Transcript Hacker Attack Methods

Prepared by
CMS Consulting Inc.
Confidential
:
CMS Consulting Inc.
Hidden Rootkits in Windows
Presented by:
Brian Bourne, CISSP, MCSE:Security
DISCLAIMER
• The contents of this presentation are the property of
CMS Consulting Inc. No portion, in whole or in part
can be used without the express written consent of
CMS. You may email [email protected] for permission to
re-post or re-use any of this content.
CMS Consulting Inc.
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange - SMS - ISA
MOM - Clustering - Office – Desktop Deployment - SQL –
Terminal Services - Security Assessments - Lockdown – Wireless
Training by Experts for Experts
MS Infrastructure – Security - Vista and Office Deployment
Visit us online: www.cms.ca
Downloads – Resources – White Papers
For Security Solutions
For Advanced Infrastructure
For Network Solutions
For Information Worker
AGENDA
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
What is a rootkit?
Kernal mode vs user mode
Popular and New rootkits
History of Rootkits
What can they hide
DEMO – Hacker Defender Anatomy 101
How they hide and go undetected
DEMO - Hacker Defender In Action!
DEMO – Covert Channels
DEMO – FUTo
Detection, Protection and Removal
DEMO – Detection
Hardware Virtualization Rootkits
Vista
Trends
Overview
What is a rootkit?
• A root kit is a set of tools used by an intruder after
cracking a computer system. These tools can help
the attacker maintain his or her access to the
system and use it for malicious purposes.
Root kits exist for a variety of operating systems
such as Linux, Solaris, and versions of Microsoft
Windows
Reference: http://en.wikipedia.org/wiki/Rootkit
Types of rootkits 1 of 3
Persistent Rootkits
A persistent rootkit is one associated with malware
that activates each time the system boots. Because
such malware contain code that must be executed
automatically each system start or when a user logs
in, they must store code in a persistent store, such as
the Registry or file system, and configure a method by
which the code executes without user intervention.
Memory-Based Rootkits
Memory-based rootkits are malware that has no
persistent code and therefore does not survive a
reboot.
Types of rootkits 2 of 3
User-mode Rootkits
There are many methods by which rootkits
attempt to evade detection.
Example:
• a user-mode rootkit might intercept all calls to the
Windows FindFirstFile/FindNextFile APIs, which
are used by file system exploration utilities,
including Explorer and the command prompt, to
enumerate the contents of file system directories.
• When an application performs a directory listing
that would otherwise return results that contain
entries identifying the files associated with the
rootkit, the rootkit intercepts and modifies the
output to remove the entries.
Types of rootkits 3 of 3
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful
since, not only can they intercept the native API in
kernel-mode, but they can also directly manipulate
kernel-mode data structures. A common technique for
hiding the presence of a malware process is to remove
the process from the kernel's list of active processes.
Since process management APIs rely on the contents
of the list, the malware process will not display in
process management tools like Task Manager or
Process Explorer.
Reference: http://www.sysinternals.com
Windows Architecture
Applications
·
Explorer
·
Task manager
·
User applications
Subsystems
·
OS/2
·
POSIX
·
Windows
·
Windows DLLs
Services
·
Services.exe
·
Spoolsvc.exe
·
Svchost.exe
·
Winmgt.exe
System Processes
·
LSASS
·
Service Control Manager
·
Session manager
·
Winlogon
Ring 3
User Mode
NTDLL.DLL
Ring 0
Kernel Mode
System threads
System Service Dispatcher
(Kernel mode callable interfaces)
I/O
Manager
File
System
Cache
Config
Manager
(registry)
Device &
File Sys
Drivers
Local
Procedure
Call
Object
Manager
Plug &
Play
Kernel
Hardware Abstraction Layer
Reference: http://www.microsoft.com
Processess
& Threads
Security
Reference
Monitor
Virtual
Memory
Windows
USER,
GDI
Graphics
drivers
History of Rootkits
First
Generation
Second
Generation
Fifth
Generation
Third
Generation
Fourth
Generation
Primitive
Binary file replacement (password logging / UNIX)
Hiding traces/tracks (log cleaners)
More advanced hiding - “stealthy”
(Hxdef,HE4Hook)
Hardware Virtualization
Hooking techniques
Direct dynamic manipulation of kernel
structures (FU)
Difficult for detection software to identify
Advanced Memory hooking/hiding (Shadow
Walker)
Used in collusion with 3rd Generation rootkit
Extremely “stealthy”
Reference: http://www.phrack.org/archives/63/p630x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt
Popular Rootkits
•
•
•
•
•
AFX Rootkit 2005
FU
Hacker Defender
HE4Hook
NT Root
•
•
•
•
NTFSHider
NTIllusion
Vanquish
Winlogon Hijack
New Rootkits
•
•
•
•
•
FUTo
KIrcBot
SubVirt
Shadow Walker
BluePill (PoC)
Commercial Stealth
Commercially available products that use rootkit type technologies.
