Page 1: Copyright Microsoft Corp. 2006 Dhiresh Salian Regional Information Security Manager Microsoft Corporation. Rootkits and protection against them.

Copyright Microsoft Corp. 2006

Dhiresh Salian
Regional Information Security Manager
Microsoft Corporation

Rootkits and protection against them.

Page 2

Agenda

Internet Security Threat Report*
Understanding the Landscape
Rootkits – Defined
Root Problem
Types of Rootkits
Defending against Rootkits
Rootkits in Limelight
Microsoft Ghostbuster – Strider
Recap

* Symantec Internet Security Threat Report Vol. VIII

Page 3

Internet Security Threat Report

Key Findings
  Attackers motivated by financial gains
  Traditional perimeter defenses not enough
  Web applications and Web browsers increasingly targeted
  BOT networks again on the rise
    BOT network activity increased 143% over the last reporting period
  DOS attacks grew 680% to an average of 927 attacks per day
  59% of all vulnerabilities reported to Symantec were web application vulnerabilities
  Web browser most vulnerable – Mozilla family (25)

Page 4

Internet Security Threat Report

Changing Trends
  10,866 new virus and worm variants, representing a 48% increase over the previous reporting period
  The number of new viruses and worms is slowing; variants of them are growing
  Changing threat landscape: motivated by financial gain
    BOT networks for rent
    GPcoder Trojan

Page 5

Internet Security Threat Report

Changing Trends
  Mobile malicious code: advent of the first MMS worms
    Commwarrior
    Skulls Trojan – affects Symbian
Additional Security Risks
  Phishing messages: volume grew from 2.9 million a day to 5.7 million a day
  1 out of every 125 messages is a phishing attack
  General trend away from hacking for fame to hacking for fortune
  Identity theft ring was able to net over $2M in one instance (FBI)

Page 6

Internet Security Threat Report

Additional Security Risks
  Average percentage of email that is spam is 61%
  Spammers use BOTs to try and obscure their actual location
Adware and Spyware
  Shotathome agent accounted for 19% of adware reported
  Webenhancer: most reported spyware, accounting for 29%
  Concern over their installation, end user licensing agreement (EULA), updating and removal

Page 7

Understanding the Landscape

(Diagram: attacker motivation plotted against attacker skill.)
Motivation axis: National Interest, Personal Gain, Personal Fame, Curiosity
Skill axis: Script-Kiddy, Hobbyist, Hacker, Expert, Specialist
Attacker types: Vandal, Thief, Spy, Trespasser, Author
Annotations: "Tools created by experts now used by less skilled attackers and criminals"; "Fastest growing segment"

Page 8

Rootkits - Defined

Rootkit Definition (as per Symantec):

"Rootkit: A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine. Actions performed by a rootkit, such as installation and any form of code execution, are done without end user consent or knowledge.

Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to provide an undetectable environment for malicious code to execute. Attackers will typically leverage vulnerabilities in the target machine, or use social engineering techniques, to manually install rootkits. Or, in some cases, rootkits can be installed automatically upon execution of a virus or worm or simply even by browsing to a malicious website.

Once installed, an attacker can perform virtually any function on the system to include remote access, eavesdropping, as well as hide processes, files, registry keys and communication channels."

Page 9

Root Problem

Common on UNIX platforms; rootkits on the Windows OS are a recent phenomenon.
  Trojanize key system files.
In Windows: a different approach
  Registers with the OS and intercepts program requests made to standard Windows APIs
  Since it intercepts system calls and filters the results, anti-malware tools are not effective.

Page 10

Root Problem

In Unix: replaces standard Unix system files like ps
Some rootkits are more sophisticated: they add their own code to every process currently running on a computer.
Some rootkits use a polymorphic wrapper that constantly changes the appearance of the spyware file. Very difficult to detect by anti-spyware/malware programs.
How does a rootkit infect anyone? The same way as other malware: a malicious Web site, someone copying it directly onto your computer, or through trojan means.

Page 11

Types of Rootkits

File or User Level Rootkits
  Basic type of rootkit – operates at application level
  Intercepts standard user mode APIs
  Can affect users with lower privilege
  Legitimate program replaced with a Trojaned version.
  Common files usually trojanized are login, ls, ps, find, who, netstat
  Targets files usually used by administrators
Kernel Level Rootkits
  More advanced and difficult to detect
  Operate at kernel level; live in kernel mode as a device driver
  Require administrator level access.
  Do not modify system files – integrity checkers will not be able to detect them.
  Attacker can intercept system calls
  Operate at lower levels within the Windows architecture

Page 12

Types of Rootkits (cont'd)

Kernel mode data structure manipulation
  Instead of attacking APIs it attacks data structures
  It requires admin privileges
  It can cause crashes and hence can be detected
  More advanced variations possible. Example: FU
Process Hijacking
  Hide inside a legitimate process
  Code sits inside the legitimate process
  Doesn't survive reboot
  Extremely hard to detect
  Code Red used this stealth technique.

Page 13

Windows Architecture

(Diagram of the Windows architecture, marking where rootkits hook.)
User Mode: System Processes (Session Manager, Winlogon, LSASS, Services.exe, Service Control Manager), Services, Applications (Explorer, Task Manager, user applications)
NTDLL.DLL
Kernel Mode: kernel mode callable interfaces – I/O Manager, Security Reference Monitor, Processes & Threads, Config Manager (registry); Device & File System Drivers; Kernel; Hardware Abstraction Layer

NTDLL.DLL – user mode rootkit hooks
Kernel – kernel mode rootkit hooks

Page 14

Defending against Rootkits

All stealth mechanisms used by rootkits do have holes
  Cloaking is not possible when the OS is offline
  Induces system anomalies
  Leaves some APIs unfiltered
Simple way of detecting rootkits – comparing offline and online WinDiff results.
Most effective defense: nail it before it gets installed.
  Up-to-date security practices
  Good email practices
  Virus protection
  Rootkit detection tools: standard part of the security toolkit.

Page 15

Defending against Rootkits

File or User-level Rootkits
  Using the kernel mode API and comparing this with user mode API results
  Creating message digests
  Using tools like Tripwire
  Other programs – Chkrootkit (Unix, Linux), Data Sentinel (Windows)
Kernel-level Rootkits
  Proper defense mechanisms
  LPA: Least Privilege Access
  Difference in offline – online scans
  Other tools: Microsoft's antispyware, RootkitRevealer from Sysinternals; BlackLight from F-Secure

Page 16

Malware/Spyware/Rootkit Tools

Sigcheck (www.sysinternals.com)
MSConfig.exe
Autoruns (www.sysinternals.com)
Process Explorer (www.sysinternals.com)
RootkitRevealer (www.sysinternals.com)

Page 17

Rootkits in Limelight

ContextPlus, Inc., makers of the Apropos and PeopleOnPage adware programs.
  Apropos, a spyware program, collects users' browsing habits and system information and reports back to the ContextPlus servers
  Data used to serve targeted pop-up advertisements while the user is surfing the Web
  Sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes
FU rootkit extremely widespread in 2005
  FU only hides processes, elevates process privileges, and fakes out the Windows Event Viewer.
  FU among the top five pieces of malware deleted by Microsoft's free Windows Malicious Software Removal Tool.

Page 18

Rootkits in Limelight

Hacker Defender
  A user mode rootkit
  Author – "Holy Father"
  Hides many things: files, processes, services, registry values, ports
  Is able to hook into the logon API to capture passwords
  You can pay the developers money ($100-$900) for a custom version of the software to avoid detectors

Page 19

Rootkits in Limelight

Customized Hacker Defender

Page 20

Rootkits in Limelight

Symantec Corp. admitted using a rootkit-type feature in Norton SystemWorks
  Hides a directory from Windows APIs: to stop customers from accidentally deleting files
  Norton SystemWorks' Norton Protected Recycle Bin has a directory called NProtect that is hidden from Windows APIs. Since it is, files in the NProtect directory might not be scanned during virus scans
  Norton recommends SystemWorks users update the product immediately to ensure greater protection

Page 21

Rootkits in Limelight

Sony BMG's DRM rootkit
  Rootkit-like cloaking techniques used in the First 4 Internet DRM software Sony ships on its CDs
  Extended Copy Protection (XCP) is a CD/DVD copy protection technology created by First 4 Internet Ltd
  Software is designed to prevent protected CDs being played with anything other than an included media player
  DRM software will hide files, processes and registry keys
  DRM service named as Plug and Play Device Manager
  The DRM software hides its information by modifying the execution path of several Native API functions
  Comes with no uninstall feature
  EULA does not mention this cloaking or an uninstall feature
  Need to open a support call to uninstall the rootkit – possibility of crashing the computer

Page 22

Demo: Malware detection tools

Page 23

Rootkits in Limelight

Detecting the Sony DRM rootkit

Page 24

Microsoft Ghostbuster - Strider

Clever prototype developed by Microsoft.
It detects arbitrary persistent and stealthy software, such as rootkits, Trojans, and software keyloggers
How does it work?
  The checker runs, stopping all services and flushing caches, and computes a checksum
  The machine then boots from the CD and computes the same checksum again.
How to fool Ghostbuster?
  Detect that such a checking program is running and either lie to it or change the output as it's written to disk
  Integrate into the BIOS rather than the OS
  Give up on either being persistent or stealthy.

Page 25

Microsoft Ghostbuster - Strider

Effective against keyloggers – add key strokes to the first scan. This will increase the size of the keylogger's log, which will be detected by the clean scan
To detect non-stealth malware – compare the file output with a known good list.
Compute a cryptographic hash of every file on the infected disk and match it against the Strider Known-* Database

(Diagram of the Ghostbuster scan:)
Step #1: Infected boot – "dir /s /a" infected scan of the infected drive
Step #2: Clean boot from WinPE CD – "dir /s /a" clean scan of the same drive
Step #3: WinDiff the two listings – files hidden by the rootkit
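The three steps above as an added Python example (not part of the Strider/Ghostbuster prototype or of the slides): it parses two `dir /s /a` listings, one taken inside the suspect OS and one after a clean boot, and diffs them the way Step #3 does with WinDiff, which is also the offline-versus-online comparison the "Defending against Rootkits" slides recommend. The listings, file names and the US-locale `dir` output format are constructed assumptions for the example.

```python
import re
from typing import Dict, List

# One entry line of "dir /s /a" output in the US-locale format (date,
# 12-hour time, size or <DIR>, name). Other locales differ; this pattern
# is an assumption of the example, not something the slides specify.
ENTRY_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)
# Header line that precedes each directory's block of entries.
DIR_HEADER_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")


def normalise(path: str) -> str:
    """Drop the drive letter and fold case: the clean boot usually mounts the
    suspect volume under another letter, and NTFS paths are case-insensitive."""
    return re.sub(r"^[A-Za-z]:", "", path).rstrip("\\").lower()


def parse_dir_listing(text: str) -> Dict[str, str]:
    """Map each normalised full path to its size ('<DIR>' for directories)."""
    entries: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current = normalise(header.group("path"))
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            name = entry.group("name")
            if name in (".", ".."):  # self/parent links carry no information
                continue
            entries[f"{current}\\{name.lower()}"] = entry.group("size")
    return entries


def cross_view_diff(live: Dict[str, str], clean: Dict[str, str]) -> Dict[str, List[str]]:
    """Step #3: whatever the clean (offline) view lists and the live view does
    not was hidden from the running OS. Paths both views list with different
    sizes are flagged too, since a filter that rewrites results rather than
    dropping them shows up there instead of as a missing entry."""
    hidden = sorted(p for p in clean if p not in live)
    size_mismatch = sorted(p for p in clean if p in live and clean[p] != live[p])
    return {"hidden": hidden, "size_mismatch": size_mismatch}


# Constructed sample output. Step #1: listing taken inside the suspect OS.
LIVE_SCAN = r"""
 Volume in drive C has no label.
 Directory of C:\Windows\system32\drivers

10/18/2005  09:15 PM    <DIR>          .
10/18/2005  09:15 PM    <DIR>          ..
08/04/2004  12:00 PM            42,368 legit_driver.sys
08/04/2004  12:00 PM            16,384 win_helper.dll
               2 File(s)         58,752 bytes
"""

# Step #2: the same volume listed after booting clean media (mounted as D:).
CLEAN_SCAN = r"""
 Directory of D:\Windows\system32\drivers

10/18/2005  09:15 PM    <DIR>          .
10/18/2005  09:15 PM    <DIR>          ..
08/04/2004  12:00 PM            42,368 legit_driver.sys
10/18/2005  09:15 PM             5,632 rk_hidden.sys
08/04/2004  12:00 PM            20,480 win_helper.dll
10/18/2005  09:15 PM    <DIR>          rk_hidden
               3 File(s)         68,480 bytes

 Directory of D:\Windows\system32\drivers\rk_hidden

10/18/2005  09:16 PM             1,024 config.dat
               1 File(s)          1,024 bytes
"""

if __name__ == "__main__":
    result = cross_view_diff(parse_dir_listing(LIVE_SCAN), parse_dir_listing(CLEAN_SCAN))
    for path in result["hidden"]:
        print("hidden from the live OS:", path)
    for path in result["size_mismatch"]:
        print("size differs between views:", path)
```

A file that appears in both views with identical size is not proof of a clean file; it only means no file-hiding filter was active for it, which is why the slides pair this diff with hashing against a known-good database.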

Page 26

Microsoft Ghostbuster - Strider

Characteristics of Ghostbuster Scan
  Deterministically, efficiently, and effectively detect today's file-hiding software;
  It will help computer users gain back trustworthy file-query operations and force malware programs to give up file hiding and therefore always expose themselves to Gatekeeper ASEP scan and anti-virus-style known-bad signature-based scans
  Does not require known-bad signatures, hence no signature updates
  Assumes that any data gathered through any apps or OS components running inside an infected OS cannot be trusted.

Page 27

Recap

Rootkit - Definition
Rootkit Defense
  Defense in Depth
  Multilayered approach
  Secure your perimeter and protect your internal clients
  Patch updates
  Security awareness
  No-execute hardware support
  Usage of DEP
  Firewalled internal zones and desktops
  Usage of antispyware and antivirus software
  Messaging hygiene (Frontbridge and Sybari Antigen)
  LPA: Running as non-admin

Page 28

Recap

Rootkit Defense
  Antispyware kit: Microsoft Antispyware, RootkitRevealer, RKDetect, F-Secure BlackLight, Chkrootkit
  Other tools for malware detection and investigation – Sigcheck, Autoruns and Process Explorer
  If infected – format and reinstall

Page 29

Resources

Microsoft Anti Spyware - http://www.microsoft.com/athome/security/spyware/software/default.mspx
Malicious Software Removal Tool - http://www.microsoft.com/security/malwareremove/default.mspx
Sysinternals – www.sysinternals.com

Page 30

© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.