Rootkits What are they? What do they do? Where do they come from?


Post on 05-Jan-2016


TRANSCRIPT

<ul>
<li><p>Rootkits</p><p>What are they? What do they do? Where do they come from?</p></li>
<li><p>Introduction</p><ul>
<li>Bill Richards</li>
<li>Adjunct Professor at Rose since 2004</li>
<li>Defense Information Systems Agency, Defense Enterprise Computing Center Oklahoma City (Tinker AFB) since 1995</li>
<li>Network Security Officer since 2002</li>
<li>Responsible for the security of 9 remote networks: 45+ mainframes (IBM, UNISYS and TANDEM), 1400+ mid-tier servers (UNIX and Windows), 400+ network devices (Cisco, Juniper, Sidewinder, BigIP, etc.)</li>
</ul></li>
<li><p>Rootkits are a serious threat to network and system security, and most administrators know little about them.</p><ul>
<li>The defining characteristic is stealth: viruses reproduce, but rootkits hide!</li>
<li>Difficult to detect</li>
<li>Difficult to remove</li>
<li>Carry a variety of payloads: key loggers, password sniffers, remote consoles, back doors, and more!!!</li>
</ul></li>
<li><p>What is a Rootkit?</p><ul>
<li>The term rootkit is old and pre-dates MS Windows.</li>
<li>It gets its name from the UNIX superuser user ID, root (a.k.a. Administrator for windoze users).</li>
<li>A rootkit does not typically cause deliberate damage.</li>
</ul></li>
<li><p>What is a Rootkit?</p><ul>
<li>A collection of files designed to evade normal detection by hiding processes, ports, files, etc.</li>
<li>Typically used to hide malicious software from detection while simultaneously collecting information: user IDs, passwords, IP addresses, etc.</li>
<li>Some rootkits phone home and/or set up backdoors.</li>
</ul></li>
<li><p>What is a Rootkit?</p><ul>
<li>A rootkit does NOT compromise a host by itself.</li>
<li>A vulnerability must be exploited to gain access to the host before a rootkit can be deployed.</li>
<li>The purpose of a rootkit is NOT to gain access to a system but, after being installed, to preserve existing access and support the goals of the bad guy.</li>
</ul></li>
<li><p>Recent Rootkit History</p><p>Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm</p>
<table>
<tr><th>NAME</th><th>OS</th><th>Discovered</th><th>Alias</th></tr>
<tr><td>Troj/Stex-A</td><td>Windows</td><td>10-Nov-06</td><td>TROJ_DLOADER.ESG</td></tr>
<tr><td>Troj/NTRootK-AS</td><td>Windows</td><td>8-Nov-06</td><td>Generic RootKit.a</td></tr>
<tr><td>Troj/RusDrp-D</td><td>Windows</td><td>7-Nov-06</td><td>Win32/Rustock.NAE</td></tr>
<tr><td>Troj/Lager-R</td><td>Windows</td><td>7-Nov-06</td><td></td></tr>
<tr><td>Troj/Shellot-L</td><td>Windows</td><td>6-Nov-06</td><td></td></tr>
<tr><td>Troj/Dloadr-APN</td><td>Windows</td><td>4-Nov-06</td><td>Trojan-Downloader.Win32.Tiny.eo</td></tr>
<tr><td>Troj/Agent-DPN</td><td>Windows</td><td>4-Nov-06</td><td>Win32/TrojanDropper.Small.APR</td></tr>
<tr><td>Troj/Small-DLH</td><td>Windows</td><td>4-Nov-06</td><td>Win32/TrojanClicker.Small.KJ</td></tr>
<tr><td>Troj/NetAtk-Gen</td><td>Windows</td><td>2-Nov-06</td><td>Backdoor.Win32.Zosu.a</td></tr>
<tr><td>Troj/Goldun-EH</td><td>Windows</td><td>2-Nov-06</td><td></td></tr>
<tr><td>Linux/Rootkit-V</td><td>Linux</td><td>Jan-06</td><td></td></tr>
<tr><td>SunOS/Rootkit-B</td><td>SunOS</td><td>Dec-05</td><td></td></tr>
</table></li>
<li><p>Rootkit History 1998 to 2002</p><p>Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm</p>
<table>
<tr><th>NAME</th><th>OS</th><th>Discovered</th><th>Alias</th></tr>
<tr><td>Troj/RootKit-I</td><td>SunOS</td><td>Nov-02</td><td>Backdoor.HackDefender,</td></tr>
<tr><td>Linux/Rootkit-FKit</td><td>Linux</td><td>Nov-02</td><td></td></tr>
<tr><td>FreeBSD.Rootkit</td><td>FreeBSD</td><td>Oct-02</td><td></td></tr>
<tr><td>Linux/Kokain</td><td>Linux</td><td>Aug-02</td><td></td></tr>
<tr><td>Troj/Rootkit-A</td><td>Linux</td><td>Jun-02</td><td></td></tr>
<tr><td>Troj/Rootkit-C</td><td>Linux</td><td>Feb-02</td><td></td></tr>
<tr><td>Beastkit 7.0</td><td>Linux</td><td>Jan-02</td><td></td></tr>
<tr><td>Linux/RootKit-BTM</td><td>Linux</td><td>Oct-01</td><td></td></tr>
<tr><td>Hacktool.Rootkit</td><td>Windows</td><td>Sep-01</td><td></td></tr>
<tr><td>Linux/Rootkit</td><td>Linux</td><td>Apr-01</td><td></td></tr>
<tr><td>Troj/Lrk4</td><td>Linux</td><td>Mar-01</td><td></td></tr>
<tr><td>Troj/T0rn-Kit</td><td>Linux</td><td>Mar-01</td><td></td></tr>
<tr><td>Linux/Rootkit-Knark</td><td>Linux</td><td>Mar-01</td><td></td></tr>
<tr><td>Linux/Rootkit-Lrk</td><td>Linux</td><td>Nov-98</td><td></td></tr>
</table></li>
<li><p>How rootkits work</p><ul>
<li>A vulnerable system is detected and targeted (unpatched, zero-day exploit, poor configuration, etc.).</li>
<li>The targeted host is exploited via automated or manual means.</li>
<li>Root or Administrator access is obtained.</li>
<li>The payload is installed.</li>
<li>The rootkit is activated and redirects system calls.</li>
<li>It prevents the OS from seeing rootkit processes and files EVEN AFTER the host is patched and the original malware is removed.</li>
</ul></li>
<li><p>How rootkits work</p><p>Diagram: the user runs dir c:\ ; ReadFile() issues the NTFS command, and NTFS answers with C:\windows, rootkit and docs. The Windows DLL, tricked into thinking it can't execute the command, calls the rootkit DLL instead; the rootkit filters the results to hide itself, so the user sees only docs and windows.</p></li>
<li><p>Common Windows rootkits</p><ul>
<li>Hacker Defender (Hxdef): a rootkit for Windows NT 4.0, Windows 2000 and Windows XP. Avoids antivirus detection. Is able to hook into the Logon API to capture passwords. The developers accept money for custom versions that avoid all detectors.</li>
<li>FU: nullifies the Windows Event Viewer. Hides device drivers. Recently added Shadow Walker (read Phrack 63).</li>
</ul></li>
<li><p>Common UNIX rootkits</p><ul>
<li>SucKIT: loaded through /dev/kmem. Provides a password-protected remote-access connect-back shell initiated by a spoofed packet (this method bypasses most firewall configurations). Hides processes, files and connections.</li>
<li>Adore: hides files, processes, services, etc. Can execute a process (e.g. /bin/sh) with root privileges. Controlled with a helper program, ava. Cannot be removed by the rmmod command.</li>
<li>kis: a client/server system to remotely control a machine, with a kernel rootkit as the server on the remotely controlled machine. It can hide processes, files and connections, redirect execution, and execute commands. It hides itself and can remove security modules already loaded.</li>
</ul></li>
<li><p>Detection &amp; Removal</p><p>Detection that doesn't always work:</p><ul>
<li>Antivirus (Norton, McAfee, AVG, etc.)</li>
<li>Anti-Spyware (AdAware, Giant, Spybot, etc.)</li>
<li>Port scanning</li>
<li>Manually looking</li>
</ul><p>Detection that can work:</p><ul>
<li>Sudden system instability/sluggishness</li>
<li>Sudden spike in traffic</li>
<li>MS RootkitRevealer</li>
<li>F-Secure BlackLight</li>
</ul></li>
<li><p>Detection &amp; Removal</p><p>Diagram: "list running processes" goes to the compromised OS through a hooked DLL, the rootkit answers, and the result is "nothing to see here". Online detection (e.g. virus scans) relies on the OS's API to report files and processes. The API has been hooked, however, so the rootkit remains concealed.</p></li>
<li><p>Detection &amp; Removal</p><p>Diagram: "list running processes" is issued twice on the compromised OS, once through the hooked DLL ("nothing found") and once through an alternate API ("something found"); Results != means a possible rootkit. Detection compares the results of the OS's API with the results of a clean (raw) API provided by the tool. Discrepancies are potentially rootkits. Tools: BlackLight, RootkitRevealer, etc.</p></li>
<li><p>Detection &amp; Removal</p><p>Diagram: "list running processes" is issued from an alternate OS against the compromised OS's disk, and the result is "rootkit detected". Offline detection uses a different OS to report files and processes. If the alternate OS is clean, the rootkit will be detected. Examples: Knoppix, Windows PE, W.O.L.F., etc.</p></li>
<li><p>Detection &amp; Removal</p><ul>
<li>The only 100% sure removal: format the drive and do a clean install.</li>
<li>Some tools can remove some rootkits, but what was hidden may not get cleaned.</li>
<li>You cannot trust a system that's been rootkited.</li>
<li>Passwords on the rootkited system are suspect, so change your passwords on the clean host.</li>
</ul></li>
<li><p>Prevention</p><ul>
<li>Keep hosts updated: OS and applications.</li>
<li>Limit host exposure: remove unneeded services, use firewalls.</li>
<li>Situational awareness: CERT, Bugtraq, security web sites, etc.</li>
</ul></li>
<li><p>Some Reference Sites</p><ul>
<li>http://www.rootkit.com</li>
<li>http://www.packetstormsecurity.org</li>
<li>http://www.rootkit.nl</li>
</ul><p>Questions?</p></li>
</ul>
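The cross-view detection the slides describe (one listing through the normal API, one through a path the rootkit has to hook separately, then compare) carried out for a Linux host. This is an added example written for this transcript, not code from the presentation or from any of the tools it names; it assumes Linux /proc and kill(2) semantics, and the hooked-DLL picture on the slides is Windows, but the comparison logic is the same.

```python
import os

def listed_pids():
    """API view: readdir() on /proc, the listing ps and top rely on."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pid_in_use(pid):
    """Raw view: kill() with signal 0 delivers nothing but says if the PID exists."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:   # exists, just not ours to signal
        return True

def thread_group(pid):
    """Tgid from /proc/<pid>/status, or None if unreadable; kill() also answers
    for thread IDs, and a thread of a visible process is not a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def is_hidden(pid, listed, tgid):
    """Pure decision step: answered the probe, absent from the listing, and not
    merely a thread of a listed process (the slides' "Results !=" case)."""
    if pid in listed:
        return False
    return not (tgid is not None and tgid != pid and tgid in listed)

def scan(pid_max=None, rounds=2):
    """Report PIDs hidden in every round; listing before and after the probe
    keeps processes that start or exit mid-scan from being flagged."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    suspects = None
    for _ in range(rounds):
        before = listed_pids()
        answered = {p for p in range(1, pid_max + 1) if pid_in_use(p)}
        listed = before | listed_pids()
        found = {p for p in answered if is_hidden(p, listed, thread_group(p))}
        suspects = found if suspects is None else suspects & found
    return sorted(suspects)
```

scan() with the default pid_max probes every possible PID, which takes a while in Python. A non-empty result is a discrepancy to follow up from a clean boot environment, as the slides recommend, not proof on its own.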