• Sony DRM
• Mr. & Mrs. Smith DVD
(Alpha-Disc DRM)
• Norton System Works
• Hide Folders XP
• Tracking and Monitoring
software
What can they hide
•
•
•
•
•
•
•
•
•
Covert Channels
Custom GINA’s
Files and Directories
Processes
Registry Keys
Services
TCP/UPD ports
Memory pages (New)
VM’s (New)
How they hide and go undetected
•
•
•
•
•
•
Kernel Native API hooking
User Native API hooking
Dynamic Forking of Win32 EXE
Direct Kernel Object Manipulation (DKOM)
Interrupt Descriptor Table Hooking
Memory Hooking (Shadow Walker)
Reference: www.security.org.sg / www.hbgary.com / www.rootkit.com
DEMO Network
Windows Server 2003
SMTP Service
Domain Controller
IP: 172.16.0.1
rk-win2k3.domain.com
Windows XP
IP: 172.16.0.x
rk-winxp.domain.com
172.16.0.x
Windows Server 2003
ISA 2004 Firewall
IP: 172.16.0.10
rk-isa.domain.com
IP: 10.10.8.100
Internet
Windows XP
IP: 10.10.8.200
winxp.attacker.com
DEMO Introduction
• Hacker Defender - Anatomy 101
– Hxdef100.exe
– Hxdef100.ini
– Hxdefdrv.sys (Embedded in hxdef100.exe)
– Rdrbs100.exe
– Rdrbs100.ini
– Bdcli100.exe
Reference: http://hxdef.czweb.org
DEMO
Hacker Defender – In Action!
• Security Compromise - Exploit
• Avoiding Antivirus Detection
• Hiding Folders/Files
• Hiding Services
• Hiding TCP Ports
Hacker Defender – Covert Channel
• Backdoor shell access via SMTP
Covert Channel Summary
Backdoor Client
Internet
1
Port 25 is intercepted by Backdoor
2
Normal email is sent to the SMTP service
3
4
Firewall
1
2
3
Backdoor
Server
Intercept
TCP:25
4
Remote
Shell
TCP:100
Special 256 bit key is sent
SMTP
Service
TCP:25
Remote Shell on TCP:100 started
Windows 2003
DEMO
FUTo
• Security Compromise - Exploit
• Avoiding Antivirus Detection
• Changing Security Token
• Hiding Process
Detection
How to detect rootkits?
Darkspy
1.0.5
F-Secure BlackLight Beta
2.2.1050
GMER
1.0.11.11390
IceSword
1.20
KProcCheck
0.2-beta2
Malicious Software Removal Tool
V1.21 10/10/2006
Process Magic by WinEggDrop
V1.0
RootKit Shark
3.11
RootkitRevealer
1.7
Strider (Microsoft)
beta
System Virginity Verifier
2.3
Windows Defender
Beta 2
UnHackMe
3.1
DEMO
Detecting rootkits
• F-Secure Blacklight
• GMER
• Rootkit Revealer
• IceSword
Detection Results
Version
AFX Rootkit 2005
FU
Hacker
Defender
Vanquish
2.2.1037
Yes
Yes
Yes
Yes
Flister
0.1
Yes
No *1
Yes
Yes
Need to type in the exact dir path
Keensense
2.0
Yes
Yes
Yes
No
Installs system driver and requires a
reboot. Unstable.
3.150
Yes
Yes
Yes
Yes
Install requires a reboot. All Global
Protection optiosn manually turned on.
Needs to “learn” a baseline of the system.
1.0.10.10111
Yes
Yes
Yes
Yes
Choice of reboot for advanced features
IceSword
1.18
Yes
Yes
Yes
Yes
Choice of reboot for advanced features
Rootkit Revealer
1.55
Yes
No
Yes
Yes
Strider
beta
Yes
No *1
Yes
Yes
Name
Blacklight
Process Guard
GMER
Notes
Hidden directory/file compare of
comprimised state and clean state from a
WinPE boot CD using windiff.
*1 Could not detect FU because it does not hide folders/files. Only processes.
Detection Summary
• All “stock” rootkits discovered with various detection
tools
• Custom recompiled rootkits by pass antivirus
detection
• Commercially available customized
rootkits that hide files, services,
processes, registry keys would
not be detected in the
compromised OS
Hardware Virtualization Rootkits
• Dino Dai Zovi presented an essentially
undetectable hypervisor rootkit using:
• Intel VT processor
• Mac OS-X
• “Vitriol” to be demo’d at BlueHat
• Joanna Rutkowska presented an essentially
undetectable hypervisor rootkit using:
• AMD Pacifica processor
• Microsoft Vista Beta 2
• SUMMARY: THIS IS NOT AN AMD OR
INTEL NOR VISTA OR MAC ISSUE!
Hardware Virtualization Rootkits
• Preventing detection was a design goal:
– – “There is no software-visible bit whose setting indicates whether a
logical processor is in VMX non-root operation. This fact may allow a
VMM to prevent guest software from determining that it is running in
a virtual machine” -- Intel VT-x specification
• The design goals of AMD and Intel were to provide full
virtualization. This means FULL virtualization.
• There is no hardware bit or register that indicates that the
processor is running in VMX non-root mode
• Read Dino and Joanna’s presentations for details regarding
new CPU instructions and how hypervisors work.
