Xcon2005_Profiling_Malware_and_Rootkits_from_Ke..

AgendaBasics about RootkitsCurrent rootkit detectionRootkit techniquesA better way…

Rootkit IntroductionRootkit first appeared on Windows in1999 (NTRootkit, Hoglund):Different agenda than virusesNon-destructive information gatherersUsually running in the kernel (easierto hide)

Rootkit DetectionAt the beginning of this year, there was almost nocommercial productsRootkit detection has suddenly become popular. F-Secure, Microsoft, etc. have all released products.Rootkit products will not be very useful unless theyadapt as quickly as the rootkitsRootkit evasion techniques are advancing muchfaster than rootkit detection

Rootkit DetectionThree current detection mechanisms:Anti-virus software approachHIPS (Host Intrusion Prevention Systems)Execution Path Analysis (EPA)The newcomer: Differential testing

Rootkit Detection Anti-VirusVery effective at preventing use of knownrootkitsNew signatures are made as new variantsand rootkits come outDetects the rootkit’s fingerprint before ithas a chance to run

Rootkit DetectionProblems with Anti-VirusFew rootkits are observed in the wildThis gives them a low priorityRootkits are evasive and non-destructiveFew samples of rootkits are sent to AVcompaniesToo late…Rootkits will just unhook antivirus (usually afilter driver over the file system)Then when an AV definition comes out, it istoo late J

Rootkit Detection Host IPSTwo layers of defenseTries to prevent exploitation of the machine(stop buffer overflows, RLIBC attacks, etc.)If hackers get past that defense, then try toblock the hacker from getting into the kernel

Rootkit DetectionProblems with Host IPSMany weaknesses outlined in a Phrack 62 (Butler)API hooks are easy to evadeMost HIPS cover only those that are likely to beused by an exploitHard to cover all ways a rootkit can be introduced:Crazylord evaded a rootkit detector by using asymbolic link \Device\PhysicalMemoryDefenseless against use of new kernel privilegeescalation vulnerabilities

Rootkit DetectionExecution Path Analysis (EPA)Discussed at BlackHat Las Vegas 2003 by JoannaRutkowskiAn old idea now applied specifically to rootkitsUses instruction trapping to profile system callsGoes through a learning period when the systemis known to be cleanRemembers the instruction counts or code pathsof the system callsDetects rootkit when the execution path of a systemcall differs

Rootkit DetectionProblems with the EPALarge performance degradation tracingthrough all system callsDifficult to implement correctly (many waysto disable):Overwriting the trap handler in the IDTOverwriting EFLAGS.TF in the TSSOverwriting EFLAGS.TF via POPF

Rootkit Detection DifferentialQuery same information from toplocations:First use user-mode APIsThen use low-level methods (looking atthe registry file, NTFS directly, etc.)If these differ, something is hidinginformation

Rootkit DetectionProblems with DifferentialWas quickly defeated (see rootkit.com)They are easy targets for rootkitsThese methods are too basicRootkits can make special cases to handlethese tools

Rootkit Technologies IntroductionUser-mode rootkits (not covered here)Hide in other processesKeyboard sniffingMay be “diskless” (AV cannot detect)Metasploit, CANVAS, and CORE IMPACT are alldisklessWon’t be discussed in this presentationKernel-mode rootkitsComing up next…

Rootkit Technologies IntroductionFirst, get into kernel-modeSecond, hook into kernelThird, try to become permanent

Rootkit TechnologiesGetting into Kernel #1Using ZwSetSystemInformation or ZwLoadDriverEnable SeLoadDriverPrivilegeThe problem is that it will be pageable (asHoglund/Butler note)But there is a magic trick: MmResetDriverPaging JService Control Manager (the normal way)No special tricks requiredThis will require creating a registry keyBoth require a physical file be presentMakes the rootkit an easy target for antivirus detection

Rootkit TechnologiesGetting into Kernel #2Use a kernel-mode exploit.. someexamples:LPC (local): 原 创 (eyas)Norton Antivirus (local): s.k. chongSymDNS (remote): barnaby jack

Rootkit TechnologiesGetting into Kernel #3Install Ring3->Ring0 call gate fromuser modeSee paper by crazylordNo disk access (AV can’t detect)Less complicated than kernel-modeexploitsModify x86 GDT directly from user modeMay not work for newer versions ofWindows

Rootkit TechnologiesHooking into the KernelOnce your code is running the kernel, now what?Hooking system call tableUsed to either add new system calls or hideinformation like files, registry keys, etc.Hooking interrupt handlersManipulate page tables entries (executable, noreadable)Hooking driver dispatch tablesAdd filter drivers

Better Method…IntroductionCan be used to detect rootkitsCan be used to monitor system activity(helpful to profile malware)

Better Method…Windows Executive ObjectsWindows uses “executive objects”Controlled by an Object ManagerHandles are all indirect references toobjectsEverything is an object

Better Method…Windows Executive ObjectsMemorysectionsLPC portsI/O completionWMIDesktopsMutexesEventsSemaphoresI/O ControllersFilesRegistry keysDevicesDriversProcessesThreadsJobsSocketsSecuritytokensThese are allobjects!

