Rootkits: What are they? What do they do? Where do they come from?
Introduction
Bill Richards
• Adjunct Professor at Rose since 2004
• Defense Information Systems Agency
• Defense Enterprise Computing Center – Oklahoma City (Tinker AFB) since 1995
• Network Security Officer since 2002
• Responsible for the security of 9 remote networks:
  45+ mainframes (IBM, UNISYS and TANDEM)
  1400+ mid-tier servers (UNIX and Windows)
  400+ network devices (Cisco, Juniper, Sidewinder, BigIP, etc.)
Rootkits are a serious threat to network and system security, and most administrators know little about them.
The defining characteristic is stealth
• Viruses reproduce, but rootkits hide!
• Difficult to detect
• Difficult to remove
• Carry a variety of payloads: key loggers, password sniffers, remote consoles, back doors, and more!
What is a Rootkit?
• The term rootkit is old and pre-dates MS Windows
• It gets its name from the UNIX superuser user ID, root (aka Administrator for Windows users)
• A rootkit does not typically cause deliberate damage
What is a Rootkit?
• A collection of files designed to evade normal detection by hiding processes, ports, files, etc.
• Typically used to hide malicious software from detection while simultaneously collecting information: user IDs, passwords, IP addresses, etc.
• Some rootkits phone home and/or set up backdoors
What is a Rootkit?
• A rootkit does NOT compromise a host by itself
• A vulnerability must be exploited to gain access to the host before a rootkit can be deployed
• The purpose of a rootkit is NOT to gain access to a system but, once installed, to preserve existing access and support the goals of the bad guy
Recent Rootkit History
NAME               OS       Discovered  Alias
Troj/Stex-A        Windows  10-Nov-06   TROJ_DLOADER.ESG
Troj/NTRootK-AS    Windows  8-Nov-06    Generic RootKit.a
Troj/RusDrp-D      Windows  7-Nov-06    Win32/Rustock.NAE
Troj/Lager-R       Windows  7-Nov-06
Troj/Shellot-L     Windows  6-Nov-06
Troj/Dloadr-APN    Windows  4-Nov-06    Trojan-Downloader.Win32.Tiny.eo
Troj/Agent-DPN     Windows  4-Nov-06    Win32/TrojanDropper.Small.APR
Troj/Small-DLH     Windows  4-Nov-06    Win32/TrojanClicker.Small.KJ
Troj/NetAtk-Gen    Windows  2-Nov-06    Backdoor.Win32.Zosu.a
Troj/Goldun-EH     Windows  2-Nov-06
...
Linux/Rootkit-V    Linux    Jan-06
...
SunOS/Rootkit-B    SunOS    Dec-05
...
Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm
Rootkit History, 1998 to 2002
NAME                 OS       Discovered  Alias
...
Troj/RootKit-I       SunOS    Nov-02      Backdoor.HackDefender
Linux/Rootkit-FKit   Linux    Nov-02
FreeBSD.Rootkit      FreeBSD  Oct-02
Linux/Kokain         Linux    Aug-02
Troj/Rootkit-A       Linux    Jun-02
Troj/Rootkit-C       Linux    Feb-02
Beastkit 7.0         Linux    Jan-02
Linux/RootKit-BTM    Linux    Oct-01
Hacktool.Rootkit     Windows  Sep-01
Linux/Rootkit        Linux    Apr-01
Troj/Lrk4            Linux    Mar-01
Troj/T0rn-Kit        Linux    Mar-01
Linux/Rootkit-Knark  Linux    Mar-01
Linux/Rootkit-Lrk    Linux    Nov-98
Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm
How rootkits work
• A vulnerable system is detected and targeted (unpatched, zero-day exploit, poor configuration, etc.)
• The targeted host is exploited via automated or manual means
• Root or Administrator access is obtained
• Payload is installed
• Rootkit is activated and redirects system calls
  • Prevents the OS from “seeing” rootkit processes and files EVEN AFTER the host is patched and the original malware is removed
How rootkits work
[Diagram: a user runs “dir c:\”. The request goes through a system DLL to ReadFile() and the NTFS driver, which returns C:\ containing windows, rootkit and docs. The DLL has been “tricked” into thinking it can’t execute the command and calls the rootkit DLL instead; the rootkit filters the results to hide itself, so the listing the user sees contains only docs and windows.]
Common Windows rootkits
• Hacker Defender (Hxdef)
  • A rootkit for Windows NT 4.0, Windows 2000 and Windows XP
  • Avoids antivirus detection
  • Is able to hook into the Logon API to capture passwords
  • The developers accept money for custom versions that avoid all detectors
• FU
  • Nullifies Windows Event Viewer
  • Hides device drivers
  • Recently added “Shadow Walking” (read Phrack 63)
Common UNIX rootkits
• SucKIT
  • Loaded through /dev/kmem
  • Provides a password-protected remote-access connect-back shell initiated by a spoofed packet
    • This method bypasses most firewall configurations
  • Hides processes, files and connections
• Adore
  • Hides files, processes, services, etc.
  • Can execute a process (e.g. /bin/sh) with root privileges
  • Controlled with a helper program, ava
  • Cannot be removed by the rmmod command
• kis
  • A client/server system to remotely control a machine, with a kernel rootkit as the server on the remotely controlled machine
  • It can hide processes, files, connections, redirect execution, and execute commands
  • It hides itself and can remove security modules already loaded
Detection & Removal
• Detection that doesn’t always work:
  • Antivirus (Norton, McAfee, AVG, etc.)
  • Anti-spyware (AdAware, Giant, Spybot, etc.)
  • Port scanning
  • Manually looking
• Detection that can work:
  • Sudden system instability/sluggishness
  • Sudden spike in traffic
  • MS RootkitRevealer
  • F-Secure Black Light
[Diagram: a scanner asks the compromised OS to “list running processes”; the request passes through a “hooked” DLL to the rootkit, which answers “nothing to see here”.]
“Online” detection (ex: virus scans) relies on the OS’s API to report files and processes. The API has been “hooked,” however, so the rootkit remains concealed.
Detection & Removal
[Diagram: a tool such as Black Light or Rootkit Revealer issues “list running processes” twice: once through the OS’s API, where the “hooked” DLL and the rootkit answer “nothing found”, and once through the tool’s own alternate API, which answers “something found”. Results != → possible rootkit.]
Detection compares the results of the OS’s API with the results of a clean (raw) API provided by the tool. Discrepancies are potentially rootkits.
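The two pictures above (the hooked DLL filtering the “dir c:\” listing, and a tool comparing the OS’s API against its own raw view) can be reduced to one comparison: enumerate the same objects by two independent routes and report whatever one route sees and the other does not. The following Python is an added example written for this page; it is not code from the slides, from RootkitRevealer or from Black Light. The `hooked_view` function only models the filtering a hook performs (it is a constructed stand-in, not a hook), `cross_view` is the comparison, and the Linux-only live functions (`proc_view`, `ps_view`, `probe_view`) are assumptions about the host: they need procfs and a `ps` binary, and they play the role of the “alternate API” on a UNIX box. It goes beyond the slide in one respect: every raw technique is sampled twice so that a process that merely exited between two enumerations is not reported as hidden.

```python
"""Cross-view detection of hidden processes (added example, not from the deck)."""
import os
import subprocess
import sys


def hooked_view(true_pids, hidden_pids):
    """Model of a hooked "list running processes" API: the real process table
    with the rootkit's own PIDs filtered out before the caller sees it.
    Constructed stand-in for the hooked DLL in the slide; it hooks nothing."""
    hidden = set(hidden_pids)
    return sorted(p for p in true_pids if p not in hidden)


def cross_view(api_view, raw_views):
    """raw_views maps a technique name to two or more snapshots taken with it.
    A PID is reported when some technique saw it in every one of its snapshots
    while the API view did not list it. Requiring it in all snapshots filters
    out processes that simply exited between two enumerations (a race, not a
    rootkit). Returns {pid: [technique names that saw it]}, sorted by PID."""
    api = set(api_view)
    hidden = {}
    for name, snapshots in raw_views.items():
        stable = set.intersection(*(set(s) for s in snapshots))
        for pid in stable - api:
            hidden.setdefault(pid, []).append(name)
    return {pid: hidden[pid] for pid in sorted(hidden)}


# ---- live views, Linux only (assumed: procfs mounted, ps available) ----

def proc_view():
    """Raw view 1: numeric directory names in /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def ps_view():
    """The "OS API" view: whatever the normal tooling (ps) reports."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def probe_view(limit=32768):
    """Raw view 2: probe each PID with signal 0. PermissionError still proves
    the PID exists; only ESRCH (ProcessLookupError) means it does not.
    In real use read the ceiling from /proc/sys/kernel/pid_max."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def visible_thread_ids():
    """On Linux kill(tid, 0) also succeeds for thread IDs, so threads of
    visible processes must be subtracted from the probe view."""
    tids = set()
    for pid in proc_view():
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:  # the process exited while we were looking
            continue
    return tids


def live_scan(limit=32768):
    """Compare ps against two raw techniques, each sampled twice, then confirm
    every candidate is still alive and still absent from a fresh ps listing."""
    api = ps_view()
    views = {"proc": [proc_view(), proc_view()],
             "probe": [probe_view(limit) - visible_thread_ids(),
                       probe_view(limit) - visible_thread_ids()]}
    candidates = cross_view(api, views)
    fresh = ps_view()
    confirmed = {}
    for pid, seen_by in candidates.items():
        if pid in fresh:
            continue
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        confirmed[pid] = seen_by
    return confirmed


if __name__ == "__main__":
    # Constructed demo: the hook hides PIDs 1337 and 4242 from the API view.
    true_table = [1, 2, 42, 1337, 4242, 5000]
    api = hooked_view(true_table, hidden_pids=[1337, 4242])
    print("hidden by the hook:", cross_view(api, {"table": [true_table, true_table]}))
    if sys.platform.startswith("linux"):
        print("live suspicious PIDs:", live_scan())
```

The same comparison applies to files: RootkitRevealer-style tools read the directory through the Windows API and again by parsing the NTFS volume themselves, and diff the two lists. The caveat that matters is that /proc and the signal-0 probe are both answered by the kernel, so a kernel-mode rootkit that filters both leaves nothing to diff; that is exactly why the next slide moves to “offline” detection from a clean OS.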
Detection & Removal
[Diagram: an alternate OS (Knoppix, Windows PE, W.O.L.F., etc.) is booted and asked to “list running processes”; the rootkit on the compromised OS is not in control, so the answer is “rootkit detected”.]
Doing an “offline” detection with a different OS to report files and processes. If the alternate OS is clean, the rootkit will be detected.
Detection & Removal
• Only 100% sure removal: format the drive and do a clean install
• Some tools can remove some rootkits
  • But what was hidden may not get cleaned
  • You cannot trust a system that’s been rootkit’ed
• Passwords on the rootkit’ed system are suspect
  • So change your passwords on the clean host
Prevention
• Keep hosts updated: OS, applications
• Limit host exposure: un-needed services
• Use firewalls
• Situational awareness: CERT, Bugtraq, security web sites, etc.
Some Reference Sites
http://www.rootkit.com
http://www.packetstormsecurity.org
http://www.rootkit.nl
Questions?