1. 2006 Black Security1 Rootkits: the basics Tim Shelton [BL4CK] Black Security redsand@blacksecurity.org http://blacksecurity.org

2. 2006 Black Security2 Introduction Black Security Research Group  Exploitation  Windows  Linux / BSD / *NIX  Embedded Systems  Information Security Research & Analysis  Application Security Development

3. 2006 Black Security3 Rootkits Rootkits: Common Techniques  Windows Rootkits & Malware  DLL Injection  Process Injection  User-land / Kernel-land Attacks  Linux / *BSD Rootkits  User-land Rootkit  Kernel-land Rootkit  Mac OSX Rootkits  User-land Rootkit  Kernel-land Rootkit

4. 2006 Black Security4 User-Land vs. Kernel- Land Multi-Layers of an Operating System  User-Land  Your personal applications run within this space  In case your application crashes, it will not affect the stability of the entire system.  Kernel-Land  This is the “heart” of your O/S.  Kernel Drivers  Virtual Memory Manager

5. 2006 Black Security5 Windows User-Land vs. Kernel-Land Executive Device Drivers Hardware Abstraction Layer (HAL) Kernel User Kernel Win32 User Apps Subsystem DLL System & Service Processes POSIXOS/2 Win32 User/GDI Environment Subsystems

6. 2006 Black Security6 Kernel-Land  Kernel Drivers  Virtual Memory Manager  Hardware Abstraction Layer  Startup/Shutdown Procedure

7. 2006 Black Security7 Windows User-Land vs. Kernel-Land

8. 2006 Black Security8 Windows Rootkits History  User-Land  NTIllusion DLL User-Land Rootkit  Vanquish – DLL Injection based Romanian rootkit – Detour Patching Example  IAT Rootkit by Darkeagle (http://eagle.blacksecurity.org)  Kernel-Land  Greg Hoglund’s NT Rootkit  FU by fuzen_op

9. 2006 Black Security9 Windows Rootkits Expected Behaviors  Resource Hooking & Monitoring  Registry/Process Hiding  File I/O (ZwOpen,ZwClose, etc)  Network NDIS/TDI  MSGina Hooking  Keystroke Logger (simple)  Theft of Personal Data  Remote Communication/Control

10. 2006 Black Security10 Windows User-Land Rootkits How does it work?  Patching Static Binaries  Modifying binaries to hide results Task Manager / Process Explorer Netstat / ipconfig More  Remote Code Injection  Remote Thread Injection / DLL Injection Controlling each User-Land processes

11. 2006 Black Security11 Windows User-Land Rootkits How does it work?  Patching Static Binaries  The Oldest “trick” in the book Replacing common Operating System utilities used for tracking down malicious activity, hindering those local tools from finding out what is “really happening”.  Common Issues Can become tedious, may miss some of the tools available. Your rootkit package will become increasingly larger and may risk being noticed. Cannot bypass file-system integrity checks. (Tripwire, Determina, etc)

12. 2006 Black Security12 Windows User-Land Rootkits How does it work?  Remote Code Injection  Remote DLL Injection Attacking each User-Land process will allow us to control those processes. What’s stopping us from recursively injecting ourselves into every process we can?

13. 2006 Black Security13 Windows User-Land Rootkits Remote Code Injection  Remote Thread Injection  Foundational building block of DLL Injection  Maximum size of remote thread is 4k (Default size of a page of virtual memory) One way to copy some code to another process's address space and then execute it in the context of this process involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly now - via WriteProcessMemory - and start its execution with CreateRemoteThread.

14. 2006 Black Security14 Windows User-Land Rootkits

15. 2006 Black Security15 Windows User-Land Rootkits Remote Code Injection  How Can We Inject Our Thread?  Windows NT/2k/XP/2k3 Methodology Our objective: copy some code to another process's address space and then execute it in the context of this process. This technique involves the use of remote threads and the WriteProcessMemory API. Basically you copy the code to the remote process directly now - via WriteProcessMemory - and start its execution with CreateRemoteThread.

16. 2006 Black Security16 Windows User-Land Rootkits Remote Code Injection  What is the IAT Table?  PE (Portable Executable) Format A global table that contains a list of all the function pointers to any function mapped into the running process This table is unique per process so it must be duplicated within all processes.

17. 2006 Black Security17 Windows User-Land Rootkits Remote Code Injection  What is function “hooking”?  Redirecting the “pointer” of the function to your malicious “fake” function.  Also called function proxying  Two methods of Function Proxying  Pointer Patching (easily detected)  Detour Patching (harder to detect)

18. 2006 Black Security18 Rootkit Basics Pointer Patching  Operating Systems use Global Tables to keep track of all the functions available from within a process.  By modifying one of these pointers to a function with a pointer to our “proxy” function, we can intercept the request and parse the results.

19. 2006 Black Security19 Rootkit Basics Pointer Patching  Why is this so bad?  Rootkit detectors can read the operating system and compare those tables to original copies, looking for changes.  If it finds a discrepancy, it will report as “hooked”

20. 2006 Black Security20 Rootkit Basics Detour Patching  What is detour patching?  By directly modifying the first few bytes immediately after the function located in memory, we can insert a “detour”  Detour: FAR JMP 0xDEADBEAF Where 0xDEADBEAF is a 4-byte pointer to your malicious proxy function Total patch size: 7 bytes

21. 2006 Black Security21 Rootkit Basics Detour Patching  Why is this so bad?  Rootkit detectors can read the first few bytes looking for “inappropriate” FAR JMP calls.  So will rootkits ever be undetectable? That’s why blackhats are driven to continue our research for 0day

