Anti-Forensics: The Rootkit Connection (Bill Blunden, Black Hat USA 2009) - slide transcript, 47 slides
Source file: astavrou/courses/ISA_785_F11/BHUSA09-Blunden... (George Mason University course page)

[Slide 2] From The Tunnels Below Gotham

[Slide 3] Anti-Forensics: The Rootkit Connection
Black Hat USA 2009, Las Vegas, Nevada
Bill Blunden, Principal Investigator, Below Gotham Labs

© 2009 Below Gotham Labs    www.belowgotham.com    Slide 3

Below Gotham Laboratories

[Slide 4] Introduction (agenda)

Introduction: The Quandary of Live Response; Another Option: Post-Mortem Analysis; Anti-Forensic Strategies
Tactics & Countermeasures: Forensic Duplication; Recovering Files; Recovering Deleted Files; Capturing a Metadata Snapshot; Identifying Known Files; File Signature Analysis; Static Analysis of an .EXE; Runtime Analysis of an .EXE
Data Source Elimination: Memory-Resident Rootkits; Firmware-Based Rootkits
Operational Issues: Footprint and Fault-Tolerance; Launching a Rootkit
Conclusions

[Slide 5] The Quandary of Live Response

The Athens Affair
  Rootkit monitored digitized voice traffic on Ericsson AXE switches
  Patched the commands that listed active code blocks
  Integrity checking code was subverted (patch suspected)
  http://www.spectrum.ieee.org/telecom/security/the-athens-affair

The DDefy Rootkit
  Vendors downplay the threat to live disk imaging as unlikely
  DDefy injects a filter driver to feed bad data to forensic tools
  http://www.ruxcon.org.au/files/2006/anti_forensic_rootkits.ppt

Defeating Hardware-Based RAM Capture on AMD64
  Vendors attempt to sidestep the OS entirely to avoid interference
  Rutkowska defeated this by manipulating the Northbridge map table
  http://invisiblethings.org/papers/cheating-hardware-memory-acquisition-updated.ppt

Fundamental Issue: A rootkit can interfere with runtime data collection

[Slide 6] Another Option: Post-Mortem Analysis

The post-mortem pipeline shown on the slide, in order:
  1. Forensic Duplication
  2. Recover Files
  3. Recover Other FS Objects
  4. Take Metadata Snapshot
  5. Remove Known Files
  6. File Signature Analysis
  7. Static .EXE Analysis
  8. Runtime .EXE Analysis

[Slide 7] An Aside: Assume the Worst-Case

Richard Bejtlich, Director of Incident Response, GE; former MI officer (AFCERT, AFIWC, AIA)
http://taosecurity.blogspot.com/

For the sake of keeping things interesting: Let's assume we're facing off against a highly skilled, well-armed, adversary
The “they're all idiots” mentality is dangerous (don't underestimate your opponent!)

Assumption: In High-Security Environments
  Compromise may be assumed a priori
  Security professionals may employ forensic analysis preemptively

[Slide 8] Anti-Forensic Strategies

Primary Goal: Outlast the investigator (exhaust their budget, e.g. THX 1138)

Institute Defense in Depth: implement strategies concurrently to augment their effectiveness

  Strategy                 Tactical Implementations
  Data Source Elimination  Memory-Resident Code, Autonomy
  Data Destruction         Data and Metadata Shredding, Encryption
  Data Concealment         In-Band, Out-of-Band, & Application Level
  Data Transformation      Encryption, Compression, Obfuscation
  Data Fabrication         Leave False Audit Trails, Introduce Known Files

Use Custom Implementations: want to frustrate attempts to rely on automation to save time

[Slide 9] Tactics and Countermeasures (agenda slide; same outline as Slide 4)

[Slide 10] Forensic Duplication

Reserved Disk Regions
  One way to undermine forensic duplication is to avoid being captured on the image
  Reserved regions like the HPA and DCOs were tenable hideouts (at one point in time)

Example: FastBloc 3 Field Edition
  Write blocker that can detect and access HPAs and DCOs
  http://forensics.marshall.edu/MISDE/Pubs-Hard/FastblocFE.pdf

Bad News: HPA/DCO-sensitive tools are now commonplace

[Slide 11] Recovering Files

Tactics that Hamper File Recovery

Encrypted Volumes
  Nothing to carve, looks like random bytes
  Plausible Deniability - Nested encrypted Volumes
  Conspicuous, use as part of an exit strategy

File System Attacks
  Won't necessarily obstruct file carvers
  Can lead to erratic behavior (do NOT want this)
  Conspicuous, use as part of an exit strategy

Concealment
  Definitely has potential (at least in the short-term)
  In-Band Concealment
  Out-of-Band Concealment
  Application Layer Concealment

[Slide 12] In-Band Concealment

In-Band: use regions described by the FS specification

Examples
  Reserved space in file system metadata structures
  Alternate Data Streams
  Clusters allocated to $BadClus

Implementations: Data Mule FS
  Developed by the grugq, targets the ext2fs file system
  Stores data in inode reserved space
  http://www.blackhat.com/presentations/bh-europe-04/bh-eu-04-grugq.pdf

Issues
  Surviving file system integrity checks
  Allocating a sufficient amount of storage (managing many small chunks)

[Slide 13] An Aside: In-Band on Windows

The NTFS Master File Table (MFT)
  Central repository for all NTFS file system meta-data
  Is a relational database consisting of a series of records
  Each file/directory corresponds to one or more 1 KB records in the MFT

Hiding Data in the MFT: FragFS
  Rootkit presented at Black Hat Federal 2006 by Thompson and Monroe
  Identified available reserved space and slack space in MFT records

NTFS is a Licensed Specification
  Microsoft provides an incomplete Technical Reference
  http://technet.microsoft.com/en-us/library/cc758691.aspx
  For (free) low-level details, we must rely on the Linux-NTFS project
  http://sourceforge.net/projects/linux-ntfs/
  Brian Carrier also wrote a book that relates many details
  http://www.digital-evidence.org/fsfa/index.html

[Slide 14] Out-of-Band Concealment

Out-of-Band: use regions NOT described by the FS specification

Examples
  The HPA, DCOs
  Slack Space (file-based, partition-based, etc.)

Implementation: Metasploit's slacker.exe
  http://www.metasploit.com/research/projects/antiforensics/

Issues
  Finding storage space that's unlikely to be overwritten or re-allocated
  Beware of slack-space wiping tools (PGP Desktop Professional 9.0.4+)
  http://www.metasploit.com/research/vulnerabilities/pgp_slackspace/

[Slide 15] An Aside: Slacker.exe

Win32 snippet from the slide (fileHandle, buffer, SZ_BUFFER and nBytesWritten are declared elsewhere in the tool):

    //Step [1] - set the FP to the logical EOF
    SetFilePointer(fileHandle, 0, NULL, FILE_END);
    //Step [2] - write data between the logical EOF and physical EOF
    WriteFile(fileHandle, buffer, SZ_BUFFER, &nBytesWritten, NULL);
    FlushFileBuffers(fileHandle);
    //Step [3] - Move FP back to the old logical EOF
    SetFilePointer(fileHandle, -SZ_BUFFER, NULL, FILE_CURRENT);
    //Step [4] - truncate the file nondestructively (on XP)
    SetEndOfFile(fileHandle);

[Figure: a file's clusters drawn as sectors; the file pointer (FP) starts at the logical EOF, advances through the slack up to the physical EOF, then returns to the old logical EOF]

[Slide 16] An Aside: Microsoft Responds

Microsoft Addresses this Issue in Vista
  Calls to SetEndOfFile() zero out file slack space before returning

One Solution
  Design a rootkit that manages file slack space from Kernel-Space
  Place metadata in a known location to avoid using an external tracking file
  Be Warned: don't leave this metadata in plaintext format!
  KMD manages file slack space
  User-Mode code sees a virtual block device

[Slide 17] Application Layer Concealment

Application Layer: use regions defined by a particular file format

Examples
  Steganography
  http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-raggo/bh-us-04-raggo-up.pdf
  Rogue Database Entries
  Injecting code to create a Trojan Executable
  Dawid Golunski, “Rogue Binaries - How to Own the Software,” hakin9, 1/2008

Issues
  Not very effective with static files, a binary diff will expose alteration
  Must identify files that are normally subject to constant updates
  Modifying database files through official channels leaves an audit trail
  If possible, see if you can navigate the database file manually
  http://helios.miel-labs.com/downloads/registry.pdf

[Slide 18] Recovering Deleted Files

Tactics that Impede Recovery of Deleted Data

File Wiping
  Software-based wiping tools often rely on overwriting data in place
  Not always effective on journaling and RAID-based file systems

Metadata Shredding
  Deleting data isn't enough, must also clean up the file system
  Example: The Defiler's Toolkit (TDT) built by the grugq
  http://www.phrack.org/issues.html?issue=59&id=6

Encryption
  Encrypt data before it's persisted to disk storage
  Destroy the key and the data becomes random junk

[Figure: the key is the prize: how do we protect the key from being intercepted?]

[Slide 19] An Aside: Key Management

Hints on Protecting Encryption Keys

Don't Store Keys on Disk
  If you do, encrypt it with another encryption key

Minimize Runtime Key Exposure
  You should assume that debuggers will be brought into play

Lock the Memory Containing the Key
  Need to prevent recovery of the key from the page file/partition
  On Unix: mlock() (see sys/mman.h)
  On Windows: VirtualLock() (see Winbase.h)
  Note: you'll need to obfuscate these calls because they're beacons

[Slide 20] Capturing a Metadata Snapshot

Tactics that Undermine the Integrity of Metadata

Binary Modification
  This will place a known good file into the “unknown” category
  Too conspicuous for the scenario of preemptive forensics
  As part of an exit strategy, serves as a diversionary measure

Timestamp Modification
  Can be applied to non-system files to fabricate a false trail
  Note: On NTFS, more than one attribute has timestamp data!
  $STANDARD_INFORMATION and $FILE_NAME

[Figure: timeline of events that timestamps tie together: User Logoff, Program Installed, User Logon]

[Slide 21] An Aside: TimeStomp.exe

Snippet from the slide (fileBasicInfo, handle, ioStatusBlock and ntStatus are declared elsewhere in the tool):

    if(modTimeStamp)
    {
        fileBasicInfo.CreationTime.LowPart = 1;
        fileBasicInfo.CreationTime.HighPart = 0;
        ...
    }
    ntStatus = ZwSetInformationFile
    (
        handle,                  //IN HANDLE FileHandle
        &ioStatusBlock,          //OUT PIO_STATUS_BLOCK IoStatusBlock
        &fileBasicInfo,          //IN PVOID FileInformation
        sizeof(fileBasicInfo),   //IN ULONG Length
        FileBasicInformation     //IN FILE_INFORMATION_CLASS
    );

The FILE_BASIC_INFORMATION argument stores four LARGE_INTEGER values
These values represent the number of 100-nanosecond intervals since 1601
When these values are small, the Windows API doesn't translate them correctly
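An added example, not code from the slides: a checker written from the analyst's side that joins the LARGE_INTEGER halves described above into datetimes and flags the traces this kind of tampering leaves in an MFT record (values that predate 1980, whole-second timestamps, and a $STANDARD_INFORMATION creation time older than $FILE_NAME's). The attribute values in sample_records() are constructed, not taken from a real volume.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one FILETIME tick is 100 nanoseconds
TIMESTAMP_NAMES = ("CreationTime", "LastAccessTime", "LastWriteTime", "ChangeTime")
# No file on an NTFS volume can genuinely predate 1980; the LowPart = 1 /
# HighPart = 0 value written by the snippet above lands far below this line.
MIN_PLAUSIBLE_TICKS = int((datetime(1980, 1, 1, tzinfo=timezone.utc)
                           - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def to_ticks(parts):
    """Join the (LowPart, HighPart) halves of a LARGE_INTEGER into one integer."""
    low, high = parts
    return (high << 32) | (low & 0xFFFFFFFF)


def filetime_to_datetime(low, high):
    """Convert a FILETIME (100 ns intervals since 1601-01-01) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=to_ticks((low, high)) // 10)


def datetime_to_filetime(dt, extra_ticks=0):
    """Inverse of the above; extra_ticks supplies the sub-second remainder."""
    ticks = int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND + extra_ticks
    return ticks & 0xFFFFFFFF, ticks >> 32


def check_timestamps(si, fn):
    """Compare $STANDARD_INFORMATION (si) with $FILE_NAME (fn) for one MFT record.

    Both arguments map the four timestamp names to (LowPart, HighPart) tuples.
    Returns a list of anomaly descriptions; an empty list means nothing looked off.
    """
    findings = []
    for name in TIMESTAMP_NAMES:
        ticks = to_ticks(si[name])
        if ticks < MIN_PLAUSIBLE_TICKS:
            findings.append(f"{name}: implausible value {ticks} (before 1980)")
        elif ticks % TICKS_PER_SECOND == 0:
            # Genuine NTFS updates carry a 100 ns remainder; a tool that writes a
            # time parsed from a date string produces whole seconds only.
            findings.append(f"{name}: zero sub-second precision")
    # $FILE_NAME is rewritten only by the kernel on create/rename/move, so a
    # $STANDARD_INFORMATION creation time older than $FILE_NAME's means $SI
    # was backdated after the file appeared on the volume.
    if to_ticks(si["CreationTime"]) < to_ticks(fn["CreationTime"]):
        findings.append("$SI CreationTime precedes $FN CreationTime (backdated)")
    return findings


def sample_records():
    """Constructed attribute values: a clean record and a stomped one (not real MFT data)."""
    real = datetime(2009, 7, 29, 15, 4, 21, tzinfo=timezone.utc)
    clean = {n: datetime_to_filetime(real, 4_567_891) for n in TIMESTAMP_NAMES}
    stomped = dict(clean)
    # Backdated from a date string: whole seconds, earlier than $FILE_NAME.
    stomped["CreationTime"] = datetime_to_filetime(
        datetime(2004, 8, 6, 9, 0, 0, tzinfo=timezone.utc))
    # Exactly the LARGE_INTEGER the ZwSetInformationFile snippet writes.
    stomped["LastWriteTime"] = (1, 0)
    return (clean, clean), (stomped, clean)


if __name__ == "__main__":
    for label, (si, fn) in zip(("clean", "stomped"), sample_records()):
        print(label, check_timestamps(si, fn) or "no anomalies")
```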

[Slide 22] Identifying Known Files

Investigator Performs a Cross-Time Diff
  Eliminate known good and known bad files, identify unknown files
  [Figure: the file population partitioned into Known Good, Known Bad and the remaining Files]

How Can We Sabotage this Stage?
  Preimage Attack: files altered in this manner can be discovered via a binary diff
  Inject Known Good and Known Bad Files
    Consumes bandwidth, but is definitely conspicuous (e.g. time needed to get reference check sums)
    Has potential as part of an exit strategy (e.g. decrypt a known bad file, let it act as a decoy)

[Slide 23] File Signature Analysis

Tactics that Subvert File Signature Analysis

Transmogrification
  Alter the file header so that it doesn't match the predefined signature
  Keep in mind that an investigator can always crank up a hex editor
  http://www.metasploit.com/data/antiforensics/BlueHat-Metasploit_AntiForensics.ppt

Steganography and Encryption
  Can encrypt an executable - no signature whatsoever
  Encode a configuration text file and wrap it in an executable

Slide example: a process-hiding list in Hacker Defender (hxdef) configuration style, then the same list base64-encoded inside an XML wrapper

    [Hidden Processes]
    hxdef*
    mstftp.exe
    keylogger.exe

    <StringData><HP>
    aHhkZWYqDQptc3RmdHAuZXhl
    DQprZXlsb2dnZXIuZXhl
    </HP></StringData>

[Slide 24] Static Analysis of an .EXE

Countermeasures: store the .EXE in a format that cannot be readily analyzed

  Static Analysis Tools   Example
  File Header Readers     dumpbin.exe
  Disassemblers           IDA Pro
  Hex Editors             HxD

  Countermeasure Tools        Description
  Cryptor (e.g. EXECryptor)   Encrypts the original application
  Packer (e.g. UPX)           Compresses the original application
  Bytecode Compiler           Recasts the machine code as p-code

[Slide 25] Basic Operation

[Figure: how a cryptor, packer or bytecode tool transforms an executable]
  Original Executable: .text, .data, .idata and .reloc sections, with its Original Entry Point
  Tool output (Encapsulated): Encrypted/Packed/P-code Section(s) prefixed by Stub Code; the New Entry Point lands in the Stub Code
  Runtime: the Stub Code unveils its payload and transfers program control to the Original Code & Data (Ready to Run)

[Slide 26] Recurring Theme: Userland Exec

Standard family of exec functions on Unix systems

    int execv(const char *path, char *const argv[]);
    int execve(const char *path, char *const argv[], char *const envp[]);
    int execvp(const char *file, char *const argv[]);

  Replace the current process image with a new process image
  Core functionality is provided by facilities in the kernel

Origins: Stub Code = Userland Exec
  Loads an arbitrary byte stream (from disk)
  Makes adjustments so that the byte stream can execute
  Doesn't use the native OS loader (e.g. it's a User-Mode loader)
  This sort of functionality will prove useful later on…

[Slide 27] Stub Code Issues - Part I

If Key Material is Stored in the Stub
  Break the payload into segments, use a different key for each one
  Use multiple keys that are generated at runtime from a seed value

Storing Key Material Outside of the Stub
  Hide key material in a reserved region (MFT, HPA, BIOS, etc.)
  Use an environmental key, that's specific to the target machine
  http://papers.weburb.dk/archive/00000136/01/eicar05final.pdf

Use Custom Tools
  Public tools leave a signature (http://www.peid.info/)
  This enables automated tools that unpack/decrypt the payload
  Implement a combination of packing, encrypting, and bytecode
  For example: bytecode is encrypted and then compressed
  Use multiple packing/encrypting algorithms to buy time
  But, be aware of the size penalty you will pay

[Slide 28] Stub Code Issues - Part II

Camouflage
  Stub code has only a few sections, not many imports, and very little string data
  [Section dump of a UPX-packed executable: three sections, 01 UPX0, 02 UPX1, 03 .rsrc, each listed with its VirtSize and VirtAddr; UPX0 begins at VirtAddr 00001000]
  This scarcity of data is a dead giveaway to the investigator
  Can fabricate extra code and data to make the stub appear legitimate
  Example: VERSIONINFO resource-definition statement
  http://msdn.microsoft.com/en-us/library/aa381058.aspx

Runtime Exposure
  Foiling static analysis is a temporary countermeasure at best
  It should be used as part of a defense in depth approach
  Ultimately, the stub will unveil its payload at runtime
  This leads us to the next topic…
  Look familiar?
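An added example, not code from the slides or from Below Gotham Labs: a small PE section-table parser that reports the indicators a packed stub leaves behind (packer section names, very few sections, an empty unpack-target section, high-entropy section data, entry point inside a writable executable section). The image in build_sample_pe() is constructed to mirror the UPX0/UPX1/.rsrc layout of the section dump above, and the packer name list is an assumption drawn from common packers.

```python
import hashlib
import math
import struct

# Section names left by common packers; UPX0/UPX1 are the ones in the section
# dump above. The list is an assumption for this example, not from the slides.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".vmp0", ".vmp1", ".vmp2"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WRITE_EXEC = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE


def shannon_entropy(buf):
    """Bits per byte: compressed or encrypted data sits close to 8, plain code well below."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Walk DOS header -> e_lfanew -> PE signature -> COFF -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name, "vsize": vsize, "vaddr": vaddr, "rsize": rsize,
            "entropy": shannon_entropy(raw),
            "holds_entry": vaddr <= entry_rva < vaddr + max(vsize, rsize),
            "write_exec": (chars & WRITE_EXEC) == WRITE_EXEC,
        })
    return sections


def packer_indicators(sections):
    """The 'dead giveaway' signals of a packed or encrypted stub, one string each."""
    hits = []
    known = {s["name"] for s in sections} & PACKER_SECTION_NAMES
    if known:
        hits.append("packer section names: " + ", ".join(sorted(known)))
    if len(sections) <= 3:
        hits.append(f"only {len(sections)} sections")
    for s in sections:
        if s["rsize"] == 0 and s["vsize"] > 0:
            hits.append(f"{s['name']}: no raw data, {s['vsize']:#x} bytes virtual (unpack target)")
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} (packed or encrypted payload)")
        if s["holds_entry"] and s["write_exec"]:
            hits.append(f"{s['name']}: entry point inside a writable, executable section")
    return hits


def section_header(name, vsize, vaddr, rsize, rptr, chars):
    """One 40-byte IMAGE_SECTION_HEADER (relocation and line-number fields zeroed)."""
    return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)


def build_sample_pe():
    """Constructed PE32 image with the UPX0 / UPX1 / .rsrc layout of the dump above."""
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 random-looking bytes
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)              # i386, 3 sections, PE32 opt hdr
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x1000, 0, 0, 0x12000).ljust(224, b"\0")  # entry in UPX1
    table = (section_header(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080)
             + section_header(b"UPX1", 0x3000, 0x11000, 0x1000, 0x200, 0xE0000040)
             + section_header(b".rsrc", 0x1000, 0x14000, 0x200, 0x1200, 0xC0000040))
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    return headers + payload[:0x1000] + bytes(0x200)


if __name__ == "__main__":
    for hit in packer_indicators(parse_sections(build_sample_pe())):
        print(hit)
```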

[Slide 29] Runtime Analysis of an .EXE

Countermeasures: the very same tools that vendors used to defend against crackers (role reversal!)

  Runtime Analysis Tools           Example
  Debuggers (User & Kernel-Mode)   OllyDbg, WinDBG, KD
  Resource Monitors                SysInternals Suite
  API Tracers                      Windows logger.exe
  Network Packet Analyzers         Wireshark
  System Logs                      Windows Event Logs

  Countermeasure   Description
  Tamperproofing   Detect and respond to patching (e.g. a debugger)
  Obfuscation      Make code/data difficult to interpret and reverse
  Autonomy         Rely as little as possible on the official channels

[Slide 30] Tamperproofing

Step 1 - Detecting Modifications
  Want to know when a debugger has set a breakpoint or disabled a routine with NOPs
  Official API Calls (are relatively easy to subvert)

    BOOL WINAPI IsDebuggerPresent();          //user-mode
    BOOLEAN KdRefreshDebuggerNotPresent();    //kernel-mode

  Checksums are a more robust approach
  Avoid a centralized checksum API, implement redundant integrity checks
  Create integrity checking routines to monitor your integrity checks
  Plant decoy integrity checks to mislead the investigator
  Periodically reinstate code to prevent it from being overwritten with NOPs

Step 2 - Responding to Modifications
  Disassociate integrity checks from response (delayed trigger)
  Embed subtle bugs and have the integrity checks correct them
  Do NOT crash and burn, send them on a goose chase (buy time)

[Slide 31] Obfuscation

  Obfuscation Strategy      Tactics
  Reduce Code Abstraction   In-line expansion, central routine dispatching
  Rearrange Code            Code interleaving
  Break Conventions         Using exceptions to transfer program control
  Encrypt Code              Use code checksums as a decryption key

Microsoft uses obfuscation to implement Kernel Patch Protection
  http://uninformed.org/index.cgi?v=3&a=3&p=4
Skype also relies heavily on obfuscation to hamper reversing
  http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf
Code Morphing is preferable, has less impact on the source base
  http://www.strongbit.com/execryptor_inside.asp
Note - encrypted routines are inherently not thread-safe

[Slide 32] Autonomy

Official Channels = Windows API = Audit Trail (Event Logs)
  Minimize the interface between rootkit and OS
  Less dependence means more stealth
  [Figure: User-Mode, Kernel-Mode and the Rootkit's position relative to them]

Countermeasure

  Rootkit         Implementation Details
  Athens Affair   Maintained its own database instance
  Deepdoor        Modified a couple of DWORDS in the NDIS data section
  Deeper Door     Established a direct channel to local NIC hardware
  Blue Pill       Hypervisor-based, lies outside of child partition

[Slide 33] Data Source Elimination (agenda slide; same outline as Slide 4)

[Slide 34] Memory-Resident Rootkits

The best way to defeat disk analysis = Never write to the disk to begin with
This strategy has so much potential that it deserves special attention

Several ways to implement (Memory-Resident Variant):
  Syscall Proxying
  Memory-Resident Development Tools
  Data Contraception
  In-Memory Library Injection
  Persistence by Re-Infection

[Slide 35] An Aside: Userland Exec Reloaded

From Earlier: Cryptors and Packers
  The stub loaded a byte stream that originally resided on disk

A Full-Blown Userland Exec
  Is essentially a stub that can load code from a memory buffer
  The buffer usually receives its byte stream from a network connection
  Sidesteps restrictions imposed by the native OS loader (e.g. disk residence)

  Implementations     Description
  Nebbett's Shuttle   Uses Win32 API to overwrite a suspended process
  ul_exec             Library that loads ELF binaries into an address space
  SHELF               Revised version of ul_exec for use in exploits

[Slide 36] Syscall Proxying

[Figure: Client Application -> Syscall Stub on the Local System; Syscall Server -> Operating System on the Remote System, with the response flowing back]
  Local System (client side): marshals request parameters; initiates syscall request; processes server response
  Remote System (server side): processes client request; invokes OS system call; marshals output parameters; returns response to client

Issues
  Network Chatter: the average application makes lots, and lots, of system calls
  Low-Level Nature of the Technique: portability becomes an issue, marshalling is a royal pain

Example
  Core Security Technologies, Core IMPACT Pen Testing Tool
  http://www.coresecurity.com/content/syscall-proxying-simulating-remote-execution

[Slide 37] Memory-Resident Tools

[Figure: the Client Application on the Local System sends Source Code to a Compiler inside the Exploited Process on the Remote System; the Machine Code it produces runs there and Results flow back]

Example
  Immunity, Inc., CANVAS Penetration Testing Tool
  Uses MOSDEF, a memory-resident C compiler that generates position independent code
  http://www.immunitysec.com/products-canvas.shtml
  http://www.immunitysec.com/downloads/MOSDEF2dot0.tar.gz

Variations
  Compiler could output bytecode to be run by an injected virtual machine
  Replace compiler by an interpreter, send it bytecode from client side

[Slide 38] Data Contraception

[Figure: the Client Application on the Local System talks to a Server (e.g. gdb, jre, gawk) running in a Process Address Space on the Remote System]

Requirements
  Use a Common Utility for the Server: minimizes the amount of forensic evidence
  Necessitates a “Smart” Client: compensates for general nature of the server

Example
  Remote Exec: built by the grugq, uses the GNU debugger and his ul_exec library
  http://www.phrack.org/issues.html?issue=62&id=8#article
  http://archive.cert.uni-stuttgart.de/bugtraq/2004/01/msg00002.html

[Slide 39] In-Memory Library Injection

[Figure: the Client Application on the Local System sends a DLL to a Server inside the Exploited Process on the Remote System, where the DLL is loaded from memory]

Implementation
  Routines used by the dynamic loader are hooked
  Enables a DLL's byte stream to be loaded from memory
  http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf

Example: Metasploit Meta-Interpreter (Meterpreter)
  Extensible remote shell that's delivered in an exploit payload
  Extensions are implemented as DLLs rather than as raw machine code
  Sam Juicer: a Meterpreter extension that dumps password hashes without disk writes

[Slide 40] Persist via Re-Infection

[Figure, steps as labelled on the slide]
  [1] Monitor listens for heartbeat
  [2] Targeted host fails to emit heartbeat
  [3] Monitor re-infects targeted host
  [4] Targeted host restarted
  0-day Exploit

Based on ideas presented by Joanna Rutkowska
  http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Rutkowska/BH-Fed-06-Rutkowska-up.pdf

Notes
  Heartbeat could be a signal transmitted over a passive covert channel (PCC)
  Don't generate any traffic of our own, merely alter existing packet streams
  http://invisiblethings.org/papers/passive-covert-channels-linux.pdf

[Slide 41] Firmware-Based Rootkits

Can also avoid the disk by hiding in firmware

Public Research
  John Heasman, http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf
  Anibal Sacco and Alfredo Ortega, http://cansecwest.com/csw09/csw09-sacco-ortega.pdf
  Darmawan Salihun, BIOS Disassembly Ninjutsu Uncovered, A-List Publishing, 2006

Commercial
  Absolute Software sells Computrace, which includes a BIOS-based persistence agent
  http://developernet.absolute.com/products-core-technology.asp
  Several OEMs have embedded this agent at the firmware level
  http://www.absolute.com/partners/bios-compatibility

Scenario: Someone figures out how to commandeer Computrace…

[Slide 42] Operational Issues (agenda slide; same outline as Slide 4)

[Slide 43] Footprint and Fault Tolerance

The Tradeoff
  Periodic shutdowns can occur even in high-end environments
  The Chicago Stock Exchange reboots its machines every evening
  http://staging.glg.com/tourwindowsntserver/CHX/pdf/tech_road.pdf
  Minimize Footprint - Sacrifice Restart Survival

Caveats
  If the value of the data warrants the necessary R&D, you can have both
  May need to balance the two based on:
    The type of environment being targeted
    The value of the data to be acquired
    The skill level of your opponent(s)

[Slide 44] Launching a Rootkit

Assuming a knowledgeable, well-armed, adversary

Preferred Vector: Install a Memory-Resident Rootkit via an Exploit
  Everything happens inside of an existing process (no need to launch a new one)
  Can avoid disk modification entirely (though traces may reside in the page file)

Less Attractive Vector: Install an Agent in the Firmware
  Firmware launches a bare-bones server that loads the rootkit proper over a socket
  Leaves a minimal amount of code on the system, in a spot that's often ignored

Least Attractive Vector: Persist Somewhere on Disk
  Initiating code will, by necessity, be naked and accessible
  You can expect that your code will, with enough effort, be discovered
  Leverage the five anti-forensic strategies with defense in depth to buy time

[Slide 45] Conclusions

Bottom Line
  State of the art anti-forensics can defeat disk analysis (perhaps this explains why this is a relatively inactive sub-field?)

Corollary
  The arms race continues in the domains of live response and NSM

Observation
  A rootkit may never use disk storage…
  But it still has to execute in memory
  And it will almost always talk to the outside

[Slide 46] For More Information

The Rootkit Arsenal, Jones & Bartlett Publishers (May 4, 2009)
ISBN-10: 1598220616

[Slide 47] Thanks and Greetings

To Security Researchers Who Shared with the Rest of Us:
David Aitel, John Aycock, Richard Bejtlich, BigBoote, Darren Bilby, Maximiliano Cáceres, Brian Carrier, Jamie Butler, James Foster, Dawid Golunski, Glyn Gowing, the grugq, Nick Harbour, John Heasman, Greg Hoglund, Alex Keller, George Ledin, Elias Levy, The Linux-NTFS project, Vinnie Liu, Mark Ludwig, Mathew Monroe, Mental Driller, NV Labs, H D Moore, Metasploit, Jeff Moss, Gary Nebbett, Matt Pietrek, Pluf, Ripe, Marc Rogers, Mark Russinovich, Joanna Rutkowska, Darmawan Salihun, Bruce Schneier, Sherri Sparks, skape, Skywing, Sven Schreiber, Alexander Tereshkin, Irby Thompson, Jarkko Turkulainen, Dmitry Vostokov

Questions?

Thank You For Your Time