Root Kits and Windows Hardening Team BAM! Scott Amack Everett Bloch Maxine Major

Post on 23-Dec-2015

Page 1:

Root Kits and Windows Hardening

Team BAM!
Scott Amack
Everett Bloch
Maxine Major

Page 2:

Overview

• What is a rootkit?
• Types of rootkits
• Rootkit history
• Rootkit tools & removal
• Rootkit demonstration
• Windows Hardening
• Microsoft Security Essentials (MSE)

Page 3:

What is a “rootkit”?

“… originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access.”

(Wikipedia)

Page 4:

What is a “rootkit”?

Current definition:

A rootkit is designed to hide the existence of certain processes or programs from normal methods of detection.

(Wikipedia)

Page 5:

History of Rootkits

Brain Virus (1968)
• First documented computer virus
• Used cloaking techniques to hide itself
• Intercepted attempts to read the boot sector and redirected them to the place on disk where copies of the original boot sector were kept.

Page 6:

History of Rootkits

C compiler exploit (1983)

• Discovered by Ken Thompson of Bell Labs (one of the creators of Unix)

• Subverted the C compiler by recompiling with two Trojan Horses

Page 7:

History of Rootkits

C compiler exploit (1983)

– First, detected attempts to compile the “login” command
• Login would accept the user's correct password and also one that the attacker specified
• Allowed the attacker to log into any account on the system

Page 8:

History of Rootkits

C compiler exploit (1983)

– Second, detected attempts to recompile the compiler itself
• Inserted the same exploits into the new compiler
• Inspection of the source would not reveal any malicious code

These exploits are equivalent to a rootkit

Page 9:

History of Rootkits

Earliest known rootkit (1990)

• Written by Lane Davis and Steven Dake
• Targeted the SunOS UNIX operating system

Page 10:

History of Rootkits

NTRootkit (1999)
• First malicious rootkit for Windows NT
• Created by Greg Hoglund
• Implemented as a Trojan
• Used OS hooks to conceal its presence

(McAfee)

Page 11:

History of Rootkits

HackerDefender (2003)

• First rootkit targeting Mac OS X
• Used OS hooks to conceal its presence

(McAfee)

Page 12:

History of Rootkits

Greek wiretapping (2004-2005), AKA “Greek Watergate”

• Targeted mobile phones of important Greek government members and civil servants
– Rootkit targeted the telephone exchange
– Patched the memory of the exchange, the audit log, active processes, and active data blocks

Page 13:

History of Rootkits

Greek wiretapping (2004-2005), AKA “Greek Watergate”

– Modified the data block checksum verification command

– Backdoor allowed operator with sysadmin status to access surveillance information and allow rootkit updates

– Rootkit discovered after an update prevented SMS messages from being delivered

– Identity of perpetrators is still unknown

Page 14:

History of Rootkits

Sony BMG (2005)
• Published CDs with copy protection software: Extended Copy Protection, created by First 4 Internet
• The software included a music player that silently installed a rootkit to hide files whose names started with $sys$
• Discovery of this rootkit led to malware taking advantage of affected systems

Page 15:

History of Rootkits

RootkitRevealer (2006)

• Created by Mark Russinovich
• Windows rootkit discovery software
• Identifies Windows Registry and file system API discrepancies, which may indicate the presence of a rootkit

Page 16:

History of Rootkits

Stuxnet (2010)
• First to target programmable logic controllers (PLC)

(Wikipedia)

Page 17:

History of Rootkits

Ubisoft DRM (2012)
• Ubisoft’s game DRM used the internet connection to ensure any game played was legal
• Created a backdoor allowing continued privileged access to the user’s machine.
• Ubisoft: “…not a rootkit.” Just a “coding error”

Hanlon’s Razor - “Never attribute to malice that which is adequately explained by stupidity.”

(Geek, lazygamer)

Page 18:

Types of Rootkits

• Persistent Rootkits
• Memory-Based Rootkits
• User-mode Rootkits
• Kernel-mode Rootkits

(Windows Sysinternals)

Page 19:

Types of Rootkits

Persistent Rootkits
• Malware activates each time the system boots
• Store code in a persistent store, such as the Registry or file system
• Configure a method by which the code executes without user intervention

Page 20:

Types of Rootkits

Memory-Based Rootkits
• Has no persistent code
• Does not survive a reboot

Page 21:

Types of Rootkits

User-mode Rootkits
• Attempts to evade detection:

– The Windows native API is the interface between user-mode clients and kernel-mode services

– Sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API

– This prevents detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration

Page 22:

Types of Rootkits

Kernel-mode Rootkits
• Can intercept the native API and directly manipulate kernel-mode data structures
– Hides the presence of malware processes by removing the process from the kernel's list of active processes.
– The malware process will not display in process management tools like Task Manager or Process Explorer.
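The cross-view idea behind the detection described on Page 21 (compare a high-level enumeration against a lower-level one) and the list-unlinking described on Page 22, as an added simulation that is not code from the slides or from any of the tools named here. The hooked listing, the sentinel-headed process list, the pid table and every sample file name and pid are constructed stand-ins for the real Windows structures they are labelled with.

```python
# Added, simulated example: the hook, the unlink and all data are constructed stand-ins.
SONY_PREFIX = "$sys$"   # prefix the Sony BMG rootkit hid (Page 14)

def cross_view_diff(high_level, low_level):
    """Hidden = in the low-level view but not the high-level one; phantom = the reverse."""
    high, low = set(high_level), set(low_level)
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}

# user-mode case (Page 21): a hook filters the Win32 directory enumeration
RAW_FILES = ["player.exe", "$sys$drv.sys", "$sys$svc.exe", "readme.txt"]  # constructed

def hooked_find_files(raw_listing):
    """Simulated user-mode hook (think FindNextFile) that drops $sys$ entries."""
    return [f for f in raw_listing if not f.startswith(SONY_PREFIX)]

def detect_hidden_files(raw_listing=RAW_FILES):
    """High-level view = the hooked API; low-level view = a raw read of the volume."""
    return cross_view_diff(hooked_find_files(raw_listing), raw_listing)

# kernel-mode case (Page 22): DKOM unlinks a process from the active-process list
class Proc:  # stand-in for an EPROCESS block with its ActiveProcessLinks entry
    def __init__(self, pid, name):
        self.pid, self.name, self.prev, self.next = pid, name, self, self

def build_kernel(procs):
    """Sentinel-headed circular list (PsActiveProcessHead) plus pid table (PspCidTable)."""
    head, table = Proc(-1, "<list head>"), {}
    for pid, name in procs:
        p = table[pid] = Proc(pid, name)
        p.prev, p.next = head.prev, head
        head.prev.next = head.prev = p      # append just before the sentinel
    return head, table

def walk_active_list(head):  # what Task Manager ultimately sees
    seen, p = [], head.next
    while p is not head:
        seen.append(p.pid)
        p = p.next
    return seen

def dkom_unlink(table, pid):
    """FU's trick: splice the block out of the list; the pid table still holds it."""
    p = table[pid]
    p.prev.next, p.next.prev = p.next, p.prev

def detect_hidden_processes():
    head, table = build_kernel([(4, "System"), (812, "svchost.exe"), (1336, "hidden.exe")])
    dkom_unlink(table, 1336)
    scanned = [pid for pid in range(0, 4096, 4) if pid in table]  # Blacklight-style pid probe
    return cross_view_diff(walk_active_list(head), scanned)
```

Both detectors report the entry the rootkit removed from the high-level view, which is exactly the kind of discrepancy RootkitRevealer and Blacklight flag; a rootkit that hooks the lower-level view as well defeats this check, which is why Page 23 recommends combining tools.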

Page 23:

Rootkit Removal

• OS Reinstall
– May require boot sector repair

• Rootkit Detection/Removal Tools
– Some tools are specific to one type of rootkit
– We will demo two of these tools today.

• Manual Removal
– Complicated.
– It is advised that you do this in conjunction with rootkit detection tools (e.g. Blacklight)

Page 24:

Rootkit Tools

• The tools we will be using for our demo:

– RootkitRevealer

– Blacklight

– FU Rootkit

Page 25:

Rootkit Tools

• RootkitRevealer
– Displays Registry and File System API discrepancies
– Works on user-mode and kernel-mode rootkits
– Runs on Windows XP and Windows Server 2003

Page 26:

Rootkit Tools

• Blacklight
– Detects hidden processes, files, and directories
– Helps remove hidden files and directories
– Runs on Windows

Page 27:

Rootkit Tools

• FU Rootkit
– Kernel-mode rootkit
– Hides running processes and kernel-mode modules
– Directly modifies certain kernel data structures used by the operating system
– Does not actively try to hide itself

Page 28:

Rootkit Demonstration

Page 29:

Windows Hardening

• Download a current anti-virus solution and keep it updated

• Install all current Windows patches
• Do not use Windows with an admin-level account
• Always choose the public network profile when setting up networking

Page 30:

Windows Hardening

• Turn on Data Execution Prevention
– If DEP sees a program using memory incorrectly, it will shut the program down
• Disable unnecessary network protocols like IPv6 and NetBIOS if not in use
• Practice safe browsing habits: if in doubt, don’t click it.

Page 31:

Microsoft Security Essentials

• Built on the Microsoft Malware Prevention Engine

• Designed for Small Business or Home User

• Does not include a firewall

– (uses Windows Firewall)

• Does not include centralized management features.

Page 32:

Microsoft Security Essentials

• Initial Public Beta – June 23 2009
– Final build of Version 1.0 released Sept 29 2009

• Version 2.0 released Dec 16 2010
– 2.0 included a Network Inspection System
– Network intrusion detection for Windows Vista & 7
– 2.0 included a new engine employing heuristics in malware detection.
– Suspicious files are executed in a virtual machine that looks for suspect activity

Page 33:

Microsoft Security Essentials

• Version 4.0 released April 24 2012
– Improved memory overhead
– Improved scanning engine

• September 2012
– MSE loses AV-Test certification with a poor protection score

Page 34:

Microsoft Security Essentials

• October 2012: Windows 8 is released
– Does not have MSE
– It is speculated that Microsoft switched their focus to Windows Defender for Windows 8

• For a free solution, MSE is still a very good product

Page 35:

Conclusions

• Rootkits evade detection by intercepting native system calls and disguising their activities.

• Rootkit detection software can identify potential rootkits (but may not remove them)

• Windows hardening starts with basics: updates and a security software solution!

Page 36:

Summary

• Definition of a Rootkit

• Rootkit History

• Types of Rootkits
• Rootkit Removal
• Rootkit Tools & Demonstration
• Windows Hardening
• Microsoft Security Essentials

Page 37:

References

• McAfee: http://web.archive.org/web/20060823090948/http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf
• Wikipedia: http://en.wikipedia.org/wiki/Rootkit
• Wikipedia: http://en.wikipedia.org/wiki/RootkitRevealer
• Windows Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
• F-Secure: http://www.f-secure.com/v-descs/fu.shtml
• Softpedia: http://www.softpedia.com/get/Antivirus/F-Secure-BlackLight-Rootkit-Detection.shtml
• Geek: http://www.geek.com/games/ubisoft-uplay-drm-found-to-include-a-rootkit-1506163/
• lazygamer: http://www.lazygamer.net/general-news/ubisoft-rootkit-just-a-bug/