Information Security • Rootkits • Dr. Randy M. Kaplan
Rootkits • What is a Rootkit? • Been around for more than 10 years • A kit • consisting of small and useful programs that allow an attacker to maintain access to “root” • root is the user with the highest privilege
Rootkits • What is a rootkit? • a set of programs and code that allows a permanent or consistent, undetectable presence on a computer • the key word in this definition is “undetectable”
What Can Rootkits Do? • Rootkits can - • hide code on a system • hide data on a system • Many rootkits can - • hide files • hide directories
What Can Rootkits Do? • Rootkits can also provide - • remote access • eavesdropping • sniffing of packets from the network
Are Rootkits Bad? • Rootkits are not inherently bad • Not always used by the bad guys • Why? • A rootkit is just a technology • Its use makes it bad or good
Rootkits • Why Do Rootkits Exist? • Rootkits are a relatively new phenomenon • Spying is a very old phenomenon • People want to see or control what other people are doing
What are rootkits for? • Maintaining access to a system • If all you want to do is steal something and leave - • there is no reason to leave a rootkit behind!!! • Risk - • leaving a rootkit behind raises the probability of detection
Sample Rootkit Commands • debugint • sniffkeys • echo <string> • ps • help • buffertest • hidedir • hideproc
Legitimate Uses of Rootkits • Used by law enforcement agencies to collect evidence in an advanced bugging operation • Applies to any crime in which a computer is used • Examples of such crimes are computer trespass and creating or distributing child pornography
How long have Rootkits been around? • Methods used in modern rootkits are the same methods used in viruses in the 1980s • These methods include - • modifying system tables • modifying memory • modifying program logic
How long have Rootkits been around? • With the advent of Windows NT, virus writers could no longer directly modify the key system tables they had relied on • This caused a lull in low-level virus technology • No virus authors were yet using the new Windows kernel
How long have Rootkits been around? • With the advent of the Internet - • the network was dominated by UNIX servers • viruses were very uncommon for that operating system • This is the time when network worms were born • The famous Morris Worm (1988) was a wake-up call to the profession
Hackers in the 1990’s • Hackers figure out how to exploit buffer overflows • “the nuclear bomb of all exploits” • The virus writing community did not catch on to this approach for more than a decade
Hackers in the 1990’s • A hacker would - • penetrate a system • set up camp • use a freshly compromised computer to launch new attacks
Hackers in the 1990’s • Once a hacker penetrated a system • she needed to maintain access • Thus, the first rootkits were born • These rootkits were backdoor programs • they used very little stealth • In some cases they replaced key system binaries with modified versions
Hackers in the 1990’s • These modified versions - • hide files and processes • For example, on UNIX the program that displays directories is named ls • Suppose a hacker replaces ls with a version of their own that is specially coded to never list a file named “hacker_stuff”
Hackers in the 1990’s • Any time the hacker wanted to save information, they could simply save it in a file named hacker_stuff
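The trojaned ls described on the two slides above, as an added example (this is not code from the original slides or from any real rootkit). It is an ordinary directory lister with one extra decision: entries named hacker_stuff are never printed. As an assumption of this example, it also hides any name carrying the prefix hs_, the way later user-land kits hid everything tagged with a magic string.

```c
/* Added example: a minimal "ls" replacement that hides selected entries.
 * Not the page's own code. Assumptions: the hidden name is "hacker_stuff"
 * (from the slide); the prefix "hs_" is an extra marker assumed here. */
#include <dirent.h>
#include <stdio.h>
#include <string.h>

static const char *HIDDEN_NAME = "hacker_stuff";   /* the slide's example file */
static const char *HIDDEN_PREFIX = "hs_";          /* assumed extra marker   */

/* The only difference from an honest ls: decide whether to suppress an entry.
 * Returns 1 if the entry must be hidden, 0 if it may be listed. */
int should_hide(const char *name)
{
    if (strcmp(name, HIDDEN_NAME) == 0)
        return 1;
    if (strncmp(name, HIDDEN_PREFIX, strlen(HIDDEN_PREFIX)) == 0)
        return 1;
    return 0;
}

/* Walk a directory like a plain "ls -a", printing every entry the filter
 * allows. Returns the number of entries printed, or -1 if the directory
 * cannot be opened. */
long list_dir(const char *path)
{
    DIR *d = opendir(path);
    if (!d) {
        perror(path);
        return -1;
    }
    long shown = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (should_hide(e->d_name))
            continue;                 /* the trojan's lie */
        puts(e->d_name);
        shown++;
    }
    closedir(d);
    return shown;
}

int main(int argc, char **argv)
{
    return list_dir(argc > 1 ? argv[1] : ".") < 0 ? 1 : 0;
}
```

Everything the attacker stores is still on disk and still visible to any other program (find, a file manager, a backup job); only this one binary lies. That is why the next slide's integrity checker, which does not trust ls at all, is enough to catch it.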
Response of the Administrators • Write programs like Tripwire • determines whether a program has been changed • In our example a program like Tripwire could examine ls and determine it had been altered • At that point the incursion is discovered
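A Tripwire-style integrity baseline for the scenario on this slide, as an added example (not Tripwire's code and not part of the original slides). A trusted snapshot records one content hash per protected binary; a later run re-hashes and reports anything that no longer matches. As an assumption of this example, the hash is FNV-1a 64 so the block is self-contained; FNV is not collision resistant and a real tool uses a cryptographic hash such as SHA-256. The "binaries" in the demo are constructed byte strings, not real executables.

```c
/* Added example: a Tripwire-style integrity baseline. Not the page's own code.
 * Assumption: FNV-1a 64-bit stands in for the cryptographic hash a real
 * integrity checker would use. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* Hash an in-memory image with FNV-1a 64. */
uint64_t fnv1a64(const unsigned char *data, size_t len)
{
    uint64_t h = FNV_OFFSET;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= FNV_PRIME;
    }
    return h;
}

/* Hash a file on disk in chunks; returns 0 on success, -1 if unreadable. */
int fnv1a64_file(const char *path, uint64_t *out)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    uint64_t h = FNV_OFFSET;
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        for (size_t i = 0; i < n; i++) {
            h ^= buf[i];
            h *= FNV_PRIME;
        }
    fclose(f);
    *out = h;
    return 0;
}

struct entry { const char *name; uint64_t hash; };
struct baseline { struct entry e[MAX_ENTRIES]; size_t n; };

/* Record the current content hash of one binary. Returns 0, or -1 if full. */
int baseline_add(struct baseline *b, const char *name,
                 const unsigned char *image, size_t len)
{
    if (b->n >= MAX_ENTRIES)
        return -1;
    b->e[b->n].name = name;
    b->e[b->n].hash = fnv1a64(image, len);
    b->n++;
    return 0;
}

/* Re-hash one binary and compare with the recorded value.
 * Returns 1 if changed, 0 if unchanged, -1 if the name is not in the baseline. */
int baseline_check(const struct baseline *b, const char *name,
                   const unsigned char *image, size_t len)
{
    for (size_t i = 0; i < b->n; i++)
        if (strcmp(b->e[i].name, name) == 0)
            return b->e[i].hash != fnv1a64(image, len);
    return -1;
}

/* The slide's scenario on constructed data: "ls" is recorded, then replaced by
 * a version that hides hacker_stuff. Returns the check result for ls (1). */
int demo_trojaned_ls(void)
{
    /* constructed stand-ins for binary contents, not real executables */
    static const unsigned char honest_ls[] = "ls-1.0: list every entry";
    static const unsigned char trojan_ls[] = "ls-1.0: list every entry except hacker_stuff";
    struct baseline b;
    b.n = 0;
    baseline_add(&b, "/bin/ls", honest_ls, sizeof honest_ls);
    baseline_add(&b, "/bin/ps", (const unsigned char *)"ps-1.0", 7);
    return baseline_check(&b, "/bin/ls", trojan_ls, sizeof trojan_ls);
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {      /* print a hash line per file given */
        uint64_t h;
        if (fnv1a64_file(argv[i], &h) == 0)
            printf("%016llx  %s\n", (unsigned long long)h, argv[i]);
        else
            perror(argv[i]);
    }
    return demo_trojaned_ls() == 1 ? 0 : 1;
}
```

The check works only as long as two things hold: the baseline was taken before the compromise and is stored where the attacker cannot rewrite it, and the bytes the checker reads are the real bytes on disk. The following slides describe how attackers removed the second guarantee by moving into the kernel.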
The Hackers Respond (Uh-Oh) • Hackers naturally moved from the programs that were external to the operating system into the operating system itself • This core part of the operating system is called the “kernel” (The term was coined by Orville Redenbacher - can’t you hear the popping?)
The Hackers Respond (Uh-Oh) • By moving into the kernel, hackers could subvert ANY security utility on the computer at the time • Trojan files were no longer needed • All stealth could be applied by modification of the kernel
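A cross-view check that shows why the kernel move on this slide matters, as an added example (not code from the slides or from any rootkit-detection product). It asks "which PIDs exist?" in two ways: the /proc listing that ps-like tools rely on, and a brute-force probe of every PID with kill(pid, 0). A trojaned user-land ps fools only the first view, so the two disagree and the hidden process shows up; a kernel rootkit that lies in both the directory listing and the kill system call fools both, and the check stays silent. Assumptions of this example: Linux with /proc mounted, and a caller-chosen PID range.

```c
/* Added example: cross-view detection of hidden processes. Not the page's
 * own code. Assumes Linux with /proc mounted. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* /proc holds one all-digit directory per process the kernel shows us. */
int is_pid_name(const char *name)
{
    if (*name == '\0')
        return 0;
    for (; *name; name++)
        if (!isdigit((unsigned char)*name))
            return 0;
    return 1;
}

/* Second view: kill(pid, 0) sends no signal. Success or EPERM ("exists, not
 * yours") means the kernel knows the PID; ESRCH means it does not. */
int pid_exists(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* Count PIDs in [1, max_pid] that answer kill() but are absent from the /proc
 * listing, printing each one. Returns the count, or -1 if /proc is unreadable. */
int count_hidden_pids(pid_t max_pid)
{
    if (max_pid < 1)
        return 0;
    unsigned char *seen = calloc((size_t)max_pid + 1, 1);
    if (!seen)
        return -1;
    DIR *d = opendir("/proc");
    if (!d) {
        free(seen);
        return -1;
    }
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {          /* first view: the listing */
        if (!is_pid_name(e->d_name))
            continue;
        long p = strtol(e->d_name, NULL, 10);
        if (p >= 1 && p <= max_pid)
            seen[p] = 1;
    }
    closedir(d);
    int hidden = 0;
    for (pid_t pid = 1; pid <= max_pid; pid++) {
        if (!seen[pid] && pid_exists(pid)) {
            printf("hidden pid %ld: alive but missing from /proc\n", (long)pid);
            hidden++;
        }
    }
    free(seen);
    return hidden;
}

int main(void)
{
    int n = count_hidden_pids(32768);
    if (n < 0) {
        perror("/proc");
        return 1;
    }
    printf("%d hidden process(es)\n", n);
    return 0;
}
```

A process that starts between the listing and the probe loop will be reported once as a false positive, so a real tool re-checks any hit. The deeper limit is the one the slide states: both views are answered by the kernel, so once the kernel itself is modified there is no independent view left on the running machine, which is why the next slides treat the kernel as the decisive ground.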
A Word From Orville • A kernel is a core part of an operating system • All operating systems have kernels • The kernel includes components that manage memory, schedule processes, swap between processes, and respond to interrupts • These fundamental functions, if changed, compromise the operating system
How Do Rootkits Work? • Modification • a simple concept • software is designed to make specific decisions on specific data • A rootkit modifies software so that the decisions it makes are incorrect
Where are modifications made? • Patching • Easter Eggs • Spyware Modifications • Source-Code Modification
Where are modifications made? • Patching • Executable code consists of a series of statements encoded as data bytes • The bytes come in a very specific order • Each byte means something to the computer • An instruction or data for an instruction
Where are modifications made? • Patching • The functioning of a piece of software can be changed if the sequence of bytes are changed • The technique is sometimes called patching • Similar to the idea of placing a patch of a different color fabric on a quilt
Where are modifications made? • Patching • Byte patching is one of the major techniques used by “crackers” to remove software protections
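The byte patching described across the three Patching slides, as an added example (not code from the original slides). A conditional jump that guards a decision is rewritten so the decision always goes the attacker's way, which is exactly how a cracker defeats a serial-number check. Assumptions of this example: the image below is a constructed stand-in for the code bytes around such a check (x86 encodings 74 = je rel8, EB = jmp rel8), not a real program, and the patch is applied only after the bytes at the target offset are verified, because a patch at the wrong offset corrupts the program instead of changing its decision.

```c
/* Added example: verified byte patching of an executable image.
 * Not the page's own code; the image is constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Replace n bytes at offset off, but only if the bytes currently there are
 * the ones we expect. Returns 0 on success, -1 on bounds or mismatch. */
int patch_bytes(uint8_t *image, size_t len, size_t off,
                const uint8_t *expect, const uint8_t *repl, size_t n)
{
    if (off > len || n > len - off)
        return -1;
    if (memcmp(image + off, expect, n) != 0)
        return -1;
    memcpy(image + off, repl, n);
    return 0;
}

/* Locate the check by byte signature when its exact offset is not known.
 * Returns the offset of the first match, or -1. */
long find_pattern(const uint8_t *image, size_t len, const uint8_t *pat, size_t n)
{
    if (n == 0 || n > len)
        return -1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(image + i, pat, n) == 0)
            return (long)i;
    return -1;
}

/* Same verification discipline against a file on disk. */
int patch_file(const char *path, long off,
               const uint8_t *expect, const uint8_t *repl, size_t n)
{
    FILE *f = fopen(path, "r+b");
    if (!f)
        return -1;
    uint8_t cur[64];
    int rc = -1;
    if (n <= sizeof cur && fseek(f, off, SEEK_SET) == 0 &&
        fread(cur, 1, n, f) == n && memcmp(cur, expect, n) == 0 &&
        fseek(f, off, SEEK_SET) == 0 && fwrite(repl, 1, n, f) == n)
        rc = 0;
    fclose(f);
    return rc;
}

/* Constructed image of a serial check:
 *   cmp eax, 42 ; je good ; mov eax, 1 ; ret ; good: xor eax, eax ; ret */
static const uint8_t original[] = {
    0x3D, 0x2A, 0x00, 0x00, 0x00,   /* cmp eax, 42        */
    0x74, 0x06,                     /* je  +6  -> good    */
    0xB8, 0x01, 0x00, 0x00, 0x00,   /* mov eax, 1 (fail)  */
    0xC3,                           /* ret                */
    0x31, 0xC0,                     /* xor eax, eax (ok)  */
    0xC3                            /* ret                */
};

/* The cracker's edit: turn "je good" into "jmp good" so every serial passes.
 * Returns the opcode now at the jump, or 0 on failure. */
int demo_defeat_check(void)
{
    uint8_t image[sizeof original];
    memcpy(image, original, sizeof image);
    static const uint8_t je_good[]  = { 0x74, 0x06 };
    static const uint8_t jmp_good[] = { 0xEB, 0x06 };
    long off = find_pattern(image, sizeof image, je_good, sizeof je_good);
    if (off < 0)
        return 0;
    if (patch_bytes(image, sizeof image, (size_t)off, je_good, jmp_good, 2) != 0)
        return 0;
    return image[off];
}

int main(void)
{
    printf("jump opcode after patch: 0x%02X\n", demo_defeat_check());
    return 0;
}
```

Two bytes changed and the program's decision is inverted; nothing else about the file is different, which is why hash-based integrity checks of the kind on the Tripwire slide see the change at once while a look at the program's behaviour from the inside does not.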
Where are modifications made? • Easter Eggs • Software logic modifications may be built into a piece of software • A programmer may place a backdoor in a program • The back door is not documented • The software has a hidden feature
Where are modifications made? • Easter Eggs • A programmer may leave something behind as a signature • That they were the one who wrote the program • Earlier versions of Microsoft Excel contained an Easter Egg that allowed a user who found it to play a Doom-like game
Where are modifications made? • Spyware Modifications • Sometimes a program will modify another program to infect it with spyware • Spyware can - • track the web sites visited • Spyware may be difficult to detect • Some spyware will attach itself to a browser or program shell, making removal very difficult
Where are modifications made? • Source-Code Modification • Sometimes software is modified at the source • A programmer can insert malicious lines of source code into a program that she authors • This possibility caused the military to avoid using Linux
Where are modifications made? • Source-Code Modification • Open-source projects allow almost anyone - • “anyone” meaning someone you don’t know • to contribute code to the sources
Where are modifications made? • Source-Code Modification • For critical software like BIND, Apache, and Sendmail there is peer review of code • Does anyone really look at every line of the code that has been written?
What a Rootkit is Not • A Rootkit is not an exploit • A Rootkit is not a virus
A Rootkit is not an Exploit • The rootkit may be used in conjunction with an exploit but - • The rootkit itself is a fairly straightforward set of utility programs • The programs may use undocumented functions and methods • They typically do not depend on software bugs
A Rootkit is not an Exploit • A rootkit is typically deployed after a successful software exploit • Hackers have many exploits available to them • On the other hand a hacker may only have one or two rootkit programs
A Rootkit is not an Exploit • A rootkit is not an exploit BUT - • a rootkit may employ an exploit • A rootkit usually requires access to the kernel • One or more programs start when the system is booted • There are only a limited number of ways to get software into the kernel
A Rootkit is not an Exploit • For example, a component of a rootkit may masquerade as a device driver • These methods can be detected forensically
A Rootkit is not an Exploit • A novel way to install a rootkit is to use a software exploit • Many software exploits allow arbitrary code or third-party software to be installed • Imagine that there is a buffer overflow in the kernel that allows arbitrary code to be executed
Using a Software Exploit • Kernel buffer overflows can exist in almost any device driver • On system startup a loader program can use the buffer overflow to load a rootkit • The loader program does not employ any documented methods for loading or registering a device driver or otherwise installing a rootkit
Using a Software Exploit • The loader exploits the buffer overflow to install the kernel-mode parts of a rootkit • The buffer-overflow exploit is a mechanism for loading code into the kernel • Most people think of this as a bug • The rootkit developer may think of this as an undocumented feature
Using a Software Exploit • Because this feature is not documented this path to the kernel is not likely to be included as part of a forensic investigation • More importantly, it won’t be protected by a host-based firewall program • It would take someone well versed in software engineering to discover something like this
A Rootkit is Not a Virus • A virus program is a self-propagating automaton • A rootkit does not - • make copies of itself • have a mind of its own • A rootkit is under the control of a human attacker, while a virus is not
The Virus Problem • We know that a rootkit is not a virus • But - • The techniques used in a rootkit can easily be employed by a virus • When a rootkit is combined with a virus a very dangerous technology is born
The Virus Problem • Understanding rootkit technology is very important for defending against viruses • Virus programmers have been using rootkit techniques for many years to “heat up” their viruses • A very dangerous trend
Software Exploits • There is a strong relationship between rootkits and exploits • A rootkit may be employed as a part of an exploit tool • Software exploits are in great supply
Software Exploits • A conjecture (reasonable) • At any point in time • there are more than 100 • working exploitable holes in the latest version of Microsoft Windows • (even more when a new version is released)
Software Exploits • Some software bugs are found by independent researchers • These may never be reported • They are “deadly” because no one knows about them except the attacker • There is no defense against them