Root Kits and Windows Hardening Team BAM! Scott Amack, Everett Bloch, Maxine Major
Overview • What is a rootkit? • Types of rootkits • Rootkit history • Rootkit tools & removal • Rootkit demonstration • Windows Hardening • Microsoft Security Essentials (MSE)
What is a “rootkit” ?? “… originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access.”(Wikipedia)
What is a “rootkit” ?? Current definition: A rootkit is designed to hide the existence of certain processes or programs from normal methods of detection. (Wikipedia)
History of Rootkits Brain Virus (1968) • First documented computer virus • Used cloaking techniques to hide itself • Intercepted attempts to read the boot sector and redirected them to the area of the disk where copies of the original boot sector were kept.
History of Rootkits C compiler exploit (1983) • Described by Ken Thompson of Bell Labs (one of the creators of Unix) • Subverted the C compiler by recompiling it with two Trojan horses
History of Rootkits C compiler exploit (1983) • First, the compiler detected attempts to compile the “login” command • The resulting login would accept the user’s correct password and also one that the attacker specified • This allowed the attacker to log into any account on the system
History of Rootkits C compiler exploit (1983) • Second, the compiler detected attempts to recompile itself • It inserted the same Trojans into the new compiler • Inspection of the source would not reveal any malicious code. Taken together, these two Trojans are equivalent to a rootkit.
History of Rootkits Earliest known rootkit (1990) • Written by Lane Davis and Steven Dake • Targeted SunOS UNIX operating system
History of Rootkits NTRootkit (1999) • First malicious rootkit for Windows NT • Created by Greg Hoglund • Implemented as a Trojan • Used OS hooks to conceal presence (McAfee)
History of Rootkits HackerDefender (2003) • First rootkit targeting Mac OS X • Used OS hooks to conceal presence (McAfee)
History of Rootkits Greek wiretapping (2004-2005), AKA “Greek Watergate” • Targeted mobile phones of important Greek government members and civil servants • Rootkit targeted the telephone exchange • Patched the exchange’s memory, audit log, active processes, and active data blocks
History of Rootkits Greek wiretapping (2004-2005), AKA “Greek Watergate” • Modified the data block checksum verification command • A backdoor allowed an operator with sysadmin status to access surveillance information and to install rootkit updates • Rootkit discovered after an update prevented SMS messages from being delivered • Identity of the perpetrators is still unknown
History of Rootkits Sony BMG (2005) • Published CDs with the copy protection software Extended Copy Protection, created by First 4 Internet • Software included a music player that silently installed a rootkit to hide files whose names started with $sys$ • Discovery of this rootkit led to malware taking advantage of affected systems
History of Rootkits RootkitRevealer (2006) • Created by Mark Russinovich • Windows rootkit discovery software • Identifies Windows Registry and file system API discrepancies, which may indicate the presence of a rootkit
History of Rootkits Stuxnet (2010) • First to target programmable logic controllers (PLC) (Wikipedia)
History of Rootkits Ubisoft DRM (2012) • Ubisoft’s game DRM used an internet connection to ensure any game played was legal • Created a backdoor allowing continued privileged access to the user’s machine • Ubisoft: “…not a rootkit.” Just a “coding error” • Hanlon’s Razor: “Never attribute to malice that which is adequately explained by stupidity.” (Geek, lazygamer)
Types of Rootkits • Persistent Rootkits • Memory-Based Rootkits • User-mode Rootkits • Kernel-mode Rootkits (Windows Sysinternals)
Types of Rootkits Persistent Rootkits • Malware activates each time the system boots • Stores code in a persistent store, such as the Registry or file system • Configures a method by which the code executes without user intervention
Types of Rootkits Memory-Based Rootkits • Has no persistent code • Does not survive a reboot
Types of Rootkits User-mode Rootkits • Attempt to evade detection: • The Windows native API is the interface between user-mode clients and kernel-mode services • Sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API • This prevents detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration
Types of Rootkits Kernel-mode Rootkits • Can intercept the native API and directly manipulate kernel-mode data structures • Hide the presence of malware processes by removing the process from the kernel’s list of active processes • The malware process will not appear in process management tools like Task Manager or Process Explorer
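The cross-view check behind the detection approach in the two slides above, as an added example that is not part of the original deck: a constructed Python model of a kernel where each process record sits both in a doubly-linked active-process list (what a Task Manager-style walk enumerates) and in a PID lookup table. A DKOM-style kernel-mode rootkit unlinks its record from the list only, so diffing a PID-space sweep against the list walk reveals the hidden process; the same diff of two views is what exposes a user-mode rootkit that filters API results. All structure and process names are assumptions for the model, not Windows internals or real data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Process:
    pid: int
    name: str
    prev: Optional["Process"] = None
    next: Optional["Process"] = None


class KernelSnapshot:
    """Constructed model: a circular process list plus a PID table."""

    def __init__(self) -> None:
        self.head = Process(-1, "<list head>")      # sentinel node
        self.head.prev = self.head.next = self.head
        self.pid_table: Dict[int, Process] = {}     # PID -> record

    def create(self, pid: int, name: str) -> Process:
        p = Process(pid, name, prev=self.head.prev, next=self.head)
        p.prev.next = p                             # append at tail
        self.head.prev = p
        self.pid_table[pid] = p
        return p

    def dkom_hide(self, pid: int) -> None:
        """Model of the rootkit's trick: unlink from the list, keep the PID entry."""
        p = self.pid_table[pid]
        p.prev.next, p.next.prev = p.next, p.prev
        p.prev = p.next = p                         # self-linked so it keeps running


def high_level_view(snap: KernelSnapshot) -> Set[int]:
    """What a list walk (Task Manager, Process Explorer) reports."""
    pids, cur = set(), snap.head.next
    while cur is not snap.head:
        pids.add(cur.pid)
        cur = cur.next
    return pids


def low_level_view(snap: KernelSnapshot, max_pid: int = 65532) -> Set[int]:
    """Sweep every PID slot (multiples of 4) instead of trusting the list."""
    return {pid for pid in range(0, max_pid + 1, 4) if pid in snap.pid_table}


def find_hidden(snap: KernelSnapshot) -> List[str]:
    """Names present in the low-level view but missing from the high-level one."""
    return [snap.pid_table[p].name for p in sorted(low_level_view(snap) - high_level_view(snap))]


def build_sample() -> KernelSnapshot:
    snap = KernelSnapshot()                         # constructed sample, not a real machine
    for pid, name in [(4, "System"), (620, "csrss.exe"), (1104, "explorer.exe"), (2260, "agent.exe")]:
        snap.create(pid, name)
    snap.dkom_hide(2260)                            # the rootkit hides its own process
    return snap
```

Running `find_hidden(build_sample())` reports `['agent.exe']`: the process still occupies its PID slot but no list walk reaches it.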
Rootkit Removal • OS reinstall • May require boot sector repair • Rootkit detection/removal tools • Some tools are specific to one type of rootkit • We will demo two of these tools today • Manual removal • Complicated • It is advised that you do this in conjunction with rootkit detection tools (e.g. Blacklight)
Rootkit Tools • The tools we will be using for our demo: • RootkitRevealer • Blacklight • FU Rootkit
Rootkit Tools • RootkitRevealer • Displays Registry and File System API discrepancies • Works on user-mode and kernel-mode rootkits • Runs on Windows XP and Windows Server 2003
Rootkit Tools • Blacklight • Detects hidden processes, files, and directories • Helps remove hidden files and directories • Runs on Windows
Rootkit Tools • FU Rootkit • Kernel-mode rootkit • Hides running processes and kernel-mode modules • Directly modifies certain kernel data structures used by the operating system • Does not actively try to hide itself
Rootkit Demonstration
Windows Hardening • Download a current anti-virus solution and keep it updated • Install all current Windows patches • Do not use Windows day-to-day with an admin-level account • Always choose the Public network profile when setting up networking
Windows Hardening • Turn on Data Execution Prevention (DEP) • If DEP sees a program using memory improperly, it will shut the program down • Disable unnecessary network protocols like IPv6 and NetBIOS if not in use • Practice safe browsing habits: if in doubt, don’t click it
Microsoft Security Essentials • Built on the Microsoft Malware Prevention Engine • Designed for Small Business or Home User • Does not include a firewall • (uses Windows Firewall) • Does not include centralized management features.
Microsoft Security Essentials • Initial Public Beta – June 23 2009 • Final Build of Version 1.0 Released Sept 29 2009 • Version 2.0 released Dec 16 2010 • 2.0 Included a Network Inspection System • Network intrusion detection for Windows Vista & 7 • 2.0 Included new engine employing heuristics in malware detection. • Suspicious files are executed in a virtual machine that looks for suspect activity
Microsoft Security Essentials • Version 4.0 released April 24 2012 • Improved memory overhead • Improved Scanning Engine • September 2012 • MSE loses AV-Test Certification with poor protection score
Microsoft Security Essentials • October 2012: Windows 8 is released • Windows 8 does not include MSE • It is speculated that Microsoft switched its focus to Windows Defender for Windows 8 • For a free solution, MSE is still a very good product
Conclusions • Rootkits evade detection by intercepting native system calls and disguising their activities • Rootkit detection software can identify potential rootkits (but may not remove them) • Windows hardening starts with the basics: updates and a security software solution!
Summary • Definition of a Rootkit • Rootkit History • Types of Rootkits • Rootkit Removal • Rootkit Tools & Demonstration • Windows Hardening • Microsoft Security Essentials
References • McAfee: http://web.archive.org/web/20060823090948/http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf • Wikipedia: http://en.wikipedia.org/wiki/Rootkit • Wikipedia: http://en.wikipedia.org/wiki/RootkitRevealer • Windows Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx • F-Secure: http://www.f-secure.com/v-descs/fu.shtml • Softpedia: http://www.softpedia.com/get/Antivirus/F-Secure-BlackLight-Rootkit-Detection.shtml • Geek: http://www.geek.com/games/ubisoft-uplay-drm-found-to-include-a-rootkit-1506163/ • lazygamer: http://www.lazygamer.net/general-news/ubisoft-rootkit-just-a-bug/