Bypassing Vista Kernel
Signed Drivers
• Well Joanna did have some extra complexity to deal with
because of Vista requiring all kernel drivers to be signed.
• Essentially, she figured out a way to cause it to page out
null.sys, then modified the pagefile.sys directly using raw
disk access to get Vista to run her rootkit. The process:
– Allocate lots of memory to cause unused drivers code to be
paged
– Replace the paged out code (inside pagefile) with some
shellcode
– Ask kernel to call the driver code which was just replaced
• “Fixed” in Vista RC2 – by disabling raw disk access from
user mode (including administrator)
BP Detection
• Some ideas for BluePill detection were presented by both
Dino and Joanna. Essentially they are:
– Attempt to use VMX to create a VM
• Bluepill a box with Bluepill – although this exception could be handled
and the second Bluepill to run would end up being virtualized also)
– Attempt to detect VM exit latency
• Dino demo’d using CPUID, but a number of instructions cause a VM
Exit and you could measure latency. Although the timer could be
altered by the Bluepill and hence would require an external time
source. How could is your stop watch?
– Joanna came up with an undisclosed method to blue screen a
BluePill’ed box, but that’s not really great detection.
Hardware Virtualization Rootkits Bottom line
• Arbitrary code can be injected into Vista x64 kernel despite code
signing requirement, and in really any other operating system.
• This could be abused to create “Blue Pill” based malware on
processors supporting virtualization
• BP installs itself on the fly and does not introduce any modifications
to BIOS nor hard disk
• BP can be used in many different ways to create the actual malware
• BP should be undetectable in any practical way (when fully
implemented)
• Blocking BP based attacks on software level will also prevent ISVs
from providing their own VMMs and security products based on
SVM technology
• Changes in hardware (processor) could allow for easy BP detection
Protection
• Defence in Depth practices!
• Application Layer firewalls
• Add rootkit detection and removal software to
your toolkit
• Baseline your systems in another kernel (WinPE)
using the Microsoft Strider technique for
comparing modified/added binaries
on a regular basis
Removal
• Rootkit removal tools (eg. “Unhackme” by Greatis
Software, F-Secure Blacklight, GMER, IceSword)
• Clean from another kernel (eg. BackTrack, WinPE, etc)
• Use technology that reverts back to a previous state if
your environment allows for it:
–
–
–
–
–
•
Undo disks in Microsoft Virtual PC/Server
Microsoft Shared Computer Toolkit v1.1
Faronics Deep Freeze
Symantec Norton GoBack
Winternals Recovery Manager
Once a machine has been compromised, the
only true cleaning method is to low-level format and reload!
Trends 1 of 2
It’s a cat and mouse game
• As rootkit detection methods/signatures are updated; so are the
techniques/methods of the rootkits evading detection; just like
viruses but much more sophisticated
• Encrypting the memory pages where the rootkit is running to
avoid detection
• Polymorphism
• Spyware and Viruses utilizing functions of rootkits to hide their
presence and payload; This has already happened and will
continue to escalate to an extremely “stealthy” version
Trends 2 of 2
• Memory Hiding (e.g. Shadow Walker)
• Using other system writeable memory locations.
(e.g. VideoCardKit, MTDWin, ACPI, BIOS)
• Boot sector rootkits (e.g. BootRootKit)
• Virtual Machine rootkits
• Database rootkits
(presented in concept by Alexander Kornbrust at BH2005)
• Hardware based rootkit detection
– Intel Rootkit detection (Code name: LaGrande)
• TPM (Trusted Platform Module)
– Co-Pilot (PCI card) http://www.komoku.com
VISTA
· Windows Defender (Beta 2)
· Microsoft plans to move device drivers out of the kernel
and in to the user level.
· Address Space Layout Randomization (ASLR)
· Digital Signatures for Kernel Modules on x64-based
Systems Running Windows Vista
· Microsoft Patch Guard on x64 Based Systems
Reference: http://www.microsoft.com
Need to Know
Prevention
Response
Learn
More
Stop rootkits from entering and executing in your
environment.
Non-critical systems can be cleaned and/or
reloaded.
Critical systems require professional assistance,
particularly if forensic evidence is desired.
http://www.rootkit.com
http://www.antirootkit.com
Participate in the Toronto Area Security Klatch
http://www.task.to
CMS Training Offerings
• INSPIRE Infrastructure Workshop
– 4 days of classroom training - demo intensive
AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
• Business Desktop Deployment – Deploying Vista/Office
– 3 days of classroom training - hands on labs (computers provide)
Business Desktop Deployment Concepts, Tools, Processes, etc. Vista
and Office
• Securing Internet Information Services
• Securing ActiveDirectory
• Securing Exchange 2003
– 1 day classroom training per topic
TRAINING BY EXPERTS FOR EXPERTS
Contacting Us.
• Brian Bourne, President – [email protected]
• Robert Buren, VP Business Development – [email protected]
CMS Consulting Inc. – http://www.cms.ca/
CMS Training – http://www.cms.ca/training/
Toronto Area Security Klatch – http://www.task.to/