Presentation is loading. Please wait.

Presentation is loading. Please wait.

16/03/2009Igor Neri - Sicurezza Informatica1/34 Rootkit: Analysis, Detection and Protection Igor Neri Sicurezza Informatica – Prof. Bistarelli.

Published byAndres Douthitt Modified over 9 years ago

Similar presentations

Presentation on theme: "16/03/2009Igor Neri - Sicurezza Informatica1/34 Rootkit: Analysis, Detection and Protection Igor Neri Sicurezza Informatica – Prof. Bistarelli."— Presentation transcript:

1 16/03/2009Igor Neri - Sicurezza Informatica1/34 Rootkit: Analysis, Detection and Protection Igor Neri Sicurezza Informatica – Prof. Bistarelli

2 16/03/2009Igor Neri - Sicurezza Informatica2/34 Definition of Rootkit A rootkit is malware which consists of a set of programs designed to hide or obscure the fact that a system has been compromised.

3 16/03/2009Igor Neri - Sicurezza Informatica3/34 What does a Rootkit do? Hides Attacker Activities

4 16/03/2009Igor Neri - Sicurezza Informatica4/34 What does a Rootkit do? Hides Attacker Activities Provides unauthorized access

5 16/03/2009Igor Neri - Sicurezza Informatica5/34 What does a Rootkit do? Hides Attacker Activities Provides unauthorized access Cleans Logs

6 16/03/2009Igor Neri - Sicurezza Informatica6/34 Classification User SpaceKernel Space

7 16/03/2009Igor Neri - Sicurezza Informatica7/34 Classification Ring 0 - full access to all memory and the entire instruction set Ring 3 - restricted memory access and instruction set availability

8 16/03/2009Igor Neri - Sicurezza Informatica8/34 User Space Replace specific system program used to extract information from the system Can include additional tools like sniffers and password crackers

9 16/03/2009Igor Neri - Sicurezza Informatica9/34 User Space: Hiding File Hiding: du, find, sync, ls, df, lsof, netstat Processes Hiding: killall, pidof, ps, top, lsof Connections Hiding: netstat, tcpd, lsof, route, arp Logs Hiding: syslogd, tcpd Logins Hiding: w, who, last

10 16/03/2009Igor Neri - Sicurezza Informatica10/34 User Space: Grant Access Backdoors: inetd, login, rlogin, rshd, telnetd, sshd, su, chfn, passwd, chsh, sudo SNIFFING & data acquisitions: ifconfig (hide the PROMISC flag), passwd

11 16/03/2009Igor Neri - Sicurezza Informatica11/34 User Space: Clean addlen: tool to fit the trojaned file size to the original one fix: changes the creation date and checksum of any program wted: has edit capabilities of wtmp and utmp log files zap: zeroes out log files entries zap2 (z2): erases log files entries: utmp, wtmp, lastlog

12 16/03/2009Igor Neri - Sicurezza Informatica12/34 User Space: summary Easy to write/install Too many binaries to replace thus prone to mistakes Verifications through checksums is easy and OS dependent Old type

13 16/03/2009Igor Neri - Sicurezza Informatica13/34 Kernel Space The goal of a kernel rootkit is placing the malicious code inside the kernel by manipulating the kernel source / structure No need to substitute binaries, kernel modification affects all binaries system call Complex to write Complex to identify

14 16/03/2009Igor Neri - Sicurezza Informatica14/34 How is the flow of execution intercepted? The flow of execution needs to be intercepted or modified at some point The manipulation can take place at many different levels Example: ls command

15 16/03/2009Igor Neri - Sicurezza Informatica15/34 Normal Execution Flow Executing a syscall in the kernel: Interrupt handler consults the IDT System call handler consults Syscall Table Function implementing the system call execute other kernel functions

16 16/03/2009Igor Neri - Sicurezza Informatica16/34 Manipulating the Syscall Table The rootkit is called instead of original function Rootkit acts as a wrapper Method used by first kernel rootkits Example: Adore

17 16/03/2009Igor Neri - Sicurezza Informatica17/34 Copying the syscall table/handler Original syscall table is not modified Modified syscall handler uses manipulated copy Example: SucKIT

18 16/03/2009Igor Neri - Sicurezza Informatica18/34 Manipulating the IDT A different syscall handler is used, which calls rootkit No need to modify syscall handler or syscall table

19 16/03/2009Igor Neri - Sicurezza Informatica19/34 Manipulation deeper inside the kernel Less central kernel structures are manipulated Hard to detect since many kernel structures need to be monitored

20 16/03/2009Igor Neri - Sicurezza Informatica20/34 Kernel rootkit example Target Program: netstat netstat provide information about network connection root@localhost# netstat −an [cut] tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:1025 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN We want to hide the service on 8080