22. 2006 Black Security22 Windows Kernel-Land Rootkits Kernel-Land Rootkits  A malicious Kernel Driver  Most of the functions you need to monitor are all accessible directly from Kernel-Land  Functions found in the SSDT (System Service Descriptor Table) similar to the User-Land IAT Table

23. 2006 Black Security23 Windows Kernel-Land Rootkits Kernel-Land Rootkits  A malicious Kernel Driver  “Hook” any exported Kernel API functions in order to monitor the results it returns  Detour Patching Kernel API functions  Hooking interrupts

24. 2006 Black Security24 Linux Rootkits History  User-Land  SSHEater-1.1 by Carlos Barros  Kernel-Land  Static-X’s Adore-NG 2.4/2.6 kernel rootkit  Rebel’s phalanx (patches /dev/mem) rebel@blacksecurity.org

25. 2006 Black Security25 Linux Rootkits User-Land  Patch User binaries (as before)  Contains same faults as Windows User- Land binary patching  Can still hook the GOT (Global Offset table) Kernel-Land 2.4/2.6  Hook the SYS_CALL Table, Interrupt Descriptor Table, and Global Descriptor Table  Detour Patching  Directly patch /dev/mem or /dev/kmem

26. 2006 Black Security26 Linux Rootkits User-Land  Signal Injection – Injecting your own thread into a running process using PTRACE_ATTACH and PTRACE_DETACH will allow your remote-thread to hook the GOT and other functions for a complete user-land runtime rootkit.  Example: SSHeater-1.1

27. 2006 Black Security27 Linux User-Land Rootkits Remote Code Injection  How Can We Inject Our Thread?  Linux / BSD Methodology Our objective: copy some code to another process's address space and then execute it in the context of this process. This technique involves the use of injecting remote signal handlers to take over the flow of execution (similar to how a debugger functions) By using ptrace-injection, we are able to PTRACE_ATTACH to the target process, inject our own malicious code, and then finally PTRACE_DETACH http://linuxgazette.net/issue83/sandeep.html http://linuxgazette.net/issue85/sandeep.html http://linuxgazette.net/issue83/sandeep.html http://linuxgazette.net/issue85/sandeep.html

28. 2006 Black Security28 Linux User-Land Rootkits Remote Code Injection  Linux Fluffy-Virus  First public linux user-land injection proof of concept code  http://www.tty64.org/doc/infschedvirii.txt http://www.tty64.org/doc/infschedvirii.txt  Methodology  Loader Attach to process & Inject both pre-virus and virus code Set EIP to pre-virus code  Pre-Virus Register SIGALRM Signal Handler Hand control back to process  Virus SIGALRM Handler invoked Begin our malicious code Jump back to pre-virus code

29. 2006 Black Security29 Linux Rootkits Issues with User-Land Rootkits  File Integrity tools such as Tripwire cannot be tricked by changing your backdoored binaries alone  One Way to trick Tripwire  Write your own remote patching thread to inject into Tripwire to hide the results (this would take research)

30. 2006 Black Security30 Linux Rootkits Kernel-Land  2.4 Kernel – SYS_CALL table is exported (so its easy to hook functions)  2.6 Kernel – SYS_CALL table is hidden  SuckIT – scans the IDT (Interrupt Descriptor Table) for FAR JMP *0xSCT[eax]

31. 2006 Black Security31 Linux Rootkits Kernel-Land  Proxy system calls necessary to trick the user  File I/O Functions Look for read() of /etc/shadow Hide other processes from /proc snooping  Socket I/O Functions (sniffing) Sniff username/passwords

32. 2006 Black Security32 Linux Rootkits Kernel-Land  What does this mean?  Rootkits target specific installs Rootkit targeting GRSEC Rootkit targeting SELINUX etc

33. 2006 Black Security33 Linux Rootkits Issues with Kernel-Land Rootkits  Requires a stealthy way to load your rootkit into the kernel.  Rootkit is vulnerable to detection if loader is not written properly  What can we patch that is reliable?  hostname  uname  other binaries executed on startup

34. 2006 Black Security34 Mac OSX Rootkits History  Still in early stages of research  Nemo released WeaponX as an original Proof-of-Concept  Mac responded by hardening their O/S Internals  Nemo responded (like any self- respecting blackhat) with his own improved rootkit

35. 2006 Black Security35 Mac OSX Rootkits Remote Code Injection  How Can We Inject Our Thread?  Mac OSX Methodology Our objective: copy some code to another process's address space and then execute it in the context of this process. This technique involves the use of injecting remote signal handlers to take over the flow of execution (similar to how a debugger functions)

36. 2006 Black Security36 Mach OsX Remote Injection /* get the task for the pid */ … [ Open Up the Process ] … /* allocate memory for shellcode */ vm_allocate(task_address, size) /* write shellcode */ vm_write(task,address,shellcode) /* overwrite pointer */ vm_write(task + offset,pointer address)

37. 2006 Black Security37 Mac OSX Rootkits Kernel-Land  WeaponX  SYSENT Table – exported so its easy to locate and “hook” Shortly after Nemo released WeaponX, Mac no longer exported the SYSENT Table  SYSENT – possible to utilize unix_syscall() which is an exported symbol to locate the unique location of the SYSENT Table.

38. 2006 Black Security38 Extended Rootkits to hide files in your  Video Driver’s memory  NIC Memory  Sound Card memory  BIOS/CMOS (eEye bootLoader)  the sky is the limit

39. 2006 Black Security39 Questions? O /\

40. 2006 Black Security40 About Us Black Security Research  http://blacksecurity.org  redsand@blacksecurity.org  Tim Shelton  Thanks to:  Nemo & AndrewG http://felinemenace.org  Rebel  Izik – TTY64 Project http://tty64.org  #black crew