Rootkits What are they? What do they do? Where do they come from?
Introduction • Bill Richards • Adjunct Professor at Rose Since 2004 • Defense Information Systems Agency • Defense Enterprise Computing Center – Oklahoma City (Tinker AFB) since 1995 • Network Security Officer since 2002 • Responsible for the security for 9 remote networks • 45+ Mainframes (IBM, UNISYS and TANDEM) • 1400+ Mid-Tier Servers (UNIX and Windows) • 400+ Network devices (Cisco, Juniper, Sidewinder, BigIP, etc)
Rootkits are a serious threat to network and system security, and most administrators know little about them • Defining characteristic is Stealth • Viruses reproduce but rootkits hide! • Difficult to detect • Difficult to remove • Carry a variety of payloads • Key loggers • Password Sniffers • Remote Consoles • Back doors • And more!!!
What is a Rootkit? • The term rootkit is old and pre-dates MS Windows • It gets its name from the UNIX superuser UserID - - root • aka administrator for windoze users • A rootkit does not typically cause deliberate damage
What is a Rootkit? • A collection of files designed to hide from normal detection by hiding processes, ports, files, etc. • Typically used to hide malicious software from detection while simultaneously collecting information: • userids • Passwords • IP addresses, etc. • Some rootkits phone home and/or set up backdoors
What is a Rootkit? • A rootkit does NOT compromise a host by itself • A vulnerability must be exploited to gain access to the host before a rootkit can be deployed • The purpose of a rootkit is NOT to gain access to a system, but after being installed, to preserve existing access and support the goals of the bad guy
Recent Rootkit History Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm
Rootkit History 1998 to 2002 Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm
How rootkits work • A vulnerable system is detected and targeted • unpatched, zero-day exploit, poor configuration, etc. • The targeted host is exploited via automated or manual means • Root or Administrator access is obtained • Payload is installed • Rootkit is activated and redirects system calls • Prevents the OS from “seeing” rootkit processes and files EVEN AFTER the host is patched and the original malware is removed
How rootkits work (diagram): a `dir c:\` command goes through a Windows DLL whose ReadFile() call is intercepted by the rootkit DLL; the DLL is “tricked” into thinking it cannot execute the command and calls the rootkit instead, which reads the NTFS result (docs, windows, rootkit) and filters it so the listing shows only docs and windows, hiding the rootkit’s own files.
Common Windows rootkits • Hacker Defender (Hxdef) • A rootkit for Windows NT 4.0, Windows 2000 and Windows XP • Avoids antivirus detection • Is able to hook into the Logon API to capture passwords • The developers accept money for custom versions that avoid all detectors • FU • Nullifies Windows Event Viewer • Hides Device Drivers • Recently added “Shadow Walking” (Read Phrack63)
Common UNIX rootkits • SucKIT • Loaded through /dev/kmem • Provides a password protected remote access connect-back shell initiated by a spoofed packet • This method bypasses most firewall configurations • Hides processes, files and connections • Adore • Hides files, processes, services, etc. • Can execute a process (e.g. /bin/sh) with root privileges. • Controlled with a helper program ava • Cannot be removed by the rmmod command • kis • A client/server system to remotely control a machine, with a kernel rootkit as the server on the remotely controlled machine • It can hide processes, files, connections, redirect execution, and execute commands. • It hides itself and can remove security modules already loaded
Detection & Removal • Detection that doesn’t always work: • Antivirus (Norton, McAfee, AVG, etc.) • Anti-Spyware (AdAware, Giant, Spybot, etc.) • Port Scanning • Manually Looking • Detection that can work: • Sudden System Instability/Sluggishness • Sudden Spike in Traffic • MS RootkitRevealer • F-Secure Black Light
Detection & Removal (diagram): the detector asks the compromised OS to “list running processes” and the rootkit answers “nothing to see here”. “Online” detection (ex: virus scans) relies on the OS’s API to report files and processes. The API has been “hooked,” however, so the rootkit remains concealed.
Detection & Removal (diagram): the tool (Black Light, Rootkit Revealer, etc.) asks the compromised OS to “list running processes”; the hooked API returns “nothing found” while the tool’s own raw view returns “something found”. Differing results indicate a possible rootkit. Detection compares the results of the OS’s API with the results of a clean API (Raw) provided by the tool. Discrepancies are potentially rootkits.
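The cross-view comparison described above, as an added example that is not part of the original slides or of any of the named tools: the “API” view is a normal /proc directory listing (what ps or a task manager would show), the “raw” view is a direct kill(pid, 0) probe of every possible PID, and the detector reports PIDs that the raw probe finds but the listing omits. The Linux-specific paths, the sample PID sets and the choice of the signal probe as the second view are assumptions made for this example; tools such as RootkitRevealer and BlackLight obtain their raw view differently.

```python
"""Cross-view process detection (added example): compare the process list the
OS interface reports with an independent raw probe and report discrepancies."""
import os
from typing import Dict, List, Set, Tuple


def pids_from_proc_listing() -> Set[int]:
    """'API' view: enumerate /proc the way ps or top would. A rootkit that
    filters directory listings can hide entries here."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def read_pid_max(default: int = 32768) -> int:
    """Upper bound for the brute-force probe (Linux publishes it in procfs)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def pids_from_signal_probe(pid_max: int) -> Set[int]:
    """'Raw' view: ask the kernel about every PID with kill(pid, 0), which
    never touches a directory listing. PermissionError means the PID exists
    but belongs to another user, so it still counts as present."""
    present: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        present.add(pid)
    return present


def cross_view_diff(api_view: Set[int], raw_view: Set[int]) -> Dict[str, Set[int]]:
    """'hidden': present in the raw probe but missing from the API view, the
    classic rootkit signature. 'phantom': in the API view only, usually a
    process that exited between the two snapshots."""
    return {"hidden": raw_view - api_view, "phantom": api_view - raw_view}


def persistent_hidden(runs: List[Tuple[Set[int], Set[int]]]) -> Set[int]:
    """Short-lived processes cause one-off discrepancies; only a PID hidden in
    every run is worth escalating."""
    if not runs:
        return set()
    result = cross_view_diff(*runs[0])["hidden"]
    for api_view, raw_view in runs[1:]:
        result &= cross_view_diff(api_view, raw_view)["hidden"]
    return result


# Constructed sample views (not real data): PID 4242 answers the signal probe
# but never appears in the listing; PID 777 exited between snapshots once.
SAMPLE_RUNS: List[Tuple[Set[int], Set[int]]] = [
    ({1, 2, 3, 777, 1337}, {1, 2, 3, 1337, 4242}),
    ({1, 2, 3, 1337}, {1, 2, 3, 1337, 4242}),
]


def live_scan(runs: int = 3) -> Set[int]:
    """Take several live snapshots on this Linux host and return the PIDs
    hidden from the listing in all of them."""
    pid_max = read_pid_max()
    snapshots = [(pids_from_proc_listing(), pids_from_signal_probe(pid_max))
                 for _ in range(runs)]
    return persistent_hidden(snapshots)


if __name__ == "__main__":
    print("sample run, persistently hidden PIDs:", persistent_hidden(SAMPLE_RUNS))
    if os.path.isdir("/proc"):
        print("live scan, persistently hidden PIDs:", live_scan())
```

A kernel-level rootkit that also hooks the kill() path would fool the raw probe as well, which is why the slides list offline detection from a clean boot environment as the stronger check; a cross-view tool only ever proves that two views disagree.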
Detection & Removal (diagram): an alternate OS (Knoppix, WindowsPE, W.O.L.F., etc.) issues “list running processes” against the compromised OS’s disk and reports “rootkit detected”. Doing an “Offline” detection with a different OS to report files and processes. If the alternate OS is clean, the rootkit will be detected.
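One way to carry out the offline check above, as an added example that is not from the original slides: boot a clean environment, mount the suspect volume, hash every file on it and compare the result against a manifest taken from a known-good system of the same build. The manifest format, the mount path and the constructed temp-directory scenario are assumptions made for this example.

```python
"""Offline integrity check (added example): hash the files of a mounted
suspect volume from a clean boot environment and diff them against a
known-good manifest."""
import hashlib
import os
import tempfile
from typing import Dict, Set

Manifest = Dict[str, str]  # relative path -> hex sha256


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Walk the tree without following symlinks; keys are relative so a
    manifest taken from C:\\ or / can be compared with the same tree mounted
    somewhere else under the clean OS."""
    manifest: Manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare_manifests(baseline: Manifest, observed: Manifest) -> Dict[str, Set[str]]:
    """'modified': hash differs (a replaced binary); 'missing': in the baseline
    only; 'added': in the observed tree only (files a hooked API hides online
    are plainly visible when the disk is read from a clean OS)."""
    both = baseline.keys() & observed.keys()
    return {
        "modified": {p for p in both if baseline[p] != observed[p]},
        "missing": set(baseline) - set(observed),
        "added": set(observed) - set(baseline),
    }


def verify_mount(mount_root: str, baseline: Manifest) -> Dict[str, Set[str]]:
    """Run from the clean OS with the suspect volume mounted at mount_root."""
    return compare_manifests(baseline, build_manifest(mount_root))


def demo_constructed() -> Dict[str, Set[str]]:
    """Constructed scenario in a temp dir: a baseline of two files, after which
    one is replaced, one is deleted and a new file is dropped."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        with open(os.path.join(root, "system32", "svc.bin"), "wb") as fh:
            fh.write(b"clean service binary")
        with open(os.path.join(root, "hosts"), "wb") as fh:
            fh.write(b"127.0.0.1 localhost")
        baseline = build_manifest(root)
        with open(os.path.join(root, "system32", "svc.bin"), "wb") as fh:
            fh.write(b"replaced service binary")
        os.remove(os.path.join(root, "hosts"))
        with open(os.path.join(root, "system32", "extra.sys"), "wb") as fh:
            fh.write(b"dropped driver")
        return verify_mount(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo_constructed().items():
        print(f"{kind}: {sorted(paths)}")
```

The baseline has to come from a host you trust (the same OS build and patch level), and the comparison only covers files: a rootkit living in boot sectors, firmware or registry data would need the corresponding raw read and diff.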
Detection & Removal • Only 100% sure removal: • Format the drive and do a clean install • Some tools can remove some rootkits • But what was hidden may not get cleaned • You cannot trust a system that’s been rootkit’ed • Passwords on the rootkit’ed system are suspect • So change your passwords on the clean host
Prevention • Keep hosts updated • OS • Applications • Limit host exposure • Un-needed services • Use Firewalls • Situational Awareness • CERT, Bugtraq, Security Web sites, etc.
Some Reference Sites • http://www.rootkit.com • http://www.packetstormsecurity.org • http://www.rootkit.nl Questions?