: defense in depth, a multilayered approach
  - Secure your perimeter and protect your internal clients
  - Patch updates
  - Security awareness
  - No-execute hardware support: use DEP
  - Firewalled internal zones and desktops
  - Use antispyware and antivirus software
  - Messaging hygiene (FrontBridge and Sybari Antigen)
  - LPA: run as non-admin

Recap (cont'd)
- Rootkit defense, antispyware kit: Microsoft AntiSpyware, RootkitRevealer, RKDetect, F-Secure BlackLight, chkrootkit
- Other tools for malware detection and investigation: Sigcheck, Autoruns and Process Explorer
- If infected: format and reinstall

Resources
- Microsoft AntiSpyware - e/software/default.mspx
- Malicious Software Removal Tool - e/default.mspx
- Sysinternals -

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.