Rootkits and protection against them.
Dhiresh Salian
Regional Information Security Manager
Microsoft Corporation.
Copyright Microsoft Corp. 2006
Agenda
Internet Security Threat Report*
Understanding The Landscape
Rootkits – Defined
Root Problem
Types of rootkits
Defending against rootkits
Rootkits in limelight
Microsoft Ghostbuster – Strider
Recap
* Symantec Internet security threat report Vol VIII
Internet Security Threat Report
Key Findings
Attackers motivated by financial gains
Traditional perimeter defenses not enough
Web applications and web browsers increasingly targeted
BOT networks again on the rise
BOT network activity increased 143% over the last reporting period
DoS attacks grew 680% to an average of 927 attacks per day
59% of all vulnerabilities reported to Symantec were web application vulnerabilities
Web browser with the most vulnerabilities – Mozilla family (25)
Internet Security Threat Report
Changing Trends
10,866 new virus and worm variants, representing a 48% increase over the previous reporting period
The number of new viruses and worms is slowing
Variants of them are growing
Changing threat landscape: motivated by financial gain
BOT networks for rent
GPcoder Trojan
Internet Security Threat Report
Changing Trends
Mobile malicious code: advent of the first MMS worms
Commwarrior
Skulls Trojan – affects Symbian
Additional Security Risks
Phishing messages: volume grew from 2.9 million a day to 5.7 million a day
1 out of every 125 messages is a phishing attack
General trend away from hacking for fame to hacking for fortune
Identity theft ring was able to net over $2M in one instance (FBI)
Internet Security Threat Report
Additional Security Risks
Average percentage of email that is spam is 61%
Spammers use BOTs to try and obscure their actual location
Adware and Spyware
Shotathome agent accounted for 19% of adware reported
Webenhancer: most reported spyware, accounting for 29%
Concerns over their installation, end user license agreement (EULA), updating and removal
Understanding The Landscape
[Diagram: attacker motivation plotted against attacker skill. Motivations: Curiosity, Personal Fame, Personal Gain, National Interest. Attacker types: Script-Kiddy, Vandal, Trespasser, Thief, Spy. Author skill levels: Hobbyist, Hacker, Expert, Specialist. Callout on the fastest growing segment: tools created by experts now used by less skilled attackers and criminals.]
Rootkits - Defined
Rootkit definition (as per Symantec):
“Rootkit
A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine. Actions performed by a rootkit, such as installation and any form of code execution, are done without end user consent or knowledge.
Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to provide an undetectable environment for malicious code to execute. Attackers will typically leverage vulnerabilities in the target machine, or use social engineering techniques, to manually install rootkits. Or, in some cases, rootkits can be installed automatically upon execution of a virus or worm or simply even by browsing to a malicious website.
Once installed, an attacker can perform virtually any function on the system to include remote access, eavesdropping, as well as hide processes, files, registry keys and communication channels.”
Root Problem
Common on UNIX platforms; rootkits on the Windows OS are a recent phenomenon
Trojanize key system files
In Windows: a different approach
Registers with the OS and intercepts program requests made to standard Windows APIs
Since it intercepts system calls and filters the results, anti-malware tools are not effective
Root Problem
In Unix: replaces standard Unix system files like ps
Some rootkits are more sophisticated: they add their own code to every process currently running on a computer
Some rootkits use a polymorphic wrapper that constantly changes the appearance of the spyware file, making it very difficult for anti-spyware/malware programs to detect
How does a rootkit infect anyone? The same way as other malware: a malicious web site, someone copying it directly onto your computer, or through a trojan
Types of Rootkits
File or User Level Rootkits
Basic type of rootkit – operates at application level
Intercepts standard user mode APIs
Can affect users with lower privilege
Legitimate program replaced with a Trojaned version
Files commonly trojanized: login, ls, ps, find, who, netstat
Targets files usually used by administrators
Kernel Level Rootkits
More advanced and difficult to detect
Operate at kernel level
Live in kernel mode as a device driver
Require administrator level access
Do not modify system files – integrity checkers will not be able to detect them
Attacker can intercept system calls
Operate at lower levels within the Windows architecture
Types of Rootkits (cont’d)
Kernel mode data structure manipulation
Instead of attacking APIs, it attacks kernel data structures
It requires admin privileges
It can cause crashes and hence can be detected
More advanced variations possible. Example: FU
Process Hijacking
Hides a legitimate process
Code sits inside a legitimate process
Doesn’t survive reboot
Extremely hard to detect
Code Red used this stealth technique
Windows Architecture
[Diagram: Windows architecture. User mode: system processes (Session Manager, Winlogon, Services.exe, LSASS, Service Control Manager), services, and applications (Task Manager, Explorer, user applications), all calling into NTDLL.DLL, the kernel mode callable interface where user mode rootkits hook. Kernel mode: Config Manager (registry), Processes & Threads, Device & File System Drivers, Security Reference Monitor, I/O Manager and the Kernel, where kernel mode rootkits hook; the Hardware Abstraction Layer sits below.]
Defending against Rootkits.
All stealth mechanisms used by rootkits do have holes
Cloaking is not possible when the OS is offline
They induce system anomalies
They leave some APIs unfiltered
Simple way of detecting rootkits: comparing offline and online scans with WinDiff
Most effective defense: nail it before it gets installed
Up-to-date security practices
Good email practices
Virus protection
Rootkit detection tools: standard part of the security toolkit
Defending against Rootkits
File or User-level Rootkits
Use a kernel mode API and compare its results with the user mode API results
Create message digests
Use tools like Tripwire
Other programs: Chkrootkit (Unix, Linux), Data Sentinel (Windows)
Kernel-level Rootkits
Proper defense mechanisms
LPA: Least Privilege Access
Difference between offline and online scans
Other tools: Microsoft Antispyware, RootkitRevealer from Sysinternals, BlackLight from F-Secure
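The message-digest defense against file-level rootkits, as an added example in Python (not from the presentation, and not Tripwire's own code): a small Tripwire-style baseline that records a SHA-256 digest for every file under a directory and later reports which files were modified, added or removed. The directory tree, the file contents and the "trojanized ps" replacement are all constructed in a temporary directory for the demo.

```python
"""Tripwire-style integrity baseline for user-level rootkit detection.
Example added by the editor (not from the presentation or any Microsoft tool).
The sample tree below is constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 digest for every regular file under root.

    Caveat from the slides: this walk uses the OS file-enumeration API, which is
    exactly what a kernel-level rootkit filters, so files it hides never enter
    the baseline. Digests only catch files that were replaced in place."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree as it is now against a baseline taken when it was clean."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake bin/ directory, then simulate a
    user-level rootkit replacing ps and dropping an extra helper file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for name in ("login", "ls", "ps", "find", "who", "netstat"):
            (root / "bin" / name).write_bytes(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        baseline = build_baseline(root)  # taken while the system is known clean

        # Simulated trojanized ps (placeholder content) and an added file.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho trojaned ps placeholder\n")
        (root / "bin" / ".helper").write_bytes(b"constructed placeholder\n")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline off the machine (or on read-only media), since a rootkit with administrator access can rewrite a baseline kept on the disk it controls; and remember that a kernel-level rootkit, which hides files rather than replacing them, produces no digest change at all, which is why the slides pair this with the offline/online scan comparison.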
Malware/Spyware/Rootkit Tools
Sigcheck (www.sysinternals.com)
MSConfig.exe
Autoruns (www.sysinternals.com)
Process Explorer (www.sysinternals.com)
Rootkit Revealer (www.sysinternals.com)
Rootkits in Limelight
ContextPlus, Inc., makers of the Apropos and PeopleOnPage adware programs
Apropos, a spyware program, collects users' browsing habits and system information and reports back to the ContextPlus servers
Data is used to serve targeted pop-up advertisements while the user is surfing the web
Sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes
FU rootkit extremely widespread in 2005
FU only hides processes, elevates process privileges and fakes out the Windows Event Viewer
FU among the top five pieces of malware deleted by Microsoft’s free Windows Malicious Software Removal Tool
Rootkits in Limelight
Hacker Defender
A user mode rootkit
Author – “Holy Father”
Hides many things
Files, processes, services, registry values, ports
Is able to hook into the logon API to capture passwords
You can pay the developers money ($100-$900) for a custom version of the software to avoid detectors
Rootkits in Limelight
Customized Hacker Defender
Rootkits in Limelight
Symantec Corp. admitted using a rootkit-type feature in Norton SystemWorks
Hides a directory from Windows APIs to stop customers from accidentally deleting files
Norton SystemWorks’ Norton Protected Recycle Bin has a directory called NProtect that is hidden from Windows APIs. Since it is, files in the NProtect directory might not be scanned during virus scans
Norton recommends SystemWorks users update the product immediately to ensure greater protection
Rootkits in Limelight
Sony BMG’s DRM rootkit
Rootkit-like cloaking techniques used in the First 4 Internet DRM software Sony ships on its CDs
Extended Copy Protection (XCP) is a CD/DVD copy protection technology created by First 4 Internet Ltd
Software is designed to prevent protected CDs being played with anything other than an included media player
DRM software hides files, processes and registry keys
DRM service is named Plug and Play Device Manager
The DRM software hides its information by modifying the execution path of several Native API functions
Comes with no uninstall feature
EULA does not mention this cloaking or that it comes with no uninstall feature
Need to open a support call to uninstall the rootkit – possibility of crashing the computer
Demo: Malware detection tools
Rootkits in Limelight
Detecting Sony DRM rootkit
Microsoft Ghostbuster - Strider
Clever prototype developed by Microsoft
It detects arbitrary persistent and stealthy software, such as rootkits, Trojans and software keyloggers
How does it work?
The checker runs, stopping all services and flushing caches, and computes a checksum
Now the machine boots from the CD and computes the same checksum again
How to fool Ghostbuster?
Detect that such a checking program is running and either not lie to it or change the output as it's written to disk
Integrate into the BIOS rather than the OS
Give up on either being persistent or stealthy
Microsoft Ghostbuster - Strider
[Diagram: Step #1 – boot the infected drive and run “dir /s /a” (infected scan). Step #2 – clean boot from a WinPE CD and run “dir /s /a” again (clean scan). Step #3 – WinDiff the two listings; the entries present only in the clean scan are the files hidden by the rootkit.]
Effective against keyloggers: add keystrokes during the first scan. This will increase the size of the keylogger’s log, and it will be detected by the clean scan
To detect non-stealth malware, compare the file output with a known-good list
Compute a cryptographic hash of every file on the infected disk and match it against the Strider Known-* Database
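The two-scan comparison above (the WinDiff of an online “dir /s /a” listing against an offline one, plus the keystroke trick for keyloggers) and the online/offline comparison recommended on the earlier "Defending against Rootkits" slides, as an added example in Python. This is not Strider Ghostbuster's code; the two listings are constructed, the file names in them are placeholders, and the parser handles only the plain "dir /s /a" layout (a "Directory of" header per folder, one entry per line, "File(s)" summary lines).

```python
"""Cross-view diff of an online (infected) and an offline (clean boot) dir /s /a
listing, in the spirit of the two-scan approach on the slides. Example code added
by the editor; the listings below are constructed, not captured from a real system."""
import re
from typing import Dict, List

# Constructed sample: what "dir /s /a" returns while the rootkit is active and filtering.
ONLINE_SCAN = """\
 Directory of C:\\WINDOWS\\system32

02/15/2006  10:12 AM         1,234,567 kernel32.dll
02/15/2006  10:12 AM            41,984 ntdll.dll
03/01/2006  02:07 PM             1,024 keylog.dat
               3 File(s)      1,277,575 bytes

 Directory of C:\\WINDOWS\\system32\\drivers

02/15/2006  10:12 AM            12,288 beep.sys
               1 File(s)         12,288 bytes
"""

# Constructed sample: the same disk listed after a clean boot from WinPE (no filtering).
# keylog.dat has grown because keystrokes were typed during the first scan.
OFFLINE_SCAN = """\
 Directory of C:\\WINDOWS\\system32

02/15/2006  10:12 AM         1,234,567 kernel32.dll
02/15/2006  10:12 AM            41,984 ntdll.dll
03/01/2006  02:09 PM             2,048 keylog.dat
               3 File(s)      1,278,599 bytes

 Directory of C:\\WINDOWS\\system32\\drivers

02/15/2006  10:12 AM            12,288 beep.sys
03/01/2006  02:07 PM            24,576 hidden_by_rk.sys
               2 File(s)         36,864 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text: str) -> Dict[str, int]:
    """Map full path -> size in bytes for every file in a dir /s /a listing."""
    files: Dict[str, int] = {}
    current_dir = None
    for line in text.splitlines():
        header = DIR_RE.match(line)
        if header:
            current_dir = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if not entry or current_dir is None:
            continue  # blank lines and "File(s) ... bytes" summaries
        size, name = entry.group(3), entry.group(4)
        if size == "<DIR>" or name in (".", ".."):
            continue
        files[current_dir + "\\" + name] = int(size.replace(",", ""))
    return files


def cross_view_diff(online: str, offline: str) -> Dict[str, List[str]]:
    """Compare the view from inside the running OS with the view from outside it.

    hidden:      present offline but missing online -> cloaked by a rootkit
    only_online: present online but not offline -> usually churn between scans, not hiding
    grown:       larger offline than online -> candidate keylogger log (keystroke trick)"""
    on, off = parse_dir_listing(online), parse_dir_listing(offline)
    return {
        "hidden": sorted(set(off) - set(on)),
        "only_online": sorted(set(on) - set(off)),
        "grown": sorted(p for p in on if p in off and off[p] > on[p]),
    }


if __name__ == "__main__":
    for kind, paths in cross_view_diff(ONLINE_SCAN, OFFLINE_SCAN).items():
        print(f"{kind}:")
        for path in paths:
            print("   ", path)
```

Two practical points follow from the slides' own caveats: the offline listing must come from a boot medium the rootkit never ran under (the WinPE CD in the diagram), and legitimate files created or deleted between the two scans show up as noise, so the comparison should be run with services stopped and caches flushed, as the checker does.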
Microsoft Ghostbuster - Strider
Characteristics of Ghostbuster Scan
Deterministically, efficiently and effectively detects today’s file-hiding software
It will help computer users gain back trustworthy file-query operations and force malware programs to give up file hiding and therefore always expose themselves to Gatekeeper ASEP scans and anti-virus-style known-bad signature-based scans
Does not require known-bad signatures, hence no signature updates
Assumes that any data gathered through any apps or OS components running inside an infected OS cannot be trusted
Recap
Rootkit - Definition
Rootkit Defense
Defense in Depth
Multilayered approach
Secure your perimeter and protect your internal clients
Patch Updates
Security Awareness
No-execute hardware support
Usage of DEP
Firewalled internal zones and desktops
Usage of antispyware and antivirus software
Messaging Hygiene (Frontbridge and Sybari Antigen)
LPA: Running as non-admin
Recap
Rootkit Defense
Antispyware kit: Microsoft Antispyware, RootkitRevealer, RKDetect, F-Secure BlackLight, Chkrootkit
Other tools for malware detection and investigation: sigcheck, autoruns and Process Explorer
If infected: format and reinstall
Resources
Microsoft Anti Spyware http://www.microsoft.com/athome/security/spyware/software/default.mspx
Malicious Software Removal Tool http://www.microsoft.com/security/malwareremove/default.mspx
Sysinternals – www.sysinternals.com
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.