21 16/03/2009Igor Neri - Sicurezza Informatica21/34 How netstat works root@localhost# strace netstat -an [cut] open("/proc/net/tcp", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0444, st_size=0,...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, −1, 0) = 0x40191000 read(3, " sl local_address rem_address "..., 4096) = 900 write(1, "tcp 0 0 0.0.0.0:8080"..., 81tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN) = 81 write(1, "tcp 0 0 127.0.0.1:10"..., 81 [cut] close(3)

22 16/03/2009Igor Neri - Sicurezza Informatica22/34 Altering open and read syscall Hijacking on init module phase: old_open=sys_call_table[__NR_open]; sys_call_table[__NR_open]=new_open; old_read=sys_call_table[__NR_read]; sys_call_table[__NR_read]=new_read; Check on file opening: if (strstr (filename,"/proc/net/tcp")) ACTIVA = 1; r=old_open(filename,flags,mode); Variable ACTIVA useful on read syscall

23 16/03/2009Igor Neri - Sicurezza Informatica23/34 Altering open and read syscall Check on file reading, if process netstat and file /proc/net/tcp r=old_read(fd,buf,count); if(r comm,"netstat")!=0) ||(ACTIVA==0)) return r; Then we'll search for occurrence to hide and we'll remove that from r

24 16/03/2009Igor Neri - Sicurezza Informatica24/34 Load kernel module & try Load module root@localhost# insmod hide_netstat.ko re-run netstat root@localhost# netstat −an [cut] tcp 0 0 127.0.0.1:1025 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN [cut]

25 16/03/2009Igor Neri - Sicurezza Informatica25/34 Detection Checksums of important files (aide, tripwire, …) Rootkit detector programs using signatures (chkrootkit, rootkit hunter,...) Backups of central kernel structures (kstat) Runtime measurement of system calls (patchfinder) Anti-rootkit kernel modules (St Michael) Offline / forensic analysis (TCT, …) Watching the network traffic-flows from 3rd system Manual logfile analysis and search

26 16/03/2009Igor Neri - Sicurezza Informatica26/34 DEMO Login on remote host via SSH using Debian OpenSSL vulnerability (DSA-1571) Installation of homemade rootkit and Adore-NG rootkit with example of use Detection via system analysis and detection tools: chkrootkit e rkhunter+skdet

27 16/03/2009Igor Neri - Sicurezza Informatica27/34 DEMO: What's SSH SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Key Based Authentication:  First, a pair of cryptographic keys is generated.  One is the private key; the other is the public key. The public key is installed on the remote machine and is used by ssh to authenticate users which use private key.

28 16/03/2009Igor Neri - Sicurezza Informatica28/34 DEMO: DSA-1571 Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

29 16/03/2009Igor Neri - Sicurezza Informatica29/34 DEMO

30 16/03/2009Igor Neri - Sicurezza Informatica30/34 Protecting the system Applying runtime detection methods OS / Kernel Hardening Patching the vulnerabilities Restricted operations and capabilities LKM Protection

31 16/03/2009Igor Neri - Sicurezza Informatica31/34 Famous case: Ken Thompson vs. Naval Lab. compile(s) char *s; { if(match(s,”pattern1”)){ compile(“bug1”); return; } if(match(s,”pattern2”)){ compile(“bug2”); return; } … } Reflections on Trusting Trust Ken Thompson

32 16/03/2009Igor Neri - Sicurezza Informatica32/34 Famous Case: Sony BMG CD copy protection The copy protection scandal concerns the copy protection measures included by Sony BMG on compact discs in 2005. This software was automatically installed on Windows desktop computers when customers tried to play the CDs.

33 16/03/2009Igor Neri - Sicurezza Informatica33/34

34 16/03/2009Igor Neri - Sicurezza Informatica34/34 References “SHADOW WALKER” Raising The Bar For Rootkit Detection UNIX and Linux based Kernel Rootkits (DIMVA 2004 - Andreas Bunten) Rootkits: Subverting the Windows Kernel Countering Trusting Trust through Diverse Double-Compiling (DDC), David A. Wheeler Reflections on Trusting Trust Ken Thompson Analysis of Rootkits: Attack Approaches and Detection Mechanisms - Alkesh Shah http://packetstormsecurity.org/UNIX/penetration/rootkits/ Come costruire un mini-rootkit I - Nascondiamoci da Netstat - blAAd!

Download ppt "16/03/2009Igor Neri - Sicurezza Informatica1/34 Rootkit: Analysis, Detection and Protection Igor Neri Sicurezza Informatica – Prof. Bistarelli."

Similar presentations

COEN 250 Computer Forensics Unix System Life Response.

COEN 250 Computer Forensics Unix System Life Response.
Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr.

Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October 23 2003.

1 Future Technologies Group Shane Canon, canon at nersc dot govSummer Linux Kernel Class Root Kit Protection and Detection Shane Canon October
Rootkits.

Rootkits.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓.

電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓.
1 電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓.

1 電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.

Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems.

Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Linux Networking and Security Chapter 10 File Security.

Linux Networking and Security Chapter 10 File Security.
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )

Similar presentations

Ads by Google