Recent Rootkit History


Rootkits

What are they?

What do they do?

Where do they come from?

Introduction

Bill Richards
• Adjunct Professor at Rose since 2004
• Defense Information Systems Agency, Defense Enterprise Computing Center – Oklahoma City (Tinker AFB) since 1995
• Network Security Officer since 2002
• Responsible for the security of 9 remote networks:
  45+ mainframes (IBM, UNISYS and TANDEM)
  1400+ mid-tier servers (UNIX and Windows)
  400+ network devices (Cisco, Juniper, Sidewinder, BigIP, etc.)

Rootkits are a serious threat to network and system security, and most administrators know little about them.

Defining characteristic is Stealth
• Viruses reproduce but rootkits hide!

• Difficult to detect
• Difficult to remove
• Carry a variety of payloads: key loggers, password sniffers, remote consoles, back doors, and more!!!

What is a Rootkit?

The term rootkit is old and pre-dates MS Windows. It gets its name from the UNIX superuser UserID, root (aka administrator for windoze users). A rootkit does not typically cause deliberate damage.

What is a Rootkit?

A collection of files designed to evade normal detection by hiding processes, ports, files, etc.

Typically used to hide malicious software from detection while simultaneously collecting information:
• userids
• passwords
• IP addresses, etc.

Some rootkits phone home and/or set up backdoors.

What is a Rootkit?

A rootkit by itself does NOT compromise a host. A vulnerability must be exploited to gain access to the host before a rootkit can be deployed. The purpose of a rootkit is NOT to gain access to a system but, after being installed, to preserve existing access and support the goals of the bad guy.

Recent Rootkit History

NAME               OS       Discovered
Troj/Stex-A        Windows  10-Nov-06
Troj/NTRootK-AS    Windows  8-Nov-06
Troj/RusDrp-D      Windows  7-Nov-06
Troj/Lager-R       Windows  7-Nov-06
Troj/Shellot-L     Windows  6-Nov-06
Troj/Dloadr-APN    Windows  4-Nov-06
Troj/Agent-DPN     Windows  4-Nov-06
Troj/Small-DLH     Windows  4-Nov-06
Troj/NetAtk-Gen    Windows  2-Nov-06
Troj/Goldun-EH     Windows  2-Nov-06
Linux/Rootkit-V    Linux    Jan-06
SunOS/Rootkit-B    SunOS    Dec-05

Aliases listed for these entries: TROJ_DLOADER.ESG, Generic RootKit.a, Win32/Rustock.NAE, Trojan-Downloader.Win32.Tiny.eo, Win32/TrojanDropper.Small.APR, Win32/TrojanClicker.Small.KJ, Backdoor.Win32.Zosu.a; the remaining entries have no alias listed (~).

Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm

Rootkit History 1998 to 2002

NAME                  OS       Discovered
Troj/RootKit-I        SunOS    Nov-02
Linux/Rootkit-FKit    Linux    Nov-02
FreeBSD.Rootkit       FreeBSD  Oct-02
Linux/Kokain          Linux    Aug-02
Troj/Rootkit-A        Linux    Jun-02
Troj/Rootkit-C        Linux    Feb-02
Beastkit 7.0          Linux    Jan-02
Linux/RootKit-BTM     Linux    Oct-01
Hacktool.Rootkit      Windows  Sep-01
Linux/Rootkit         Linux    Apr-01
Troj/Lrk4             Linux    Mar-01
Troj/T0rn-Kit         Linux    Mar-01
Linux/Rootkit-Knark   Linux    Mar-01
Linux/Rootkit-Lrk     Linux    Nov-98

Alias listed: Backdoor.HackDefender; the remaining entries have no alias listed (~).

Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm

How rootkits work

• A vulnerable system is detected and targeted (unpatched, zero-day exploit, poor configuration, etc.)
• The targeted host is exploited via automated or manual means
• Root or Administrator access is obtained
• Payload is installed
• Rootkit is activated and redirects system calls
  • Prevents the OS from “seeing” rootkit processes and files, EVEN AFTER the host is patched and the original malware is removed

How rootkits work

[Diagram: a “dir c:\” command calls ReadFile() in a system DLL. The DLL has been “tricked” into thinking it can’t execute the command and calls the rootkit DLL instead. NTFS returns docs, rootkit, windows; the rootkit filters the results to hide itself, so the user sees only docs and windows.]

Common Windows rootkits

Hacker Defender (Hxdef)
• A rootkit for Windows NT 4.0, Windows 2000 and Windows XP
• Avoids antivirus detection
• Is able to hook into the Logon API to capture passwords
• The developers accept money for custom versions that avoid all detectors

FU
• Nullifies Windows Event Viewer
• Hides device drivers
• Recently added “Shadow Walking” (read Phrack 63)

Common UNIX rootkits

SucKIT

• Loaded through /dev/kmem
• Provides a password-protected remote access connect-back shell initiated by a spoofed packet
• This method bypasses most firewall configurations
• Hides processes, files and connections

Adore

• Hides files, processes, services, etc.
• Can execute a process (e.g. /bin/sh) with root privileges
• Controlled with a helper program, ava
• Cannot be removed by the rmmod command

kis

• A client/server system to remotely control a machine, with a kernel rootkit as the server on the remotely controlled machine • It can hide processes, files, connections, redirect execution, and execute commands. • It hides itself and can remove security modules already loaded

Detection & Removal

Detection that doesn’t always work:

Antivirus (Norton, McAfee, AVG, etc.)

Anti-Spyware (AdAware, Giant, Spybot, etc.)

Port Scanning

Manually Looking

Detection that can work:

Sudden System Instability/Sluggishness

Sudden Spike in Traffic

MS RootkitRevealer

F-Secure Black Light

Detection & Removal

[Diagram: “list running processes” goes through a “hooked” DLL on the compromised OS; the rootkit answers “nothing to see here”.]

“Online” detection (ex: virus scans) relies on the OS’s API to report files and processes. The API has been “hooked,” however, so the rootkit remains concealed.

Detection & Removal

[Diagram: Black Light, Rootkit Revealer, etc. ask the compromised OS to “list running processes”. Through the “hooked” DLL the answer is “nothing found”; through the tool’s alternate API the answer is “something found”. Results != → possible rootkit.]

Rootkit detection compares the results of the OS’s API with the results of a clean API (raw) provided by the tool. Discrepancies are potentially rootkits.

Detection & Removal

[Diagram: “list running processes” is issued from an alternate OS (Knoppix, WindowsPE, W.O.L.F., etc.) against the compromised OS’s disk; the result is “rootkit detected”.]

“Offline” detection uses a different OS to report files and processes. If the alternate OS is clean, the rootkit will be detected.
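The cross-view check behind the “alternate API” and “alternate OS” slides, and the filtered “dir c:\” listing from the “How rootkits work” diagram, as one added example (not code from the deck or from any of the tools it names). The hooked functions stand in for the “tricked” DLL; the raw tables stand in for what NTFS and the kernel really hold; the hide prefix and all sample names are constructed assumptions.

```python
# Added example: simulated cross-view rootkit scan. The "hooked" functions
# play the tricked DLL that filters its own entries out of the API view;
# the scan compares that view with the raw view, the way an alternate-API
# or alternate-OS detector does. All data is constructed for this example.
from dataclasses import dataclass

HIDE_PREFIX = "rootkit"  # assumption: the rootkit hides every name starting with this

# Raw view: what NTFS and the kernel really hold (constructed sample data)
RAW_FILES = {"c:\\": ["docs", "rootkit", "windows"],
             "c:\\windows\\system32": ["kernel32.dll", "rootkit.sys", "ntdll.dll"]}
RAW_PROCS = {4: "System", 620: "lsass.exe", 1337: "rootkit_svc.exe", 2048: "explorer.exe"}

def hooked_listdir(path):
    """The hooked ReadFile()/dir path: raw listing minus the rootkit's own files."""
    return [n for n in RAW_FILES.get(path, []) if not n.lower().startswith(HIDE_PREFIX)]

def hooked_proclist():
    """The hooked process enumeration: raw table minus the rootkit's processes."""
    return {p: n for p, n in RAW_PROCS.items() if not n.lower().startswith(HIDE_PREFIX)}

@dataclass(frozen=True)
class Discrepancy:
    kind: str     # "file" or "process"
    where: str    # directory or pid
    name: str
    hidden: bool  # True = present in raw view but missing from the API view

def cross_view_scan(api_listdir, raw_files, api_procs, raw_procs):
    """Report every entry on which the API view and the raw view disagree."""
    found = []
    for path, raw in raw_files.items():
        api = set(api_listdir(path))
        found += [Discrepancy("file", path, n, True) for n in raw if n not in api]
        # Entries only in the API view are not hidden (usually a race between the
        # two enumerations); report them, but flagged differently.
        found += [Discrepancy("file", path, n, False) for n in api - set(raw)]
    api = api_procs()
    found += [Discrepancy("process", str(p), n, True) for p, n in raw_procs.items() if p not in api]
    found += [Discrepancy("process", str(p), n, False) for p, n in api.items() if p not in raw_procs]
    return found

def hidden_names(findings):
    """Names present on disk / in the kernel that the hooked API does not report."""
    return sorted(f.name for f in findings if f.hidden)

if __name__ == "__main__":
    for d in cross_view_scan(hooked_listdir, RAW_FILES, hooked_proclist, RAW_PROCS):
        print(f"{d.kind:8}{d.where:24}{d.name:18}{'HIDDEN' if d.hidden else 'api-only'}")
```

Feeding the scan an unhooked API (one that returns the raw tables) yields no discrepancies, which is the “clean” baseline a real detector expects; a clean offline view from a boot CD plays the same role as the raw tables here.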

Detection & Removal

Only 100% sure removal:
• Format the drive and do a clean install

Some tools can remove some rootkits
• But what was hidden may not get cleaned
• You cannot trust a system that’s been rootkit’ed

Passwords on the rootkit’ed system are suspect
• So change your passwords on the clean host

Prevention

Keep hosts updated
• OS
• Applications

Limit host exposure
• Un-needed services

Use Firewalls

Situational Awareness
• CERT, Bugtraq, security Web sites, etc.

Some Reference Sites

http://www.rootkit.com

http://www.packetstormsecurity.org

http://www.rootkit.nl

Questions?