Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Security-Assessment.com 2006 Rootkits – Advanced Malware Presented by Darren Bilby Brightstar, IT Security Summit, April 2006.

Published byTracy Weaver Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright Security-Assessment.com 2006 Rootkits – Advanced Malware Presented by Darren Bilby Brightstar, IT Security Summit, April 2006."— Presentation transcript:

1 Copyright Security-Assessment.com 2006 Rootkits – Advanced Malware Presented by Darren Bilby Brightstar, IT Security Summit, April 2006

2 Copyright Security-Assessment.com 2006 Disclaimer This presentation is not designed to scare you (but it might) Using these tools within your organisation without explicit permission is a bad idea

3 Copyright Security-Assessment.com 2006 Overview Introduction What is a rootkit? How rootkits work Rootkit capabilities Rootkit demo Detection methodologies Detection demo Mitigations Hardware rootkits Conclusion

4 Copyright Security-Assessment.com 2006 Sony Rootkit First mainstream media coverage of a rootkit Discovered by Mark Russinovich when using his rootkit detection software Sony used “rootkit” technology to protect their copy protection mechanism from users – Anything that was named $SYS was hidden from the system, even the Administrator

5 Copyright Security-Assessment.com 2006 What is a Rootkit? “A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system.“ – G. Hoglund (www.rootkit.com) A toolkit used for preservation of remote access or “root” “A tool used to protect backdoors and other tools from detection by administrators” A rootkit is not – An exploit of any kind – A virus or worm

6 Copyright Security-Assessment.com 2006 Rootkits - Why Should You Care? Your current methods for investigating a suspicious machine could be defunct If you can’t detect a backdoor on any given machine, how do you know your machine is clean? New viruses will use new rootkit technology

7 Copyright Security-Assessment.com 2006 Rootkits - How They Work To hide in a system you have to control a system Act as a gatekeeper between what a user sees and what the system sees Whoever hooks lowest wins Requires administrator privileges to install

8 Copyright Security-Assessment.com 2006 Rootkits – How They Work To hide what is taking place an attacker wants to: – Survive system restart – Hide processes – Hide services – Hide listening TCP/UDP ports – Hide kernel modules – Hide drivers

9 Copyright Security-Assessment.com 2006 Levels of Access in Windows Ring 3 – User Land – User – Administrator – System Ring 0 – Kernel Land – Drivers

10 Copyright Security-Assessment.com 2006 What Happens When You Read a File? Readfile() called on File1.txt Transition to Ring 0 NtReadFile() processed I/O Subsystem called IRP generated Data at File1.txt requested from ntfs.sys Data on D: requested from dmio.sys Data on disk 2 requested from disk.sys

11 Copyright Security-Assessment.com 2006 Userland (Ring 3) Rootkits Binary replacement eg modified Exe or Dll Binary modification in memory eg He4Hook User land hooking eg Hacker Defender – IAT hooking

12 Copyright Security-Assessment.com 2006 Kernel (Ring 0) Rootkits Kernel Hooking E.g. NtRootkit Driver replacement E.g. replace ntfs.sys with ntfss.sys Direct Kernel Object Manipulation – DKOM E.g. Fu, FuTo

13 Copyright Security-Assessment.com 2006 Kernel (Ring 0) Rootkits IO Request Packet (IRP) Hooking – IRP Dispatch Table E.g. He4Hook (some versions)

14 Copyright Security-Assessment.com 2006 Kernel (Ring 0) Rootkits Filter Drivers – The official Microsoft method Types – File system filter – Volume filter – Disk Filter – Bus Filter E.g. Clandestine File System Driver (CFSD)

15 Copyright Security-Assessment.com 2006 Current Rootkit Capabilities Hide processes Hide files Hide registry entries Hide services Completely bypass personal firewalls Undetectable by anti virus Remotely undetectable Covert channels - undetectable on the network Defeat cryptographic hash checking Install silently All capabilities ever used by viruses or worms

16 Copyright Security-Assessment.com 2006 Ring 3 Rootkit: Hacker Defender Hacker Defender – Most widely used rootkit on Windows – Hides processes – Hides TCP / UDP port bindings – Uses simple INI file configuration – Easy to detect and remove with defaults – Not too difficult to modify to avoid detection Commercial Hacker Defender No longer available

17 Copyright Security-Assessment.com 2006 Hacker Defender - Demo

18 Copyright Security-Assessment.com 2006

19 Ring 3 Rootkit: FU FU Rootkit – Utilises Direct Kernel Object Manipulation (DKOM) – Hide processes specified in a file – Escalate privileges of processes – Hooks calls and rewrites dlls in memory – Event Viewer modification – Hides device drivers Other examples: He4Hook, Klog, ShadowWalker, Adore, Suckit

20 Copyright Security-Assessment.com 2006 FU Rootkit - Demo

21 Copyright Security-Assessment.com 2006 Detecting Rootkits

22 Copyright Security-Assessment.com 2006 Common Giveaways Something weird is happening… Rootkits often cause system instability – Bluescreens on normally stable systems – Errors when you attempt to shutdown or reboot Detected bad network traffic Antivirus/IDS alerts

23 Copyright Security-Assessment.com 2006 Detection Methodologies Traditional Detection – Check integrity of important OS elements against a hash database (sigcheck) – Look for unidentified processes (task manager) – Check for open ports (netstat) Problems – Can be subverted easily

24 Copyright Security-Assessment.com 2006 Detection Methodologies Signature based – Look for known rootkits, viruses, backdoors – Antivirus – Look for “bad things” living in memory Problems – Requires updated databases – Doesn’t detect anything it hasn’t seen before

