Rootkits

Students: Jacek Czeszewski and Marcos Verdini Rosa
Professor: José Manuel Magalhães Cruz

o Introduction
o How a rootkit works
o Detection
o Preventing and Removing
o Attack damage
o References

A rootkit is a suite of one or more programs that allows a third party to hide files and activities from the administrator of a computer system.

The original intent of rootkits (1996) appears to have centered simply on hiding programs that would allow an attacker to “sniff” or spy on traffic going to and from a computer system.

• Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents.
• Conceal other malware, notably password-stealing key loggers and computer viruses.
• Appropriate the compromised machine as a zombie computer for attacks on other computers.
• Enforcement of digital rights management (DRM).
• Conceal cheating in online games.
• Detect attacks, for example, in a honeypot.
• Enhance emulation software and security software.
• Anti-theft protection.
• Bypassing Microsoft Product Activation

• User mode
• Kernel mode
• Bootkits
• Hypervisor level
• Hardware/Firmware

User mode
• runs in Ring 3
• many installation vectors
• made to execute inside any target process or to overwrite the memory of a target application

Kernel mode
• runs in Ring 0
• adding code or replacing portions of the core operating system, including both the kernel and associated device drivers
• unrestricted security access

Bootkits
• allows the malicious program to be executed before the operating system boots
• cannot be detected by standard means of an operating system because all its components reside outside of the standard file system

Hypervisor level
• uses hardware virtualization
• traps a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it
• does not have to load before the OS

Hardware/Firmware
• hidden in BIOS, network card etc.
• the only way to remove it is to replace the infected hardware
• could be hidden outside the computer, for example in a network printer

Installation
• Physical access to the target system
• Privilege Escalation

Cloaking
• Obscure its presence from security tools
• Modify the behavior of OS core parts
• Load code into other processes

• Stoned is the name of a boot sector computer virus created in 1987, apparently in New Zealand. It was one of the very first viruses.
• A memory resident bootkit up to the Windows kernel
• Boot applications executed on startup
• Drivers executed beside the Windows kernel

• Your PC is now Stoned! (1987)
• Your PC is now Stoned! ..again (2010)

Windows Boot Process
• Windows boot system assumes an already secure environment when starting

Hooking and Patching
• Interrupt 13h hooked
• Ntldr hooked for calling 32-bit code and patching the code integrity verification
• Patching the NT kernel
• Executing payloads (driver)

Installation
• Live CD
• Infected PDF

Demonstration

• Signature-Based
• File Integrity Monitoring
• Cross-View Analysis
• Hooking Detection
• Heuristics-Based Detection
• Network-Based Detection

3.1 Signature-Based Detection
• analyzing the rootkit to define a fingerprint
• integrating the fingerprint into the database
• the fingerprint can be used for rootkit detection

3.2 File Integrity Monitoring
• calculates cryptographic hashes for critical, unchanging operating system files and compares them to known values that are stored in a database

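
An added example (not part of the original slides) of the baseline-and-compare check described in 3.2, in Python. The file names and contents are constructed stand-ins for system files, and the function names are hypothetical:

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record known-good hashes; keep the result off-host or on read-only media."""
    return {p: sha256_file(p) for p in paths}


def verify(baseline, current_paths):
    """Compare the present state with the baseline and classify each difference."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, known in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif sha256_file(path) != known:
            report["modified"].append(path)
    report["unexpected"] = sorted(set(current_paths) - set(baseline))
    return report


def demo():
    """Constructed scenario: three stand-in 'system files' in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n) for n in ("login", "ls", "netstat")}
        for name, path in files.items():
            with open(path, "wb") as f:
                f.write(b"original " + name.encode())
        baseline = build_baseline(files.values())
        # Simulate tampering: one file altered, one removed, one added.
        with open(files["ls"], "ab") as f:
            f.write(b" patched")
        os.remove(files["netstat"])
        open(os.path.join(d, "extra"), "wb").close()
        current = [os.path.join(d, n) for n in sorted(os.listdir(d))]
        result = verify(baseline, current)
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}
```

The comparison is only as trustworthy as the file reads behind it: as noted under removal, file system APIs can be manipulated by a rootkit, so the verification is best run from trusted media.
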
3.3 Cross-View Analysis
• It involves looking at the system from the high level “user”, or API view, and comparing it to the actual low level hardware view.

3.4 Hooking Detection
• When the rootkit modifies a hook to point to a malicious service or interrupt routine, the memory location almost invariably lies outside the specific address range of the “clean” system, and is easily detected.

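
An added example (not from the original slides) of the range check described in 3.4, in Python: each handler address in a service table is resolved to the module that contains it, and entries outside the expected module are reported. The module map, table entries and addresses are constructed sample data, and the function names are hypothetical:

```python
from bisect import bisect_right

# Constructed sample data: module load map (name, base address, size in bytes).
MODULES = [
    ("kernel_image", 0x80400000, 0x00200000),
    ("disk_driver", 0x80700000, 0x00020000),
    ("unknown_region", 0xF8A00000, 0x00010000),
]

# Constructed sample service table: entry name -> handler address.
SERVICE_TABLE = {
    "open_file": 0x80412340,
    "query_directory": 0xF8A01200,  # points outside the kernel image
    "enum_processes": 0x8051A000,
    "read_file": 0x90000000,        # belongs to no loaded module at all
}


def owner_of(address, modules):
    """Return the module whose [base, base+size) range contains address, else None."""
    ordered = sorted(modules, key=lambda m: m[1])
    bases = [m[1] for m in ordered]
    i = bisect_right(bases, address) - 1
    if i >= 0:
        name, base, size = ordered[i]
        if address < base + size:
            return name
    return None


def find_suspect_hooks(table, modules, expected_owner):
    """List entries whose handler is not inside the expected module's range."""
    suspects = []
    for entry, address in sorted(table.items()):
        owner = owner_of(address, modules)
        if owner != expected_owner:
            suspects.append((entry, hex(address), owner or "no module"))
    return suspects
```
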
3.5 Heuristics-Based Detection
• Heuristics-Based detection of malware attempts to classify malicious behavior according to certain pre-determined rules.

3.6 Network-Based Detection
• The system periodically sends a snapshot of the network traffic and open ports to a trusted gateway for analysis.
• The gateway compares this data with its “external” view of the system’s network activity.

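
An added example (not from the original slides) of the comparison in 3.6, in Python: the gateway parses the host's own report of listening ports and compares it with what it observes from outside. It assumes the host snapshot is in Linux /proc/net/tcp layout on a little-endian machine; the snapshot, the gateway observation and the function names are constructed for illustration:

```python
# Constructed host snapshot in Linux /proc/net/tcp layout (state 0A = LISTEN).
HOST_SNAPSHOT = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 11003
   3: 0A00000A:0016 1400000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 11004
   4: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11005
"""

# Constructed gateway observation: TCP ports seen accepting connections from outside.
GATEWAY_VIEW = {22, 80, 31337}


def host_listening_ports(snapshot):
    """Extract externally reachable listening ports from the host's own report."""
    ports = set()
    for line in snapshot.splitlines()[1:]:      # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue                            # not a listening socket
        addr_hex, port_hex = fields[1].split(":")
        if addr_hex.endswith("7F"):
            continue                            # 127.x.x.x, little-endian hex
        ports.add(int(port_hex, 16))
    return ports


def compare_views(snapshot, gateway_ports):
    """Diff the host's self-reported view against the gateway's external view."""
    reported = host_listening_ports(snapshot)
    return {
        # Open from outside but absent from the host report: possible cloaking.
        "hidden_from_host": sorted(gateway_ports - reported),
        # Reported by the host but not reachable: usually filtering, not a rootkit.
        "not_seen_externally": sorted(reported - gateway_ports),
    }
```
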
• Operating system updates
• Automatic updates
• Personal firewalls
• Host-based intrusion prevention systems
• Rootkit prevention techniques

• A number of security-software vendors offer tools to automatically detect and remove some rootkits
• Some antivirus scanners can bypass file system APIs, which are vulnerable to manipulation by a rootkit
• There are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media
• In some cases the only possibility is to replace some hardware

Home Users
• Stealing identity and private information
• Turning home users' computers into zombies
• Loss of time, money and confidence

Enterprise and Government
• Loss of confidential information, theft of intellectual property
• Reputation and customer trust
• Additional costs of purchasing, installing, and administering security measures
• Increases system complexity

References
• Stallings & Brown - Computer Security: Principles and Practice
• Thomas Martin Arnold - A comparative analysis of rootkit detection techniques
• Ric Vieler - Professional Rootkits
• http://en.wikipedia.org/wiki/Rootkit
• http://opensecuritytraining.info/Rootkits.html
• http://www.stoned-vienna.com