Better Method…Windows Executive ObjectsHow does the Object Manager track so manytypes of objects?It doesn’t “memorize” all these executive objecttypesInstead, executive object types are registereddynamicallyThere are set of callbacks for each object type,and it is responsible for opening, creating,securing, and closing that object type

Better Method…ExampleDuring system initialization, IoInitSytsem()registers the FILE_OBJECT typeLater you call NtCreateFile() to create a new file:This calls ObCreateObject(name, FILE_OBJECT)The Object Manager calls the Open callbackwith the mode set to Create routine registed forthe FILE_OBJECTIf the Open callback returns successfully, thenthe handle is returned to NtCreateFile

Better Method…We can replace the callbacks for all object typeswe’re interested inIf we’re interested in finding out every time aprocess or file is opened:Find the FILE_OBJECT object type andreplace the Open callbackFind the EPROCESS object type and replacethe Open callback

Better Method…In the callback, we analyze the event andthen call the original callbackIf we’re just profiling:We record the event and allow it to passIf we’re doing rootkit detection:We check if there are any matching signaturesIf a signature matches, we execute the signatureaction (e.g., report, block, etc.)

Better Method…BenefitsSaves on performance big timeCan be isolated to specific object types, specificprocesses, or just the kernelAttempts to open an object that doesn’t exist don’teven reach the Open callback (thus no overhead)Attempts to create an object when the callerdoesn’t have adequate permission doesn’t evenreach the Open callback (thus no overhead)New possibilities!Able to monitor almost all aspects of the systemsbehaviorRemember, almost everything is an object!

Better Method…How ToIf we want to profile malware:Start the malware in a suspended stateMonitor all object typesApply it only to the malware processIf we want to detect rootkits:Process signatures and only monitor theobject types that has a matching signatureApply it only to kernel mode (e.g., ignoreuser-mode processes)

Profiling: Demo

Detecting Driver LoadingCreating section in kernel with SEC_IMAGE flag

Detecting FiltersDetect creation of I/O completion port fromkernelEnumerate DEVICE_OBJECTs

Detecting Dispatch HooksEnumerate DRIVER_OBJECTs

Detecting Hidden RootkitsSome of the things rootkits do make themeasier to detect JReturn address into non-readable pageReturn address into non-paged memory pool

Removing a Rootkit…Still experimental…Creates instability to remove rootkit (unknownhooks)Replace all rootkit code with INT 3 (breakpoint)Add INT3 handlerIf the return address is to a suspicious place,add INT 3 to that page alsoAfter we no longer see any new pages for awhile, replace INT 3 with NOP

Self-PreservationSince this is a cat and mouse game, rootkits willimprove to hide from this methodWe need to protect ourselves from when therootkit authors begin specifically targeting thisdetection mechanismThus, we need to take whatever selfpreservationmechanisms we can to stay incontrol

Self-Preservation: Step 1Prevent a rootkit from being loaded inthe first placeDisable access to\Device\PhysicalMemoryDisable driver loading methodsLimitations:The attacker will use a new kernelprivilege escalation vulnerability, andget past this step

Self-Preservation: Step 2Prevent a rootkit from making itself permanentDisable any attempt to createHKLM\SYSTEM\CurrentControlSet\*\Type withtype 0 or 1 (change to 4 for disabled)Disable any attempt to modify an existing anHKLM\SYSTEM\CurrentControlSet\*\TypeLimitations:The rootkit may physically patch hal.dll,ntoskrnl.exe, etc.Be wary of accessing the registry keys throughsymbolic links

Self-Preservation: Step 3Ensure no driver except FAT/NTFS loads before usInstall ourselves at the beginning of the “BootBus Extender”Prevent any changes toHKLM\SYTSEM\CurrentControlSet\GroupOrderList

Self-Preservation: Step 4Ensure no one changed the object type callbacksKeep a thread in an infinite loop watching thehooked callbacks every few 100 millisecondsor soRestore callbacks if they are changed andreport an attackFind out where the callbacks pointed to (thislets us know who did it)If it is not a known system driver, unload it

SummaryPresented a method of observing system behaviorUser-mode and kernel-modePresented a method to block certain behaviorsSignature language can be used to detect knownrootkitsPresented self-preservation methodsNeeded if new rootkits come out that aren’trecognizedIn the end, this is just a step in the cat and mousegame

AcknowledgementsMany kung fu masters for Windows kernel-modeexploitation and rootkits:Joanna Rutkowska, Jamie Butler, flashsky,S.K. Chong,Barnaby Jack, Greg Hoglund, Derek Soder,crazylord

STKIT– Shok Toolkit JRemember this URL…Remember this URL…Remember this URL…Remember this URL…http://www.cybertech.net/~sh0ksh0kWill not be publicly announced, so you must rememberCode will be put there in the next 2 weeks

The EndThanks for listening JSend email to shok1234 msn.com