Root-kit - Clemson


By,
Nimish Agarwal
Graduate Student,
School of Computing
Clemson







What is Root-Kit
Important Dates
Types of Root-Kit
How Root-Kit Works
Windows based Root-Kit
Detection
Removal






Root-Kit = “Root” + “Kit”.
Originally designed for Unix, where “root” is the superuser account.
Maliciously enables privileged (root) access to a computer.
Hides its presence from the administrator: its files, processes, and
network connections do not show up in the system's normal listings.
A toolkit used to preserve remote access, or root, once it has been
obtained.
A Root-Kit is not itself a virus or a worm: it does not self-replicate.
It conceals and maintains the access that an attacker or other malware
has already obtained.







1990 :- Earliest known Root-Kit, by Lane Davis and Steven Dake, for SunOS
4.1.1.
1999 :- NTRootkit, created by Greg Hoglund, was the first Root-Kit to be
written for Windows NT.
2000 :- He4Hook, designed by a Russian programmer. Behaves like a Root-Kit
and works in kernel mode, but was not written to be malicious.
2002 :- Hacker Defender, more powerful than He4Hook. Works in user
mode.
2003 :- Vanquish. Used to hide files, directories, and registry keys.
Logs passwords. Works in user mode.
2003 :- Haxdoor. Backdoor that uses Root-Kit techniques to conceal its
presence. Works in kernel mode.
2004 :- FU. A tool to conceal processes. Introduced the technique of
modifying the kernel's own data structures rather than hooking. Works
in kernel mode.
There are many more, but these early versions are the key to
understanding the evolution of the Root-Kit.

Memory RootKit
 Loaded into memory only.
 No persistent program code on disk.
 Does not survive a reboot.

Persistent RootKit
 Persistent code and storage (Registry or a system file).
 Runs without user intervention (can be started at boot).

Kernel RootKit
 Worst among all of the above.
 Modifies data structures inside the kernel.




Vulnerable system is detected and targeted.
Admin access is gained on the targeted system (the Root-Kit does not
do this itself; an exploit, stolen credentials, or a trojan does).
Root-Kit is installed.
Root-Kit is activated, either by a forced restart or by waiting for
the next scheduled restart.
Once active, it hides its components from the system's own reporting:
 Hide Processes
 Hide Services
 Hide listening TCP/UDP Ports
 Hide Kernel Modules
 Hide Drivers


Kernel Mode Root-Kit :- runs in Ring 0.
User Mode Root-Kit :- runs in Ring 3.

 Ring 0 :- Kernel Mode
 Ring 1 :- Device Drivers
 Ring 2 :- Device Drivers
 Ring 3 :- Applications

Ring 0 is the most privileged and Ring 3 is the least
privileged. Windows uses only Ring 0 (kernel mode) and Ring 3 (user
mode); its device drivers run in Ring 0 alongside the kernel, which is
why a kernel-mode Root-Kit is usually installed as a driver.






Operates in Ring 3.
Hooks in user or application space.
Hijacks the predefined path a program follows to reach a system
call (for example the API exported by a system DLL).
Done by modifying or injecting a library (DLL) into the target
process.
Must patch every program running in user space, since each process
has its own copy of the library and its import tables.
Monitors for any new application and patches it before it fully
executes.
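To make the user-mode hooking above concrete, here is an added example (my own code, not from the slides and not from any real rootkit). It models the hijacked call path in portable C: a program calls through an "import table" slot, the rootkit overwrites that slot with its own function, forwards the call to the genuine one, and drops the directory entries that would reveal it. The names `os_list_dir`, `hooked_list_dir`, `dir_command` and the directory contents are constructed stand-ins, not Windows APIs; on Windows the same idea is applied to the import address table or by inline-patching an API such as FindNextFile.

```c
/* Added example, not from the original slides: a portable model of a
 * user-mode (Ring 3) rootkit hook. The "import table" is a struct of
 * function pointers and the "file system" is a constructed in-memory
 * listing; os_list_dir, hooked_list_dir and the entry names are
 * hypothetical stand-ins, not Windows APIs. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
#define NAME_LEN 32

/* Constructed sample directory: what the file system really contains. */
static const char *RAW_DIR[] = { "docs", "rootkit", "windows", "rootkit.dll" };
#define RAW_COUNT ((int)(sizeof RAW_DIR / sizeof RAW_DIR[0]))

typedef int (*list_dir_fn)(const char *path, char out[][NAME_LEN], int max);

/* The genuine API: copies the raw listing into out[], returns the count. */
static int os_list_dir(const char *path, char out[][NAME_LEN], int max) {
    (void)path;
    int n = 0;
    for (int i = 0; i < RAW_COUNT && n < max; i++)
        snprintf(out[n++], NAME_LEN, "%s", RAW_DIR[i]);
    return n;
}

/* Model of the process's import table: the slot a program calls through
 * when it asks the OS for a listing (like dir's call into kernel32.dll). */
static struct { list_dir_fn list_dir; } import_table = { os_list_dir };

static list_dir_fn original_list_dir;      /* saved so the hook can forward */
static const char HIDE_PREFIX[] = "rootkit";

/* The rootkit's replacement: call the real function, then filter. */
static int hooked_list_dir(const char *path, char out[][NAME_LEN], int max) {
    int n = original_list_dir(path, out, max);
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(out[i], HIDE_PREFIX, sizeof HIDE_PREFIX - 1) == 0)
            continue;                       /* drop entries that reveal it */
        if (kept != i)
            memcpy(out[kept], out[i], NAME_LEN);
        kept++;
    }
    return kept;
}

/* The "injection" step: overwrite the import slot so every later call
 * through the table is hijacked. Idempotent, as a real hook must be. */
void install_hook(void) {
    if (import_table.list_dir == hooked_list_dir)
        return;
    original_list_dir = import_table.list_dir;
    import_table.list_dir = hooked_list_dir;
}

void remove_hook(void) {
    if (import_table.list_dir == hooked_list_dir)
        import_table.list_dir = original_list_dir;
}

/* What a program such as `dir c:\` sees: it never calls os_list_dir
 * directly, only whatever the import slot currently points to. */
int dir_command(const char *path, char out[][NAME_LEN], int max) {
    memset(out, 0, (size_t)max * NAME_LEN);
    return import_table.list_dir(path, out, max);
}

/* Integrity check a detector can make: the import slot should still point
 * at the function it was bound to at load time. Returns 1 if redirected.
 * (Real tools compare the slot against the on-disk DLL's export.) */
int import_slot_is_hooked(void) {
    return import_table.list_dir != os_list_dir;
}

int main(void) {
    char out[MAX_ENTRIES][NAME_LEN];
    int n = dir_command("c:\\", out, MAX_ENTRIES);
    printf("before hook: %d entries\n", n);
    install_hook();
    n = dir_command("c:\\", out, MAX_ENTRIES);
    printf("after hook:  %d entries, slot hooked = %d\n", n, import_slot_is_hooked());
    for (int i = 0; i < n; i++)
        printf("  %s\n", out[i]);
    return 0;
}
```

The point of `import_slot_is_hooked()` is that the hook has to live somewhere a detector can see: a pointer that no longer targets the module it was bound to, or code bytes at an API entry that no longer match the file on disk, is exactly what integrity checkers such as the ones listed later look for.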





Hooking or modification in kernel space.
Ideal place for a Root-Kit, since it is the lowest level: everything
in user mode, including the detection tools, depends on what the
kernel reports.
The kernel's system call entry can be reached through an interrupt
(INT 2E on older Windows) or through the Model Specific Registers that
set up the fast SYSENTER path; a Root-Kit can redirect either one.
System Service Descriptor Table (SSDT) :- a function pointer table in
kernel memory; replacing an entry redirects that system call to
Root-Kit code.
Direct Kernel Object Manipulation (DKOM) :- modify the data
structures in kernel memory themselves (for example unlink a process
from the kernel's process list), so nothing is hooked and there is no
patched pointer to find.
[Figure: user-mode Root-Kit hooking a directory listing. The user runs
`dir c:\`. The command calls the Windows DLL, but the DLL has been
patched (“tricked”) so that the call goes to the Root-Kit DLL instead.
The Root-Kit forwards the request (ReadFile() / NTFS command) to
Windows, which returns the real contents of C:\ (docs, rootkit,
windows). The Root-Kit filters the results to hide itself, so `dir`
displays only docs and windows.]
Methods to detect the presence of a Root-Kit are as
follows:
 Alternative trusted medium
 Behavioral based
 Signature based
 Difference based
 Memory dumps




Alternative Trusted Medium :- Shut down the
infected system and examine its storage from a
trusted machine or a clean boot medium. Almost all
Root-Kits can only hide while they are running; when
the infected OS is not active, the hidden files and
registry keys are plainly visible.
Behavioral Based :- Infers a Root-Kit from Root-Kit-like
behaviour (for example redirected API entries, or
anomalies in call timing and instruction counts).
Complex, with a high incidence of false positives.
Signature Based :- Antivirus scanning that matches
known fingerprints of Root-Kit code; a scanner that
hides its own presence from the Root-Kit is harder
for it to evade. Effective against well-published
Root-Kits, not against new or modified ones, and an
active Root-Kit can feed the scanner filtered data.

Difference Based :- Compares trusted raw data
(read directly from the disk, a registry hive, or
kernel memory) with what the same query returns
through the normal API. Anything present in the raw
view but missing from the API view has been filtered
by the Root-Kit. Also called cross-view detection.
Memory Dumps :- Take a memory dump of the
entire system and analyse it offline, so the
Root-Kit cannot take any measures to cloak itself
while it is being examined.
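The DKOM technique from the kernel-mode section and the difference-based (cross-view) detection described above are two sides of the same thing, so one added example covers both (my own code, not from the slides, not from FU, and not Windows internals). Windows keeps each process's EPROCESS in a doubly linked list that process enumeration walks, while the scheduler reaches threads through other structures; a process spliced out of that list keeps running but disappears from Task Manager. The example models that with a constructed `struct proc` and a static "pool" standing in for kernel memory, then detects the hidden process by comparing the list walk with a raw scan of the pool, which is what a memory-dump analyser or a difference scanner does. All names, PIDs and the process table are constructed for the example.

```c
/* Added example, not from the original slides: a portable model of
 * Direct Kernel Object Manipulation (DKOM) and of cross-view detection.
 * struct proc, the pool, the list head and the sample processes are
 * constructed stand-ins for EPROCESS, kernel pool memory and
 * PsActiveProcessHead, not the real Windows structures. */
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 8

struct proc {                       /* stand-in for EPROCESS */
    int pid;
    char name[16];
    struct proc *flink, *blink;     /* stand-in for ActiveProcessLinks */
};

/* Kernel "pool": every process object lives here whether or not it is
 * linked. A scan of memory sees this; a walk of the list does not. */
static struct proc pool[MAX_PROCS];
static int pool_used;
static struct proc head;            /* list head: the anchor enumeration starts from */

void init_process_list(void) {
    pool_used = 0;
    memset(&head, 0, sizeof head);
    head.pid = -1;
    head.flink = head.blink = &head;
}

/* Allocate a process object from the pool and link it at the tail. */
struct proc *create_process(int pid, const char *name) {
    if (pool_used >= MAX_PROCS)
        return NULL;
    struct proc *p = &pool[pool_used++];
    p->pid = pid;
    snprintf(p->name, sizeof p->name, "%s", name);
    p->blink = head.blink;
    p->flink = &head;
    head.blink->flink = p;
    head.blink = p;
    return p;
}

/* DKOM: splice the object out of the list but leave the object itself
 * intact, so the process keeps running. Pointing the orphan's links at
 * itself keeps a later unlink (e.g. at process exit) from corrupting
 * the list, which is the same precaution FU takes. */
void dkom_hide_process(struct proc *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;
}

/* The "API view": what an enumeration that walks the list reports. */
int list_view(int *pids, int max) {
    int n = 0;
    for (struct proc *p = head.flink; p != &head && n < max; p = p->flink)
        pids[n++] = p->pid;
    return n;
}

/* The "raw view": a scan of the pool, as an offline memory-dump
 * analyser does when it searches memory for process objects. */
int raw_view(int *pids, int max) {
    int n = 0;
    for (int i = 0; i < pool_used && n < max; i++)
        pids[n++] = pool[i].pid;
    return n;
}

/* Difference-based (cross-view) detection: a pid present in the raw
 * view but absent from the API view has been hidden. Returns the
 * number of hidden pids written to hidden[]. */
int cross_view_detect(int *hidden, int max) {
    int lv[MAX_PROCS], rv[MAX_PROCS];
    int ln = list_view(lv, MAX_PROCS), rn = raw_view(rv, MAX_PROCS);
    int n = 0;
    for (int i = 0; i < rn && n < max; i++) {
        int seen = 0;
        for (int j = 0; j < ln; j++)
            if (lv[j] == rv[i]) { seen = 1; break; }
        if (!seen)
            hidden[n++] = rv[i];
    }
    return n;
}

int main(void) {
    init_process_list();
    create_process(4, "System");                          /* constructed */
    create_process(1234, "explorer.exe");                 /* constructed */
    struct proc *mal = create_process(1337, "backdoor.exe"); /* constructed */
    dkom_hide_process(mal);
    int hidden[MAX_PROCS];
    int n = cross_view_detect(hidden, MAX_PROCS);
    printf("hidden processes: %d\n", n);
    for (int i = 0; i < n; i++)
        printf("  pid %d\n", hidden[i]);
    return 0;
}
```

Note what the detector does not need: it never looks for a hook, because DKOM installs none. It only needs a second way of reaching the same objects that the Root-Kit did not alter, which is why the slides list raw disk or memory access, and offline memory dumps, as the trustworthy side of the comparison.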

There are a lot of tools that can be used for
detection and removal of Root-Kits.

Behavioral Detection
 PatchFinder
 VICE

Signature Scanner
 Antivirus and Anti-Spyware Applications

Integrity Checker
 Tripwire
 Microsoft Strider Troubleshooter

Difference Scanner
 Microsoft Strider GhostBuster
 F-Secure BlackLight

Apart from the tools mentioned above, there are
some techniques that can be used.

Clean from another kernel: boot a trusted OS and remove
the Root-Kit's files, drivers, and registry entries while
it is not running.
Use technologies that revert the machine to a previous
known-good state (snapshots, re-imaging), if the
environment allows.
Many experts hold that once a machine has been
compromised at this level, the only method that can be
trusted is a low-level format followed by a rebuild from
known-good media.
Thank You



