
Information Security

Information Security. Rootkits. Dr. Randy M. Kaplan. What is a rootkit? Rootkits have been around for more than 10 years. A rootkit is a kit consisting of small and useful programs that allow an attacker to maintain access to "root", the user with the highest privilege.


Presentation Transcript


  1. Information Security • Rootkits • Dr. Randy M. Kaplan

  2. Rootkits • What is a Rootkit? • Been around for more than 10 years • A kit • consisting of small and useful programs that allow an attacker to maintain access to “root” • root is the user with the highest privilege

  3. Rootkits • What is a rootkit? • a set of programs and code that allows a permanent or consistent, undetectable presence on a computer • the key word in this definition is “undetectable”

  4. What Can Rootkits Do? • Rootkits can - • hide code on a system • hide data on a system • Many rootkits can - • hide files • hide directories

  5. What Can Rootkits Do? • Rootkits can - • provide remote access • eavesdrop on the user • sniff packets from the network

  6. Are Rootkits Bad? • Rootkits are not inherently bad • Not always used by the bad guys • Why?

  7. Are Rootkits Bad? • Rootkits are not inherently bad • Not always used by the bad guys • Why? • A rootkit is just a technology • Its use makes it bad or good

  8. Rootkits • Why Do Rootkits exist? • Rootkits are a relatively new phenomenon • Spying is a very old phenomenon • People want to see or control what other people are doing

  9. What are rootkits for? • Maintaining access to a system • If all you want to do is to steal something and leave - • There is no reason to leave a rootkit !!! • Risk - • Leaving a rootkit behind raises the probability of detection

  10. Sample Rootkit Commands • debugint • sniffkeys • echo <string> • ps • help • buffertest • hidedir • hideproc

  11. Legitimate Uses of Rootkits • Used by law enforcement agencies to collect evidence in an advanced bugging operation • Applies to any crime in which a computer is used • Examples of such crimes are computer trespass and creating or distributing child pornography

  12. How long have Rootkits been around? • Methods used in modern rootkits are the same methods used in viruses in the 1980s • These methods include - • modifying system tables • modifying memory • modifying program logic

  13. How long have Rootkits been around? • With the advent of Windows NT, virus writers could no longer exploit the key system tables they had relied on • This caused a lull in advanced virus technology • Virus authors were not yet targeting the new Windows kernel

  14. How long have Rootkits been around? • With the advent of the Internet - • the early Internet was dominated by UNIX servers • viruses were very uncommon on that operating system • This is when network worms were born • The famous Morris Worm was a wake-up call to the profession

  15. Hackers in the 1990’s • Hackers figure out how to exploit buffer overflows • “the nuclear bomb of all exploits” • The virus writing community did not catch on to this approach for more than a decade

  16. Hackers in the 1990’s • A hacker would - • penetrate a system • set up camp • use a freshly compromised computer to launch new attacks

  17. Hackers in the 1990’s • Once a hacker penetrated a system • she needed to maintain access • Thus, the first rootkits were born • These rootkits were backdoor programs • they used very little stealth • In some cases they replaced key system binaries with modified versions

  18. Hackers in the 1990’s • These modified versions - • hide files and processes • For example, on UNIX the program that displays directories is named ls • Suppose a hacker replaces ls with one of their own that is specially coded to never list a file named “hacker_stuff”

  19. Hackers in the 1990’s • Anytime the hacker wanted to save information they could simply save it in a file named hacker_stuff

  20. Response of the Administrators • Write programs like Tripwire • which determine whether a program has been changed since a trusted baseline was recorded • In our example a program like Tripwire could examine ls and determine it had been altered • At that point the incursion is discovered
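The Tripwire-style check described in slides 18-20, as an added example (this is not code from the lecture or from Tripwire itself): a baseline of SHA-256 digests is recorded for the "system binaries", the attacker swaps in an ls that never lists hacker_stuff, and the verifier reports the changed binary and the new file. The directory tree, the stand-in ls and ps scripts, and the trojan's grep filter are all constructed for the demonstration; a real trojaned ls would be a compiled binary, but the digest comparison works the same way.

```python
"""Tripwire-style integrity baseline and verification (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest for every regular file under root.

    Symlinks are skipped: hashing the target would let an attacker hide a
    replacement behind a link that still resolves to the genuine file.
    """
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                baseline[os.path.relpath(p, root)] = sha256_file(p)
    return baseline


def verify(root, baseline):
    """Compare the tree against a stored baseline; report every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


# Constructed stand-ins for the lecture's scenario (not real binaries).
GENUINE_LS = b'#!/bin/sh\nexec /bin/ls "$@"\n'
# The trojan: same behaviour, except the name hacker_stuff is never shown.
TROJAN_LS = b'#!/bin/sh\n/bin/ls "$@" | grep -v "^hacker_stuff$"\n'


def demo():
    """Record a baseline, let the attacker act, then verify. Returns the report."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(GENUINE_LS)
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b'#!/bin/sh\nexec /bin/ps "$@"\n')

        baseline = build_baseline(root)  # taken while the system is still clean

        # Attacker replaces ls with the hiding version and drops a loot file.
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(TROJAN_LS)
        with open(os.path.join(root, "hacker_stuff"), "wb") as f:
            f.write(b"stolen data\n")

        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. The baseline only means something if it was taken before the compromise and is stored where the attacker cannot rewrite it (read-only media, a signed file, another host); a baseline the intruder can regenerate detects nothing. And the checker trusts the kernel to return the real bytes of ls; the next slides explain why that trust fails once the attacker moves into the kernel.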

  21. The Hackers Respond (Uh-Oh) • Hackers naturally moved from the programs that are external to the operating system into the actual operating system • This core part of the operating system is called the “kernel” (The term was coined by Orville Redenbacher - can’t you hear the popping?)

  22. The Hackers Respond (Uh-Oh) • By moving into the kernel, hackers could subvert ANY security utility on the computer at the time • Trojan files were no longer needed • All stealth could be applied by modification of the kernel

  23. A Word From Orville • A kernel is a core part of an operating system • All operating systems have kernels • The kernel includes components that manage memory, schedule processes, swap between processes, and respond to interrupts • These fundamental functions, if changed, compromise the operating system

  24. How Do Rootkits Work? • Modification • a simple concept • software is designed to make specific decisions on specific data • A rootkit modifies software so that the decisions it makes are incorrect

  25. Where are modifications made? • Patching • Easter Eggs • Spyware Modifications • Source-Code Modification

  26. Where are modifications made? • Patching • Executable code consists of a series of statements encoded as data bytes • The bytes come in a very specific order • Each byte means something to the computer • An instruction or data for an instruction

  27. Where are modifications made? • Patching • The functioning of a piece of software can be changed if the sequence of bytes is changed • The technique is sometimes called patching • Similar to the idea of placing a patch of a different color fabric on a quilt

  28. Where are modifications made? • Patching • Byte patching is one of the major techniques used by “crackers” to remove software protections
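The patching idea of slides 24 and 26-28 (software makes a decision on data; change the bytes and the decision comes out wrong), as an added example that is not part of the lecture. The bytecode interpreter and its two-instruction "license check" are invented for this demonstration so that the patched program can actually be executed; the patch itself, overwriting a conditional jump with no-ops so the check is never taken, is the same move a cracker makes on a real x86 binary, where a `74 xx` (JE) typically becomes `90 90` (NOP NOP).

```python
"""Byte patching a decision out of a toy bytecode program (added example)."""

# Toy instruction set, invented for this example.
NOP, CMP_INPUT, JNE, RET = 0x00, 0x10, 0x21, 0x30


def run(code, user_input):
    """Execute the toy bytecode on one input; returns the value passed to RET."""
    pc, equal = 0, False
    while pc < len(code):
        op = code[pc]
        if op == NOP:                       # 00        do nothing
            pc += 1
        elif op == CMP_INPUT:               # 10 imm    equal = (input == imm)
            equal = user_input == code[pc + 1]
            pc += 2
        elif op == JNE:                     # 21 addr   jump to addr if not equal
            pc = code[pc + 1] if not equal else pc + 2
        elif op == RET:                     # 30 imm    return imm
            return code[pc + 1]
        else:
            raise ValueError(f"bad opcode {op:#04x} at offset {pc}")
    raise ValueError("execution fell off the end of the code")


# The "protected" program:
#   00: 10 2A   CMP_INPUT 42     ; is the entered key 42?
#   02: 21 06   JNE 06           ; wrong key -> refuse
#   04: 30 01   RET 1            ; licensed
#   06: 30 00   RET 0            ; refused
LICENSE_CHECK = bytes([CMP_INPUT, 42, JNE, 0x06, RET, 1, RET, 0])


def patch(code, pattern, replacement):
    """Locate `pattern` exactly once and overwrite it in place.

    Insisting on a unique match is what a careful patcher does: a pattern that
    occurs twice would mean patching code you have not looked at.
    """
    if len(pattern) != len(replacement):
        raise ValueError("a byte patch must not change the code size")
    i = code.find(pattern)
    if i < 0 or code.find(pattern, i + 1) >= 0:
        raise ValueError("pattern must occur exactly once")
    return code[:i] + replacement + code[i + len(pattern):]


def crack(code):
    """Replace the JNE with two NOPs so execution always falls into RET 1."""
    return patch(code, bytes([JNE, 0x06]), bytes([NOP, NOP]))


def changed_offsets(original, patched):
    """Offsets where the two images differ: the patch's footprint."""
    return [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]


if __name__ == "__main__":
    cracked = crack(LICENSE_CHECK)
    print("genuine, key 42:", run(LICENSE_CHECK, 42))
    print("genuine, key 7: ", run(LICENSE_CHECK, 7))
    print("patched, key 7: ", run(cracked, 7))
    print("bytes changed at offsets", changed_offsets(LICENSE_CHECK, cracked))
```

The footprint is two bytes, which is the point slides 20 and 24 make from opposite sides: a two-byte change is invisible to anyone eyeballing a program's behaviour on the "happy path", but it changes the file's digest just as surely as rewriting the whole binary, so an integrity check against a trusted baseline catches it.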

  29. Where are modifications made? • Easter Eggs • Software logic modifications may be built into a piece of software • A programmer may place a backdoor in a program • The back door is not documented • The software has a hidden feature

  30. Where are modifications made? • Easter Eggs • A programmer may leave something behind as a signature • That they were the one who wrote the program • Earlier versions of Microsoft Excel contained an Easter Egg that allowed a user who found it to play a Doom-like game

  31. Where are modifications made? • Spyware Modifications • Sometimes a program will modify another program to infect it with spyware • Spyware can - • track the web sites visited • Spyware may be difficult to detect

  32. Where are modifications made? • Spyware Modifications • Spyware may be difficult to detect • Some spyware will attach itself to a browser or program shell making removal very difficult

  33. Where are modifications made? • Source-Code Modification • Sometimes software is modified at the source • A programmer can insert malicious lines of source code into a program that she authors • This concern has been cited as a reason some military organizations were reluctant to adopt Linux

  34. Where are modifications made? • Source-Code Modification • Open-source projects allow - • almost anyone • including someone you don’t know • to add code to the sources

  35. Where are modifications made? • Source-Code Modification • For critical software like BIND, Apache, and Sendmail there is peer review of code • Does anyone really look at every line of the code that has been written?

  36. What a Rootkit is Not • A Rootkit is not an exploit • A Rootkit is not a virus

  37. A Rootkit is not an Exploit • The rootkit may be used in conjunction with an exploit but - • The rootkit itself is a fairly straightforward set of utility programs • The programs may use undocumented functions and methods • They typically do not depend on software bugs

  38. A Rootkit is not an Exploit • A rootkit is typically deployed after a successful software exploit • Hackers have many exploits available to them • On the other hand a hacker may only have one or two rootkit programs

  39. A Rootkit is not an Exploit • A rootkit is not an exploit BUT - • a rootkit may employ an exploit • A rootkit usually requires access to the kernel • One or more programs start when the system is booted • There are only a limited number of ways to get software into the kernel

  40. A Rootkit is not an Exploit • For example, a component of a rootkit may masquerade as a device driver • These methods can be detected forensically

  41. A Rootkit is not an Exploit • A novel way to install a rootkit is to use a software exploit • Many software exploits allow arbitrary code or third-party software to be installed • Imagine that there is a buffer overflow in the kernel that allows arbitrary code to be executed

  42. Using a Software Exploit • Kernel buffer overflows can exist in almost any device driver • On system startup a loader program can use the buffer overflow to load a rootkit • The loader program does not employ any documented methods for loading or registering a device driver or otherwise installing a rootkit

  43. Using a Software Exploit • The loader exploits the buffer overflow to install the kernel-mode parts of a rootkit • The buffer-overflow exploit is a mechanism for loading code into the kernel • Most people think of this as a bug • The rootkit developer may think of this as an undocumented feature

  44. Using a Software Exploit • Because this feature is not documented this path to the kernel is not likely to be included as part of a forensic investigation • More importantly, it won’t be protected by a host-based firewall program • It would take someone well versed in software engineering to discover something like this

  45. A Rootkit is Not a Virus • A virus program is a self-propagating automaton • A rootkit does not - • make copies of itself • have a mind of its own • A rootkit is under the control of a human attacker while a virus is not

  46. The Virus Problem • We know that a rootkit is not a virus • But - • The techniques used in a rootkit can easily be employed by a virus • When a rootkit is combined with a virus a very dangerous technology is born

  47. The Virus Problem • Understanding rootkit technology is very important for defending against viruses • Virus programmers have been using rootkit techniques for many years to “heat up” their viruses • A very dangerous trend

  48. Software Exploits • There is a strong relationship between rootkits and exploits • A rootkit may be employed as a part of an exploit tool • Software exploits are in great supply

  49. Software Exploits • A conjecture (reasonable) • At any point in time • there are more than 100 • working exploitable holes in the latest version of Microsoft Windows • (even more when a new version is released)

  50. Software Exploits • Some software bugs are found by independent researchers • These may never be reported • They are “deadly” because no one knows about them except the attacker • There is no defense against them until they are discovered and fixed
