Rootkits
What are they? What do they do? Where do they come from?

Introduction
Bill Richards
• Adjunct Professor at Rose since 2004
• Defense Information Systems Agency
  • Defense Enterprise Computing Center – Oklahoma City (Tinker AFB) since 1995
  • Network Security Officer since 2002
  • Responsible for the security of 9 remote networks:
    45+ Mainframes (IBM, UNISYS and TANDEM)
    1400+ Mid-Tier Servers (UNIX and Windows)
    400+ Network devices (Cisco, Juniper, Sidewinder, BigIP, etc.)

Rootkits are a serious threat to network and system security, and most administrators know little about them.
The defining characteristic is stealth
• Viruses reproduce, but rootkits hide!
Difficult to detect
Difficult to remove
Carry a variety of payloads
• Key loggers
• Password sniffers
• Remote consoles
• Back doors
• And more!!!

What is a Rootkit?
The term rootkit is old and pre-dates MS Windows
It gets its name from the UNIX superuser user ID, "root" (aka administrator for windoze users)
A rootkit does not typically cause deliberate damage

What is a Rootkit?
A collection of files designed to evade normal detection by hiding processes, ports, files, etc.
Typically used to hide malicious software from detection while simultaneously collecting information:
• user IDs
• passwords
• IP addresses, etc.
Some rootkits phone home and/or set up backdoors

What is a Rootkit?
A rootkit does NOT compromise a host by itself
A vulnerability must be exploited to gain access to the host before a rootkit can be deployed
The purpose of a rootkit is NOT to gain access to a system but, once installed, to preserve existing access and support the goals of the bad guy

Recent Rootkit History
NAME               OS       Discovered  Alias
Troj/Stex-A        Windows  10-Nov-06   TROJ_DLOADER.ESG
Troj/NTRootK-AS    Windows  8-Nov-06    Generic RootKit.a
Troj/RusDrp-D      Windows  7-Nov-06    Win32/Rustock.NAE
Troj/Lager-R       Windows  7-Nov-06    ~
Troj/Shellot-L     Windows  6-Nov-06    ~
Troj/Dloadr-APN    Windows  4-Nov-06    Trojan-Downloader.Win32.Tiny.eo
Troj/Agent-DPN     Windows  4-Nov-06    Win32/TrojanDropper.Small.APR
Troj/Small-DLH     Windows  4-Nov-06    Win32/TrojanClicker.Small.KJ
Troj/NetAtk-Gen    Windows  2-Nov-06    Backdoor.Win32.Zosu.a
Troj/Goldun-EH     Windows  2-Nov-06    ~
Linux/Rootkit-V    Linux    Jan-06      ~
SunOS/Rootkit-B    SunOS    Dec-05      ~
Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm

Rootkit History 1998 to 2002
NAME                   OS       Discovered  Alias
Troj/RootKit-I         SunOS    Nov-02      Backdoor.HackDefender
Linux/Rootkit-FKit     Linux    Nov-02      ~
FreeBSD.Rootkit        FreeBSD  Oct-02      ~
Linux/Kokain           Linux    Aug-02      ~
Troj/Rootkit-A         Linux    Jun-02      ~
Troj/Rootkit-C         Linux    Feb-02      ~
Beastkit 7.0           Linux    Jan-02      ~
Linux/RootKit-BTM      Linux    Oct-01      ~
Hacktool.Rootkit       Windows  Sep-01      ~
Linux/Rootkit          Linux    Apr-01      ~
Troj/Lrk4              Linux    Mar-01      ~
Troj/T0rn-Kit          Linux    Mar-01      ~
Linux/Rootkit-Knark    Linux    Mar-01      ~
Linux/Rootkit-Lrk      Linux    Nov-98      ~
Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm

How rootkits work
A vulnerable system is detected and targeted
• unpatched, zero-day exploit, poor configuration, etc.
The targeted host is exploited via automated or manual means
Root or Administrator access is obtained
Payload is installed
Rootkit is activated and redirects system calls
• Prevents the OS from "seeing" rootkit processes and files EVEN AFTER the host is patched and the original malware is removed

How rootkits work
[Diagram: the user types "dir c:\". The real NTFS directory holds "docs", "rootkit" and "windows". The command goes to the Windows DLL, which calls ReadFile(); the DLL is "tricked" into thinking it can't execute the command and calls the rootkit DLL instead. The rootkit filters the results to hide itself, so the "rootkit" entry never appears in the listing.]

Common Windows rootkits
Hacker Defender (Hxdef)
• A rootkit for Windows NT 4.0, Windows 2000 and Windows XP
• Avoids antivirus detection
• Is able to hook into the Logon API to capture passwords
• The developers accept money for custom versions that avoid all detectors
FU
• Nullifies Windows Event Viewer
• Hides device drivers
• Recently added "Shadow Walking" (read Phrack 63)

Common UNIX rootkits
SucKIT
• Loaded through /dev/kmem
• Provides a password-protected remote-access connect-back shell initiated by a spoofed packet
• This method bypasses most firewall configurations
• Hides processes, files and connections
Adore
• Hides files, processes, services, etc.
• Can execute a process (e.g. /bin/sh) with root privileges
• Controlled with a helper program, ava
• Cannot be removed by the rmmod command
kis
• A client/server system to remotely control a machine, with a kernel rootkit as the server on the remotely controlled machine
• It can hide processes, files and connections, redirect execution, and execute commands
• It hides itself and can remove security modules already loaded

Detection & Removal
Detection that doesn't always work:
• Antivirus (Norton, McAfee, AVG, etc.)
• Anti-Spyware (AdAware, Giant, Spybot, etc.)
• Port scanning
• Manually looking
Detection that can work:
• Sudden system instability/sluggishness
• Sudden spike in traffic
• MS RootkitRevealer
• F-Secure Black Light

Detection & Removal
[Diagram: a scanner asks the compromised OS to "list running processes". The request goes through a "hooked" DLL, and the rootkit answers "nothing to see here".]
"Online" detection (e.g. virus scans) relies on the OS's API to report files and processes. The API has been "hooked," however, so the rootkit remains concealed.

Detection & Removal
[Diagram: Black Light, Rootkit Revealer, etc. ask the compromised OS to "list running processes" twice: once through the "hooked" DLL ("nothing found") and once through the tool's own alternate API ("something found"). Results != means a possible rootkit.]
Rootkit detection compares the results of the OS's API with the results of a clean (raw) API provided by the tool. Discrepancies are potential rootkits.

Detection & Removal
[Diagram: Knoppix, WindowsPE, W.O.L.F., etc. run as an alternate OS and are asked to "list running processes" and files on the compromised system's disk: "rootkit detected".]
Doing an "offline" detection with a different OS to report files and processes. If the alternate OS is clean, the rootkit will be detected.

Detection & Removal
The only 100% sure removal:
• Format the drive and do a clean install
Some tools can remove some rootkits
• But what was hidden may not get cleaned
• You cannot trust a system that's been rootkit'ed
Passwords on the rootkit'ed system are suspect
• So change your passwords on the clean host

Prevention
Keep hosts updated
• OS
• Applications
Limit host exposure
• Un-needed services
Use firewalls
Situational awareness
• CERT, Bugtraq, security web sites, etc.

Some Reference Sites
http://www.rootkit.com
http://www.packetstormsecurity.org
http://www.rootkit.nl

Questions?
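The "hooked API" model from the How rootkits work diagram and the "OS API vs. raw API" comparison from the Detection & Removal slides, as one added Python example. This is not code from the deck, nor from RootkitRevealer or Black Light; it assumes a Linux host with /proc for the live part, and the PID numbers in the demo are constructed. Part 1 models a hooked "list running processes" API that filters out the rootkit's PIDs and a detector that diffs it against an unhooked view. Part 2 applies the same diff to a live Linux host: the "API view" is the readdir listing of /proc (what ps and top use), and the "raw view" opens every /proc/<pid>/status by name, which a readdir-level (user-mode) hook cannot filter.

```python
"""Cross-view rootkit detection: compare a possibly hooked view of the
process list with a raw view that does not go through the hook.

Added example; not from the original slides or any named tool.
"""
import os
import sys
from typing import Dict, Iterable, List


# --- Part 1: constructed model of the hook and the detector -----------------

def hooked_process_view(real_pids: Iterable[int], hidden_pids: Iterable[int]) -> List[int]:
    """Model of the hooked "list running processes" API from the slides:
    it answers with the real process list minus whatever the rootkit hides."""
    hidden = set(hidden_pids)
    return sorted(p for p in real_pids if p not in hidden)


def raw_process_view(real_pids: Iterable[int]) -> List[int]:
    """Model of a clean (raw) view that bypasses the hook."""
    return sorted(set(real_pids))


def cross_view_diff(api_view: Iterable[int], raw_view: Iterable[int]) -> Dict[str, List[int]]:
    """'hidden'  = in the raw view but missing from the API view (the
                   discrepancy the slides flag as a possible rootkit);
       'phantom' = reported by the API but absent from the raw view
                   (also suspicious: a stale view or a spoofed entry)."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


# --- Part 2: live Linux cross-view (assumes /proc; skipped on other OSes) ---

def pid_max() -> int:
    """Upper bound for PID numbers on this host (falls back to the old default)."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768


def proc_listing_view() -> List[int]:
    """API view: numeric entries of /proc, the same source ps/top use."""
    return sorted(int(n) for n in os.listdir("/proc") if n.isdigit())


def pid_probe_view(limit: int) -> List[int]:
    """Raw view: open /proc/<pid>/status for every PID below `limit`.
    A directory entry that readdir hides can still be opened by name.
    Threads also have /proc/<tid> entries that readdir legitimately omits,
    so keep only entries whose Tgid equals the PID (real processes)."""
    found = []
    for pid in range(1, limit):
        try:
            with open(f"/proc/{pid}/status") as fh:
                for line in fh:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) == pid:
                            found.append(pid)
                        break
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue
    return found


def live_linux_check(limit: int = 0) -> Dict[str, List[int]]:
    """Cross-view comparison against the running host. Processes that start
    or exit between the two views cause one-off discrepancies, so repeat the
    check before acting. A kernel-level hook can filter both paths
    consistently, which is why the slides recommend offline detection."""
    return cross_view_diff(proc_listing_view(), pid_probe_view(limit or pid_max()))


if __name__ == "__main__":
    # Constructed demo: five real processes, one hidden by the "rootkit".
    real = {1, 2, 100, 4242, 7777}
    api = hooked_process_view(real, hidden_pids={4242})
    print("hooked API says:", api)                               # [1, 2, 100, 7777]
    print("discrepancies:  ", cross_view_diff(api, raw_process_view(real)))  # {'hidden': [4242], 'phantom': []}
    if sys.platform.startswith("linux"):
        print("live host:", live_linux_check())
```

Run it as a script: the constructed demo prints the hidden PID 4242 as a discrepancy, and on Linux it then walks the host's own PID space (up to pid_max, which takes some seconds on hosts with a 4-million PID range). An empty "hidden" list only means no readdir-level hiding was observed; it says nothing about a kernel-level rootkit, which is the case the offline-boot slides cover.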