1 / 11

Introduction to Information Security - Rootkits

Introduction to Information Security - Rootkits. Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il. Rootkits. What are they? Various types of rootkits. Detection Famous case. What is a rootkit ?.

kolya
Download Presentation

Introduction to Information Security - Rootkits

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Information Security - Rootkits Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il

  2. Rootkits • What are they? • Various types of rootkits. • Detection • Famous case

  3. What is a rootkit ? • The name rootkit originally came from UNIX/linux set of utilities that was used post gaining root via a privilege escalation (PE) or a remote root exploit. • The goal of the rootkit is to allow a hacker to roam free about the system, while still maintaining root. • The rootkit hides the hacker and allows him to evade detection by the system admin. • Modus operandi: • Hack the system. • Install the system. • Explore the system. • **** the system.

  4. What can/should a rootkit do ? • Hide the hackers files – a hacker would usually have a drop-off directory where he will create temporary files (such as zip files) or keep a PE file: • echo “int main{setuid(0);setgid(0);system(“/bin/sh”);} > a.c ; gcca.c –o a ; chmod 4755 a • Eg: all files in /usr/bin/.w00t/ are completely hidden. • Hide the hackers process: • Eg. Any process starting with the words: “w00t” will not be visible. • Hide sniffing: hide working in promiscuous mode. • Hide open ports • Let the hacker back in without using the exploit: • Using the exploit to re-enter usually makes too much noise. • No need to cleanup after re-entry.

  5. Application based rootkits • The first rootkits seen in the 90s were replacements for the set of system utilities in /bin/. • For example hackers used a modified version of /bin/ls. • In open-source systems such as linux this is very easy: • Download original code, modify, compile, spread. • In closed-source systems such as windows, older UNIX: • Binary patch the relevant files.

  6. Application Layer Dilemmas • If you patch one program, you never know if you covered all your bases. Eg.: • patch ‘ps’ but forget to patch ‘top’ • Patch ‘ls’ but forget to patch ‘mc’ (midnight commander) • Software upgrades, if the software is upgraded

  7. Library Rootkits • Patch the system libraries, such as libc, eg.: • readdir • Patching can be done offline to the library or via code injection techniques.

  8. Code Injection/API Hooking • The idea is to dynamically patch a program’s behavior. • This is necessary for debuggers to work properly • We load a “shellcode” in the process memory using some technique. • Eg. Windows: • BOOL WriteProcessMemory( HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten ); • Eg. Linux: ptrace with POKETEXT: • PTRACE_POKETEXT, PTRACE_POKEDATA Copies the word data to location addr in the child's memory. As above, the two requests are currently equivalent. • The shellcodecan load a DLL that does some more work. • Subverting functions is done by patching the original code. • Linux: The code segment permissions can be changed via mprotect() • Windows: VirtualProtect(). • Windows has Detours – a library used to Hook APIs

  9. Syscall rootkit • Rootkit based in a kernel driver. The rootkit driver is loaded into the operating system, once it is loaded it modifies the system_call table and subverts the original

  10. Rootkit detection • Looking at the rootkit from a different perspective • Signature based: • Look for signatures in files and memory know to belong to the rootkit. blacklist based. • This is the technique most anti-viruses use. • Difference based • Difference between view from memory to view on disk. • Offline vs. Online. • Integrity checking of binaries. Compare md5 of files to whitelist. • Eg.: tripwire application for *n?x [Trace buster video]

  11. Sony DRM: Famous Rootkit Case • https://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx?Redirected=true

More Related