Date posted: 24-Dec-2015
Copyright Microsoft Corp. 2006
Dhiresh Salian, Regional Information Security Manager, Microsoft Corporation
Rootkits and protection against them
Agenda
Internet Security Threat Report*
Understanding the landscape
Rootkits defined
Root problem
Types of rootkits
Defending against rootkits
Rootkits in the limelight
Microsoft Ghostbuster (Strider)
Recap
* Symantec Internet Security Threat Report Vol. VIII
Internet Security Threat Report
Key findings
Attackers motivated by financial gain
Traditional perimeter defenses are not enough
Web applications and web browsers increasingly targeted
Bot networks again on the rise: bot network activity increased 143% over the last reporting period
DoS attacks grew 680%, to an average of 927 attacks per day
59% of all vulnerabilities reported to Symantec were web application vulnerabilities
Most vulnerable web browser: the Mozilla family (25 vulnerabilities)
Internet Security Threat Report
Changing trends
10,866 new virus and worm variants, a 48% increase over the previous reporting period
The number of new viruses and worms is slowing; the number of variants of them is growing
Changing threat landscape: motivated by financial gain
Bot networks for rent
GPcoder Trojan (encrypts the victim's files and demands payment)
Internet Security Threat Report
Changing trends
Mobile malicious code: advent of the first MMS worm, Commwarrior
Skulls Trojan: affects Symbian
Additional security risks
Phishing messages: volume grew from 2.9 million a day to 5.7 million a day
1 out of every 125 messages is a phishing attack
General trend away from hacking for fame towards hacking for fortune
An identity theft ring was able to net over $2M in one instance (FBI)
Internet Security Threat Report
Additional security risks
Average percentage of email that is spam: 61%
Spammers use bots to try to obscure their actual location
Adware and spyware
Shotathome agent accounted for 19% of adware reported
Webenhancer: most reported spyware, accounting for 29%
Concerns over their installation, end user licensing agreement (EULA), updating and removal
Understanding the landscape
[Figure: attacker motivation plotted against attacker skill]
Motivation axis: Curiosity, Personal fame, Personal gain, National interest
Skill axis: Script-kiddy, Hobbyist, Hacker, Expert, Specialist
Attacker profiles on the chart: Vandal, Trespasser, Author, Thief, Spy
Tools created by experts are now used by less skilled attackers and criminals
"Fastest growing segment" (figure label)
Rootkits defined
Rootkit definition (as per Symantec):
"Rootkit: A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine. Actions performed by a rootkit, such as installation and any form of code execution, are done without end user consent or knowledge.
Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to provide an undetectable environment for malicious code to execute. Attackers will typically leverage vulnerabilities in the target machine, or use social engineering techniques, to manually install rootkits. Or, in some cases, rootkits can be installed automatically upon execution of a virus or worm or simply even by browsing to a malicious website.
Once installed, an attacker can perform virtually any function on the system to include remote access, eavesdropping, as well as hide processes, files, registry keys and communication channels."
Root problem
Common on UNIX platforms; rootkits on the Windows OS are a recent phenomenon
Classic approach: trojanize key system files
In Windows: a different approach
  Registers with the OS and intercepts program requests made to the standard Windows APIs
  Since it intercepts system calls and filters the results, anti-malware tools that query the system through those same APIs see only the filtered view and are not effective
Root problem
In Unix: replaces standard Unix system binaries such as ps
Some rootkits are more sophisticated: they add their own code to every process currently running on the computer
Some rootkits use a polymorphic wrapper that constantly changes the appearance of the spyware file; very difficult for anti-spyware/anti-malware programs to detect
How does a rootkit infect anyone? The same way as other malware: a malicious web site, someone copying it directly onto your computer, or a trojan
Types of rootkits
File or user-level rootkits
  Basic type of rootkit; operates at the application level
  Intercepts the standard user-mode APIs
  Can run under a lower-privilege user account
  Legitimate program replaced with a trojaned version
  Files usually trojanized: login, ls, ps, find, who, netstat
  Targets the tools usually used by administrators
Kernel-level rootkits
  More advanced and difficult to detect
  Operate at the kernel level; live in kernel mode as a device driver
  Require administrator-level access
  Do not modify system files, so file integrity checkers will not detect them
  Attacker can intercept system calls
  Operate at lower levels within the Windows architecture
Types of rootkits (cont'd)
Kernel-mode data structure manipulation
  Instead of hooking APIs it alters the kernel's own data structures (for example, unlinking a process from the active process list)
  Requires admin privileges
  Can cause crashes and hence can be detected
  More advanced variations are possible; example: FU
Process hijacking
  Hides inside a legitimate process
  Code sits inside the legitimate process
  Doesn't survive a reboot
  Extremely hard to detect
  Code Red used this stealth technique
Windows architecture
[Figure: Windows architecture, user mode above kernel mode, with the rootkit hook points marked]
User mode
  System processes: Session Manager, Winlogon, Service Control Manager (Services.exe), LSASS
  Services
  Applications: Task Manager, Explorer, user applications
  NTDLL.DLL: user-mode rootkit hooks
Kernel mode
  Kernel-mode callable interfaces: I/O Manager, Security Reference Monitor, Processes & Threads, Config Manager (registry)
  Device & file system drivers
  Kernel: kernel-mode rootkit hooks
  Hardware Abstraction Layer
Defending against rootkits
All stealth mechanisms used by rootkits have holes
  Cloaking is not possible when the OS is offline
  Induces system anomalies
  Leaves some APIs unfiltered
Simple way of detecting rootkits: compare offline and online scans with WinDiff
Most effective defense: nail it before it gets installed
  Up-to-date security practices
  Good email practices
  Virus protection
Rootkit detection tools: a standard part of the security toolkit
Defending against rootkits
File or user-level rootkits
  Cross-view: query through the kernel-mode API and compare with the user-mode API results
  Creating message digests of system files and comparing them against a known-good baseline
  Using tools like Tripwire
  Other programs: chkrootkit (Unix, Linux), Data Sentinel (Windows)
Kernel-level rootkits
  Proper defense mechanisms
  LPA: least privilege access
  Differences between offline and online scans
  Other tools: Microsoft AntiSpyware, RootkitRevealer from Sysinternals, BlackLight from F-Secure
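The message-digest approach above, as an added example that is not part of the original deck: a small Tripwire-style integrity checker in Python. It records a SHA-256 manifest of a directory tree, later rebuilds the manifest and diffs it against the baseline, flagging a replaced binary and a newly added file. The bin layout, the file contents and the "trojanized ps" scenario are constructed for the demonstration.

```python
"""Tripwire-style integrity baseline for catching user-level (file-replacing) rootkits.

Added example, not code from the original deck. The directory layout and file
contents in demo() are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path, '/' separated) to its digest and size."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are not followed; the target file is hashed on its own
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return manifest


def compare_manifests(baseline, current):
    """Report files whose content changed, files that vanished, and files that appeared."""
    modified = sorted(p for p in baseline if p in current
                      and baseline[p]["sha256"] != current[p]["sha256"])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def save_manifest(manifest, path):
    # Keep the baseline on read-only or off-host media: a rootkit with admin
    # rights on the same box can simply rewrite a baseline stored locally.
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a fake bin directory, then 'trojanize' ps and drop a hidden file."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for tool in ("ls", "ps", "netstat"):
            with open(os.path.join(bin_dir, tool), "wb") as fh:
                fh.write(b"#!/bin/sh\nexec /real/" + tool.encode() + b" \"$@\"\n")
        baseline_path = os.path.join(root, "baseline.json")  # outside the tree being hashed
        save_manifest(build_manifest(bin_dir), baseline_path)

        # Attacker replaces ps with a version that filters its own process out of
        # the listing, and adds a hidden configuration file alongside it.
        with open(os.path.join(bin_dir, "ps"), "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /real/ps \"$@\" | grep -v rk_daemon\n")
        with open(os.path.join(bin_dir, ".rk_config"), "wb") as fh:
            fh.write(b"hide=rk_daemon\n")

        return compare_manifests(load_manifest(baseline_path), build_manifest(bin_dir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the script prints ps under "modified" and .rk_config under "added". The check only works against user-level rootkits: a kernel-level rootkit that filters file reads hands the hasher the original bytes (the "integrity checkers will not detect" point above), so against those the manifest has to be rebuilt from a clean boot of the same disk.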
Malware/spyware/rootkit tools
Sigcheck (www.sysinternals.com)
MSConfig.exe
Autoruns (www.sysinternals.com)
Process Explorer (www.sysinternals.com)
RootkitRevealer (www.sysinternals.com)
Rootkits in the limelight
ContextPlus, Inc., makers of the Apropos and PeopleOnPage adware programs
  Apropos, a spyware program, collects users' browsing habits and system information and reports back to the ContextPlus servers
  The data is used to serve targeted pop-up advertisements while the user is surfing the web
  Sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes
FU rootkit: extremely widespread in 2005
  FU is limited to hiding processes, elevating process privileges and faking out the Windows Event Viewer
  FU was among the top five pieces of malware deleted by Microsoft's free Windows Malicious Software Removal Tool
Rootkits in the limelight
Hacker Defender: a user-mode rootkit
  Author: "Holy Father"
  Hides many things: files, processes, services, registry values, ports
  Able to hook the logon API to capture passwords
  You can pay the developers ($100-$900) for a custom version built to evade detectors
Rootkits in the limelight
Customized Hacker Defender
Rootkits in the limelight
Symantec Corp. admitted using a rootkit-type feature in Norton SystemWorks
  Hides a directory from the Windows APIs, to stop customers from accidentally deleting files
  Norton SystemWorks' Norton Protected Recycle Bin uses a directory called NProtect that is hidden from the Windows APIs; because it is hidden, files in the NProtect directory might not be scanned during virus scans
  Symantec recommends that SystemWorks users update the product immediately to ensure greater protection
Rootkits in the limelight
Sony BMG's DRM rootkit
  Rootkit-like cloaking techniques used in the First 4 Internet DRM software Sony ships on its CDs
  Extended Copy Protection (XCP) is a CD/DVD copy protection technology created by First 4 Internet Ltd
  The software is designed to prevent protected CDs from being played with anything other than the included media player
  The DRM software hides files, processes and registry keys
  The DRM service is named "Plug and Play Device Manager"
  The DRM software hides its information by modifying the execution path of several Native API functions
  Comes with no uninstall feature
  The EULA does not mention the cloaking, nor that there is no uninstaller
  You need to open a support call to uninstall the rootkit, with the possibility of crashing the computer
Demo: malware detection tools
Rootkits in the limelight
Detecting the Sony DRM rootkit
Microsoft Ghostbuster (Strider)
Clever prototype developed by Microsoft
Detects arbitrary persistent and stealthy software, such as rootkits, Trojans and software keyloggers
How does it work?
  The checker runs inside the suspect OS: it stops all services, flushes caches and checksums the file system
  The machine then boots from the CD and the same checksum is taken again
  The two results are compared; anything present offline but missing online was hidden by the running OS
How to fool Ghostbuster?
  Detect that such a checking program is running and either stop lying to it (unhide temporarily) or alter its output as it's written to disk
  Integrate into the BIOS rather than the OS
  Give up on either being persistent or being stealthy
Microsoft Ghostbuster (Strider)
Effective against keyloggers: type keystrokes during the first scan; this increases the size of the keylogger's log, and the growth shows up in the clean scan
To detect non-stealth malware, compare the file output with a known-good list
Compute a cryptographic hash of every file on the infected disk and match it against the Strider Known-* database
[Figure: the three-step Ghostbuster scan]
Step 1: infected boot; run "dir /s /a" on the infected drive to produce the infected scan
Step 2: clean boot from the WinPE CD; run "dir /s /a" on the same drive to produce the clean scan
Step 3: WinDiff the two scans; the files hidden by the rootkit are those in the clean scan that are missing from the infected scan
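The three-step cross-view procedure above (and the kernel-mode versus user-mode API comparison in the user-level defenses slide), as an added example in Python that is not Strider's code and not part of the original deck: a parser for "dir /s /a" output and a diff that lists every entry present in the clean (offline) scan but absent from the infected (online) scan. The two listings, every path in them and the driver name cloak.sys are constructed; the entry-line format assumes the US-locale dir output shown in the sample.

```python
"""Ghostbuster-style cross-view diff of two "dir /s /a" listings.

Added example, not code from the original deck or from the Strider project. The
two listings below are constructed: INFECTED_SCAN is the view from inside the
running OS, CLEAN_SCAN the view of the same volume after booting clean media.
"""
import re

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# dir entry line: date, time (with or without AM/PM), then <DIR> or a byte size, then the name.
ENTRY = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+(?:AM|PM)?\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


def parse_dir_listing(text):
    """Return {lower-cased full path: ('dir'|'file', size_bytes)} for a 'dir /s /a' dump."""
    entries = {}
    current = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current = header.group("path").rstrip("\\")
            continue
        entry = ENTRY.match(line)
        if entry and current is not None:
            name = entry.group("name")
            if name in (".", ".."):
                continue
            size = entry.group("size")
            kind = "dir" if size == "<DIR>" else "file"
            nbytes = 0 if kind == "dir" else int(size.replace(",", ""))
            entries[(current + "\\" + name).lower()] = (kind, nbytes)
    return entries


def cross_view_diff(infected_scan, clean_scan, ignore_prefixes=()):
    """Compare the online (infected) view with the offline (clean) view of the same volume."""
    infected = parse_dir_listing(infected_scan)
    clean = parse_dir_listing(clean_scan)
    ignored = tuple(p.lower() for p in ignore_prefixes)

    def keep(path):
        return not path.startswith(ignored)

    return {
        # On disk but invisible to the running OS: rootkit-hidden candidates.
        "hidden": sorted(p for p in clean if p not in infected and keep(p)),
        # Seen online but gone offline: usually volatile files (temp, logs), i.e. noise.
        "ghost": sorted(p for p in infected if p not in clean and keep(p)),
        # Same path but a different size or type between the two views.
        "changed": sorted(p for p in clean if p in infected and clean[p] != infected[p] and keep(p)),
    }


# Constructed sample: inside the infected OS, system32 shows only two files.
INFECTED_SCAN = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\WINDOWS\\system32

10/25/2005  03:40 PM    <DIR>          .
10/25/2005  03:40 PM    <DIR>          ..
08/04/2004  12:00 PM          14,336  ntdll.dll
08/04/2004  12:00 PM       1,032,192  kernel32.dll
               2 File(s)      1,046,528 bytes

 Directory of C:\\WINDOWS\\Temp

10/25/2005  03:41 PM    <DIR>          .
10/25/2005  03:41 PM    <DIR>          ..
10/25/2005  03:41 PM             512  tmp1234.tmp
               1 File(s)            512 bytes
"""

# Constructed sample: the clean boot sees the driver and directory the rootkit was hiding,
# and the temp file the running OS had created is gone.
CLEAN_SCAN = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\WINDOWS\\system32

10/25/2005  03:40 PM    <DIR>          .
10/25/2005  03:40 PM    <DIR>          ..
08/04/2004  12:00 PM          14,336  ntdll.dll
08/04/2004  12:00 PM       1,032,192  kernel32.dll
10/20/2005  09:12 AM          20,480  cloak.sys
10/20/2005  09:12 AM    <DIR>          hiddenroot
               3 File(s)      1,067,008 bytes

 Directory of C:\\WINDOWS\\system32\\hiddenroot

10/20/2005  09:12 AM    <DIR>          .
10/20/2005  09:12 AM    <DIR>          ..
10/20/2005  09:12 AM           4,096  config.dat
               1 File(s)          4,096 bytes

 Directory of C:\\WINDOWS\\Temp

10/25/2005  03:41 PM    <DIR>          .
10/25/2005  03:41 PM    <DIR>          ..
               0 File(s)              0 bytes
"""


def demo():
    return cross_view_diff(INFECTED_SCAN, CLEAN_SCAN)


if __name__ == "__main__":
    for label, paths in demo().items():
        print(label, paths)
```

The "hidden" list is the finding; the "ghost" list is the noise the slide's "stop all services, flush caches" step exists to minimise, and ignore_prefixes lets you drop known-volatile trees such as C:\WINDOWS\Temp from both lists. Paths are compared case-insensitively because NTFS is, and dates are deliberately not compared, since the two scans run at different times.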
Microsoft Ghostbuster (Strider)
Characteristics of the Ghostbuster scan
  Deterministically, efficiently and effectively detects today's file-hiding software
  Helps computer users regain trustworthy file-query operations and forces malware programs to give up file hiding, and therefore always expose themselves to the Gatekeeper ASEP scan and anti-virus-style known-bad signature-based scans
  Does not require known-bad signatures, hence no signature updates
  Assumes that any data gathered through any apps or OS components running inside an infected OS cannot be trusted
Recap
Rootkit definition
Rootkit defense: defense in depth
  Multilayered approach
  Secure your perimeter and protect your internal clients
  Patch updates
  Security awareness
  No-execute (NX) hardware support
  Usage of DEP
  Firewalled internal zones and desktops
  Usage of anti-spyware and antivirus software
  Messaging hygiene (FrontBridge and Sybari Antigen)
  LPA: running as non-admin
Recap
Rootkit defense
  Anti-spyware kit: Microsoft AntiSpyware, RootkitRevealer, RKDetect, F-Secure BlackLight, chkrootkit
  Other tools for malware detection and investigation: Sigcheck, Autoruns and Process Explorer
  If infected: format and reinstall
Resources
Microsoft AntiSpyware: http://www.microsoft.com/athome/security/spyware/software/default.mspx
Malicious Software Removal Tool: http://www.microsoft.com/security/malwareremove/default.mspx
Sysinternals: www.sysinternals.com
© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.