Hiding Malware Rootkits
CS-695 Host Forensics, Georgios Portokalidis, 4/2/2013
Why Hide?
- The longer you stay undetected, the better
- Avoid:
  - Removal
  - Analysis (how does it work?)
  - Blame (who dunnit?)
How Would You Hide?
- Deception: present a fake image of how things are
- How do we examine the system? We've seen some tools earlier in this course
- Possibilities:
  - Modify programs to lie
  - Modify the kernel to lie
  - Modify the VM to lie
  - Modify the hardware to lie?
Rootkits
- Malicious software designed to hide malware-related data:
  - Files
  - Processes
  - Logins
  - Network connections
- The lower the level controlled, the better! Because the rootkit can lie to everything running above it
- Levels:
  - Hypervisor-level rootkits
  - Bootkits
  - Firmware-level bootkits
  - Kernel-level rootkits
  - User-level rootkits
User-level Rootkits
- Modify utilities: ps, netstat, top, sshd
- API hooks: replace system calls, etc.
- Applications: alter behavior (e.g., modify Windows Explorer to hide a file)
Kernel-level Rootkits
- Mostly implemented as Loadable Kernel Modules
- Modify or add:
  - Kernel code (Phantasmagoria adds instructions in system calls)
  - Kernel data structures (remove malware from process lists, as FU does)
  - APIs (Knark adds entries in the proc file system, SuckIT adds new system calls)
Hypervisor Rootkits
- Runs with higher privilege than the kernel
- Developed in academia: the SubVirt paper, Blue Pill
- Privilege rings:
  - Ring 3: applications
  - Rings 1 and 2: unused
  - Ring 0: kernel
  - Ring -1 (Intel VT-x, AMD-V): reserved for the hypervisor, where the rootkit runs
Firmware-level Rootkits
- Firmware is the lowest level of software that controls certain operations of hardware
- Until recently the integrity of firmware was not checked; companies have only recently started using signed firmware updates
- Examples:
  - Organized crime tampers with European card-swipe devices
  - Attacks on BIOS anti-theft devices turn them into rootkits
Defenses
- Check for file integrity: Tripwire, chkrootkit
- Check for divergent results: checkps
- Protect hooks: system calls, internal kernel APIs
- Code integrity checks: page-level signing
File Integrity Testing
- Example:
  - Create MD5s of the binaries on the system
  - Periodically check the installed binaries against the stored MD5s
- Challenges?
  - Storing the MD5s out of reach
  - Keeping up with updates
  - Storing the tools out of reach!
- Limitations?
  - In-memory modifications
  - Lower-level rootkits
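The baseline-and-recheck loop described on this slide, written out as an added example (this is not code from the lecture or from Tripwire/chkrootkit). It uses SHA-256 where the slide says MD5, walks a directory tree, and reports modified, missing and added files; the "binaries" and the rootkit's replacement of ps are constructed inside a temporary directory so it runs offline.

```python
"""Added example: file-integrity baseline in the style of Tripwire.
Not the deck's code; the sample tree below is constructed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def check_baseline(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and diff it against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: a fake bin directory with two 'binaries'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ps").write_bytes(b"\x7fELF original ps")
        (root / "netstat").write_bytes(b"\x7fELF original netstat")
        baseline = build_baseline(root)
        # The baseline must live on read-only media or another host;
        # serialising it here only shows the shape that would be stored.
        stored = json.loads(json.dumps(baseline))
        # Simulate a user-level rootkit: ps replaced, netstat removed, top dropped in.
        (root / "ps").write_bytes(b"\x7fELF trojaned ps")
        os.remove(root / "netstat")
        (root / "top").write_bytes(b"\x7fELF new binary")
        return check_baseline(root, stored)


if __name__ == "__main__":
    print(demo())
```

The checker itself is subject to the slide's limitation: if the hash tool, the hashing library or the kernel serving the reads has been modified in memory, the comparison can be made to lie, which is why the tools and the baseline both have to be kept out of the attacker's reach.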
Looking for Divergent Results
- Example:
  - Run binaries and collect their results: ps, top, netstat
  - Collect results from other sources: directly access the /proc filesystem
  - Compare the results to find discrepancies
- Challenges?
  - Finding other sources of information
  - False alerts, since the system state is dynamic
  - Storing the tools out of reach!
- Limitations?
  - In-memory modifications
  - Lower-level rootkits
  - Frequently rootkit-specific
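A cross-view check of the kind this slide describes, added here as an example (it is not the lecture's code and not checkps). It parses `ps`-style output, lists numeric directories from a /proc-like tree, and, to handle the "system state is dynamic" false-alert problem, only reports a PID that was present in /proc both before and after `ps` ran yet absent from `ps` output. The `ps` text and the fake /proc tree are constructed so the block runs offline; on a live host you would pass `Path("/proc")` and real `ps -e` output.

```python
"""Added example: divergent-results check, ps output versus /proc.
Not the deck's or checkps's code; inputs below are constructed."""
import re
import tempfile
from pathlib import Path


def parse_ps_pids(ps_output: str) -> set:
    """PIDs reported by `ps -e`-style output (header line skipped)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def list_proc_pids(proc_root: Path) -> set:
    """Every numeric directory under proc_root is a process the kernel admits to."""
    return {int(p.name) for p in proc_root.iterdir() if p.is_dir() and p.name.isdigit()}


def hidden_pids(proc_before: set, ps_pids: set, proc_after: set) -> list:
    """PIDs present in /proc in both snapshots but missing from ps.
    Requiring both snapshots filters processes that exited while ps ran."""
    stable = proc_before & proc_after
    return sorted(stable - ps_pids)


def demo() -> list:
    ps_text = (  # constructed `ps -e` output
        "  PID TTY          TIME CMD\n"
        "    1 ?        00:00:03 init\n"
        "  412 ?        00:00:00 sshd\n"
        "  987 pts/0    00:00:00 bash\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        proc = Path(tmp)  # constructed stand-in for /proc
        for pid in (1, 412, 987, 1337, 2001):
            (proc / str(pid)).mkdir()
        (proc / "cpuinfo").write_text("")  # non-process entries are ignored
        before = list_proc_pids(proc)
        (proc / "2001").rmdir()  # 2001 exits between snapshots: transient, not hidden
        after = list_proc_pids(proc)
        return hidden_pids(before, parse_ps_pids(ps_text), after)


if __name__ == "__main__":
    print(demo())  # 1337 is in /proc but not in ps output
```

This only catches a user-level rootkit that altered `ps` or its libraries; a kernel-level rootkit that filters the /proc view itself makes both sources agree, which is the "lower-level rootkits" limitation on the slide.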
Monitor API Hooks
- Example:
  - Store the currently used, known-good set of hooks
  - Periodically read the values of the hooks
  - Compare the values to identify hooks that have been replaced
- Challenges?
  - Which APIs should be monitored
  - False alerts: hooks can be placed for legitimate reasons (that's usually the problem with running multiple antivirus engines on your PC)
  - Storing the tools out of reach!
- Limitations?
  - Cannot detect changes in kernel code, or in kernel data structures other than the APIs
  - Lower-level rootkits
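An added example of the hook-monitoring loop on this slide (not the lecture's code). It takes a known-good snapshot of system call table entries, re-reads them later, and flags entries that changed; as an extra check beyond the slide, it also reads `_stext`/`_etext` from kallsyms-style text so that a hook pointing outside the core kernel's text can be called out. The kallsyms lines and the hook table are constructed; the symbol names are ordinary kernel names but the addresses are made up.

```python
"""Added example: detect replaced kernel hooks against a stored baseline.
Not the deck's code; the kallsyms text and addresses are constructed."""
from typing import Dict, List, Tuple

# constructed /proc/kallsyms excerpt (addresses are made up)
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81060a40 T sys_read
ffffffff81060c10 T sys_write
ffffffff81062f00 T sys_getdents64
ffffffff81a00000 T _etext
ffffffffa0012000 t mod_getdents64\t[some_module]
"""


def parse_kallsyms(text: str) -> Dict[str, int]:
    """name -> address for each 'addr type name [module]' line."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            syms[parts[2]] = int(parts[0], 16)
    return syms


def kernel_text_range(syms: Dict[str, int]) -> Tuple[int, int]:
    return syms["_stext"], syms["_etext"]


def audit_hooks(baseline: Dict[str, int], current: Dict[str, int],
                text_range: Tuple[int, int]) -> List[Tuple[str, str]]:
    """Compare the current hook values with the known-good snapshot."""
    lo, hi = text_range
    findings = []
    for name, addr in current.items():
        inside = lo <= addr < hi
        if name not in baseline:
            findings.append((name, "new hook"))
        elif addr != baseline[name]:
            where = "inside kernel text" if inside else "outside kernel text"
            findings.append((name, f"changed, now {where}"))
        elif not inside:
            # unchanged since baseline, but the baseline itself was already suspect
            findings.append((name, "outside kernel text"))
    return findings


def demo() -> List[Tuple[str, str]]:
    syms = parse_kallsyms(KALLSYMS)
    hooks = ("sys_read", "sys_write", "sys_getdents64")
    baseline = {h: syms[h] for h in hooks}  # taken while the system is known-good
    current = dict(baseline)
    # later reading: the getdents64 entry now points into a module's text
    current["sys_getdents64"] = syms["mod_getdents64"]
    return audit_hooks(baseline, current, kernel_text_range(syms))


if __name__ == "__main__":
    for name, status in demo():
        print(f"{name}: {status}")
```

The false-alert problem from the slide shows up immediately in practice: any legitimate security module that hooks the same entries will trip the "outside kernel text" rule, so a deployed monitor needs an allow-list of module text ranges, and the baseline must be captured before any such module could have been tampered with.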
Code-integrity Checking
- Example:
  - Upon loading a page of code, hash its contents
  - Periodically re-hash every page and check it against the previously taken hash
- Can be done by:
  - The kernel
  - A hypervisor
  - A coprocessor
- Challenges:
  - Storing the hashes out of reach
  - Keeping up with code updates
  - Code provenance
- Limitations:
  - Pages containing both code and data
  - Lower-level rootkits
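Page-granular hashing as described here, added as an example that is not from the lecture. It hashes a constructed three-page "kernel text" image at 4 KiB granularity, then shows both outcomes the slide lists: a patched instruction in a pure code page is detected, and a legitimate data write into a page that mixes code and data raises exactly the false alarm named under Limitations. The base address and the byte contents are made up.

```python
"""Added example: page-level code-integrity hashes and the mixed-page limitation.
Not the deck's code; the image and base address are constructed."""
import hashlib
from typing import Dict, List

PAGE = 4096


def page_hashes(image: bytes, base: int = 0) -> Dict[int, str]:
    """Map each page-aligned start address to the SHA-256 of that page's bytes."""
    return {base + off: hashlib.sha256(image[off:off + PAGE]).hexdigest()
            for off in range(0, len(image), PAGE)}


def changed_pages(baseline: Dict[int, str], current: Dict[int, str]) -> List[int]:
    """Addresses whose current hash differs from (or is missing in) the baseline."""
    return sorted(a for a, h in current.items() if baseline.get(a) != h)


def demo():
    base = 0xFFFFFFFF81000000  # constructed load address
    # pages 0 and 1: pure code (nop sled); page 2: 100 bytes of code then data
    image = bytes([0x90] * (2 * PAGE)) + bytes([0xC3] * 100) + bytes(PAGE - 100)
    baseline = page_hashes(image, base)  # taken when the code was loaded

    # (1) a legitimate store into the data part of the mixed page
    benign = bytearray(image)
    benign[2 * PAGE + 200] = 1
    false_alarm = changed_pages(baseline, page_hashes(bytes(benign), base))

    # (2) a one-byte patch of an instruction in a pure code page
    patched = bytearray(image)
    patched[PAGE + 16] = 0xE9
    detected = changed_pages(baseline, page_hashes(bytes(patched), base))
    return false_alarm, detected


if __name__ == "__main__":
    fa, det = demo()
    print("mixed-page false alarm at:", [hex(a) for a in fa])
    print("code patch detected at:   ", [hex(a) for a in det])
```

Both results are reported identically by the hashing alone; distinguishing them needs either a layout that never shares a page between code and writable data, or a hash computed over only the code bytes of such pages, which in turn requires knowing where the boundary is.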
Countering Kernel Rootkits with Lightweight Hook Protection
Protecting Kernel Hooks
- What are hooks? Function callbacks that are dynamically set and called when certain conditions occur, e.g., event_callback(void *ptr)
- The system call table contains hooks
- Hooks can be distributed around the kernel; example: heap-allocated structures containing callbacks, such as struct io_struct { callback_t readf, writef; }
Protecting Kernel Hooks
- Rootkits can modify hooks to receive control of certain events
- How can we protect these hooks from being overwritten? Make them read-only for the kernel
- We need to find them first! This is what this paper proposes
- Why is this possible?
Find the Hooks
- We need to find:
  - The function pointers
  - The instructions accessing them
- Accomplished through a combination of static and dynamic analysis:
  - Analyze the source code statically
  - Execute the kernel in an emulator (QEMU)
Protect the Hooks
- Move the hooks to a memory-protected area: they can no longer be overwritten arbitrarily
- Control how they are used by legitimate code: hook indirection
SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes
SecVisor
- Goal: ensure code integrity even if the kernel has been compromised; code can be injected but not executed
- Why tiny?
  - Smaller attack surface
  - Fewer changes required for adoption
  - Faster
Virtualized Page Tables
- Hypervisor page tables enforce stricter memory permissions: shadow page tables, nested page tables
- Intercept boundary crossings (user/kernel) to update the protections
- How can we load new code? Target memory protection
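A small model of the policy these two slides describe, added as an example; it is not SecVisor's code and the hypervisor mechanics (shadow or nested page tables, the intercepts themselves) are replaced by a Python class that simply owns the permission table. The assumptions it encodes are: approved kernel code is executable only in kernel mode and is never writable, kernel data is never executable (so injected code cannot run), user pages are executable only in user mode, and a page becomes kernel code only when its contents hash to a previously approved value. Page addresses, contents and the approved hash are constructed.

```python
"""Added example: simplified model of hypervisor-enforced kernel code integrity.
Not SecVisor's code; addresses, page contents and approved hashes are constructed."""
import hashlib
from enum import Enum

PAGE = 4096


class Mode(Enum):
    USER = "user"
    KERNEL = "kernel"


class TinyMonitor:
    """Owns the 'real' page-table permissions and re-derives them on each
    user/kernel boundary crossing (the intercept the slide mentions)."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)  # hashes of code allowed to run in ring 0
        self.pages = {}   # addr -> {"kind": kernel_code|kernel_data|user, "data": bytearray}
        self.pte = {}     # addr -> permission set currently enforced
        self.mode = Mode.USER

    def map_page(self, addr, kind, data=b""):
        self.pages[addr] = {"kind": kind, "data": bytearray(data.ljust(PAGE, b"\0"))}
        self._rebuild()

    def _rebuild(self):
        for addr, p in self.pages.items():
            if p["kind"] == "kernel_code":      # approved code: RX in kernel mode, never W
                perms = {"r", "x"} if self.mode is Mode.KERNEL else {"r"}
            elif p["kind"] == "kernel_data":    # never executable, whatever was written
                perms = {"r", "w"}
            else:                               # user page: X only while in user mode
                perms = {"r", "w", "x"} if self.mode is Mode.USER else {"r", "w"}
            self.pte[addr] = perms

    def switch_mode(self, mode):
        """Intercepted boundary crossing (syscall entry or return to user)."""
        self.mode = mode
        self._rebuild()

    def access(self, addr, op):
        return op in self.pte[addr]

    def write(self, addr, offset, data):
        if not self.access(addr, "w"):
            return False
        self.pages[addr]["data"][offset:offset + len(data)] = data
        return True

    def load_kernel_code(self, addr):
        """Kernel asks to make a page executable code (e.g., a module load):
        granted only if the page's contents hash to an approved value."""
        digest = hashlib.sha256(bytes(self.pages[addr]["data"])).hexdigest()
        if digest not in self.approved:
            return False
        self.pages[addr]["kind"] = "kernel_code"
        self._rebuild()
        return True


def demo() -> dict:
    good = b"\x90" * 16 + b"\xc3"  # constructed 'approved' code
    mon = TinyMonitor({hashlib.sha256(good.ljust(PAGE, b"\0")).hexdigest()})
    K_CODE, K_DATA, U_PAGE, STAGE = 0x1000, 0x2000, 0x3000, 0x4000
    mon.map_page(K_CODE, "kernel_code", good)
    mon.map_page(K_DATA, "kernel_data")
    mon.map_page(U_PAGE, "user")
    mon.map_page(STAGE, "kernel_data")
    mon.switch_mode(Mode.KERNEL)
    r = {
        "kernel runs its code": mon.access(K_CODE, "x"),
        "kernel can patch its code": mon.write(K_CODE, 0, b"\xe9"),
        "bytes injected into data": mon.write(K_DATA, 0, b"\xcc\xcc"),
        "injected bytes execute": mon.access(K_DATA, "x"),
        "kernel executes user page": mon.access(U_PAGE, "x"),
        "unapproved page promoted": mon.load_kernel_code(K_DATA),
    }
    mon.write(STAGE, 0, good)  # staging an approved image, then loading it
    r["approved page promoted"] = mon.load_kernel_code(STAGE)
    r["promoted page executes"] = mon.access(STAGE, "x")
    mon.switch_mode(Mode.USER)
    r["user executes kernel code"] = mon.access(K_CODE, "x")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes the "code can be injected but not executed" claim concrete: the write into the data page succeeds, but no mode ever grants it execute permission, and the only route to executable kernel memory is the hash check at load time, which is also where the code-provenance problem from the later slide lives.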
What About?
- Loadable kernel modules: loading goes through SecVisor; requires symbol relocation support
- Hardware devices that can write to memory: DMA
How Tiny? Limitations
- Only single-CPU systems supported
- Self-modifying code
- Code provenance
SubVirt: Implementing malware with virtual machines
Rootkits as VMs: regular virtualization configuration
- Hardware
- Hypervisor
- VM 1, VM 2, …, VM n, each with its own kernel and processes
Rootkits as VMs: on most PCs
- Hardware
- Hypervisor
- Kernel
- Process, process, process, …
Rootkits as VMs: with a hypervisor rootkit
- Hardware
- Undetectable rootkit (in the hypervisor's place)
- VM 1: the original kernel and its processes
How Is It Done?
- Getting the rootkit to run:
  - Store it to disk (antiviruses scan for this)
  - Modify the boot sequence to execute the rootkit; only do it at the last possible moment
  - Could this be bypassed? Reboot
How Is It Done? (cont.)
- Install malicious services. Why? To control the rootkit
- Modify the user (target) operating system
Removing Such Rootkits?
- Be a level lower: boot from an alternative medium
- How about just detecting?
Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
Return-Oriented Programming
- Stack (esp points at the top): gadget addresses (0xb...) interleaved with data values (0x...)
- Code (gadget addresses shown as 0xb...):
  - pop eax; ret; ...
  - pop ebx
  - add eax, ebx
  - mov [ebx], eax
- Actions, in order:
  - eax = 1
  - ebx = 2
  - eax += ebx
  - ebx = 0x400000
  - *ebx = eax
ROP-based Rootkits as Easy as Compiling