25 Copyright Security-Assessment.com 2006 Detection Methodologies Hook detection – Look for modified IAT tables – Look for inline hooks – Look for modification to important tables E.g. – VICE – System Virginity Verifier – SDT Restore – IceSword Problems – False positives – AV products

26 Copyright Security-Assessment.com 2006 How Rootkits Work - Hooking A standard application

27 Copyright Security-Assessment.com 2006 How Rootkits Work - Hooking A hooked application

28 Copyright Security-Assessment.com 2006 Detection Methodologies Code verification – Code sections are read only in all modern OSes – Programs should not modify their own code – Check to see if the files on disk match what is running in memory E.g. – System Virginity Verifier (SVV) – VICE

29 Copyright Security-Assessment.com 2006 Detection Methodologies: Code Verification

30 Copyright Security-Assessment.com 2006 Detection Methodologies Cross View Detection – Take a view of a system at a high level. e.g. Windows Explorer – Take a view of the system at a low (trusted) level. e.g. Raw Disk – Registry, Files, Processes – Compare the two Examples – Sysinternals - Rootkit Revealer – Microsoft Research – Strider Ghostbuster Problems – What if someone hooks below your “trusted” level

31 Copyright Security-Assessment.com 2006 Good Tools Sysinternals – Autoruns – Procexp – Rootkit Revealer Icesword F-Secure Blacklight System Virginity Verifier Dark Spy RKDetector

32 Copyright Security-Assessment.com 2006 Detection Demo Detecting the Hacker Defender rootkit – Rootkit Revealer – Icesword

33 Copyright Security-Assessment.com 2006 Rootkit RevealerRootkit Revealer Icesword

34 Copyright Security-Assessment.com 2006 Mitigation Don’t let an attacker get system level access… EVER! Host Intrusion Prevention Up to date antivirus and spyware protections Utilise the operating system tools available – Windows XP SP2 DEP – Vista new technology

35 Copyright Security-Assessment.com 2006 So where else can attackers hide? Hardware based rootkits Yes, they do exist in the wild!

36 Copyright Security-Assessment.com 2006 Hardware Rootkits A OS reinstall won’t save you Hard to remove. – Device is usually destroyed Difficult to implement Very hard to detect With more and more memory on devices they are becoming prevalent with time VideoCardKit (http://www.rootkit.com) – Stores code in FLASH or EEPROM EEye Bootroot – Installs in real mode via network PXE boot

37 Copyright Security-Assessment.com 2006 Conclusions Rootkit technology is an arms race Hard to tell who is winning Staying on top of developments is difficult Antivirus may catch up (one day…) Vista may solve some problems Firewalls do not provide protection

38 Copyright Security-Assessment.com 2006 Conclusions No one tool will detect all rootkits, run at least 3 tools Rootkit Revealer Fsecure Blacklight IceSword System Virginity Verifier An updated Antivirus It is impossible to re-establish trust on a compromised system If you are targeted with a custom rootkit you have very little chance of detecting it Network segregation, least privilege, internal host hardening all become extremely important

39 Copyright Security-Assessment.com 2006 Resources Windows System Internals 4 th Edition– D. Solomon, M. Russinovich Rootkits – G. Hoglund, J. Butler Primary Windows Rootkit Resource http://www.rootkit.com Joanna Rutkowska – Stealth Malware Detection http://www.invisiblethings.org F-Secure Blacklight – http://www.f-secure.com/blacklight/ Sysinternals – http://www.sysinternals.com http://www.sysinternals.com Rootkit Detector – http://www.rootkitdetector.com/

40 Copyright Security-Assessment.com 2006 Questions ? http://www.security-assessment.com darren.bilby@security-assessment.com

Download ppt "Copyright Security-Assessment.com 2006 Rootkits – Advanced Malware Presented by Darren Bilby Brightstar, IT Security Summit, April 2006."

Similar presentations

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.

1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.

1 Anti Virus vs virus System i-Specific Anti-Virus Product Ali ameen al said.
شناسايي سيستم روند نماي کلي انجام يک حملة کامپيوتري شناسايي مواضع و نقاط ضعف سيستم هدف هجوم اوليه تثبيت مواضع برنامه ريزي مرحله بعد عمليات دسترسی جلوگيري.

شناسايي سيستم روند نماي کلي انجام يک حملة کامپيوتري شناسايي مواضع و نقاط ضعف سيستم هدف هجوم اوليه تثبيت مواضع برنامه ريزي مرحله بعد عمليات دسترسی جلوگيري.
Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.

Windows Rootkits – Userland API Hooking Robert Vinson – IT Security Analyst – University of Iowa 09/06/06.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
Windows Security and Rootkits Mike Willard January 2007.

Windows Security and Rootkits Mike Willard January 2007.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.

Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Presented by Boris Yurovitsky

Presented by Boris Yurovitsky
Rootkits: Sneaky, Stealthy Toolboxes

Rootkits: Sneaky, Stealthy Toolboxes
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.

ROOT KITS. Overview History What is a rootkit? Rootkit capabilities Rootkits on windows OS Rootkit demo Detection methodologies Good tools for detection.
Copyright John “Four” Flynn 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,

Copyright John “Four” Flynn This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Root Kits and Windows Hardening Team BAM! Scott Amack Everett Bloch Maxine Major.

Root Kits and Windows Hardening Team BAM! Scott Amack Everett Bloch Maxine Major.
Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.

Antivirus Software Detects malware (not just viruses) May eliminate malware as well Often sold with firewalls Two approaches: Dictionary-based - Compares.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

Similar presentations

Ads by Google