Hidden Rootkits in Windows

Prepared by:

CMS Consulting Inc.Confidential

CMS Consulting Inc.CMS Consulting Inc.

Presented by: Brian Bourne, CISSP, MCSE:Security

DISCLAIMER

• The contents of this presentation are the property of CMS Consulting Inc. No portion, in whole or in part can be used without the express written consent of CMS. You may email brian@cms.ca for permission to re-post or re-use any of this content.

CMS Consulting Inc.

Microsoft Infrastructure and Security Experts Active Directory - Windows Server - Exchange - SMS - ISA

MOM - Clustering - Office – Desktop Deployment - SQL – Terminal Services - Security Assessments - Lockdown – Wireless

Training by Experts for ExpertsMS Infrastructure – Security - Vista and Office Deployment

Visit us online: www.cms.caDownloads – Resources – White Papers

For Security SolutionsFor Advanced InfrastructureFor Network SolutionsFor Information Worker

1. ~~~~~~~~~2. ~~~ ~~ ~~

3. ~~~~

AGENDA

• What is a rootkit?• Kernal mode vs user mode• Popular and New rootkits• History of Rootkits• What can they hide• DEMO – Hacker Defender Anatomy 101• How they hide and go undetected• DEMO - Hacker Defender In Action!• DEMO – Covert Channels• DEMO – FUTo• Detection, Protection and Removal• DEMO – Detection• Hardware Virtualization Rootkits• Vista• Trends

Overview

• A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes.

Root kits exist for a variety of operating systems such as Linux, Solaris, and versions of Microsoft Windows

Reference: http://en.wikipedia.org/wiki/Rootkit

What is a rootkit?

Types of rootkits 1 of 3

Persistent RootkitsA persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based RootkitsMemory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

Types of rootkits 2 of 3

User-mode RootkitsThere are many methods by which rootkits attempt to evade detection.

Example:• a user-mode rootkit might intercept all calls to the

Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories.

• When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

Types of rootkits 3 of 3

Kernel-mode RootkitsKernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.

Reference: http://www.sysinternals.com

Windows Architecture

Reference: http://www.microsoft.com

Windows USER,

GDI

Graphics drivers

NTDLL.DLL

System threads

System Processes· LSASS· Service Control Manager· Session manager· Winlogon

Services· Services.exe· Spoolsvc.exe· Svchost.exe· Winmgt.exe

Applications· Explorer· Task manager· User applications

Subsystems· OS/2· POSIX· Windows· Windows DLLs

System Service Dispatcher

(Kernel mode callable interfaces)

Config Manager (registry)

File System Cache

I/O Manager

Local Procedure

Call

Object Manager

Plug & Play

Processess & Threads

Security Reference

Monitor

Virtual Memory

Ring 0Kernel Mode

Ring 3User Mode

Hardware Abstraction Layer

Device & File Sys Drivers Kernel

History of Rootkits

PrimitiveBinary file replacement (password logging / UNIX)Hiding traces/tracks (log cleaners)

PrimitiveBinary file replacement (password logging / UNIX)Hiding traces/tracks (log cleaners)

More advanced hiding - “stealthy” (Hxdef,HE4Hook)Hooking techniques

More advanced hiding - “stealthy” (Hxdef,HE4Hook)Hooking techniques

Direct dynamic manipulation of kernel structures (FU)Difficult for detection software to identify

Direct dynamic manipulation of kernel structures (FU)Difficult for detection software to identify

Advanced Memory hooking/hiding (Shadow Walker)Used in collusion with 3rd Generation rootkitExtremely “stealthy”

Advanced Memory hooking/hiding (Shadow Walker)Used in collusion with 3rd Generation rootkitExtremely “stealthy”

FirstGeneration

SecondGeneration

ThirdGeneration

FourthGeneration

Hardware VirtualizationHardware Virtualization

FifthGeneration

Reference: http://www.phrack.org/archives/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt

Popular Rootkits

• AFX Rootkit 2005• FU• Hacker Defender• HE4Hook• NT Root

• NTFSHider• NTIllusion• Vanquish• Winlogon Hijack

New Rootkits

• FUTo• KIrcBot• SubVirt• Shadow Walker• BluePill (PoC)

Commercial Stealth

• Sony DRM• Mr. & Mrs. Smith DVD

(Alpha-Disc DRM)• Norton System Works• Hide Folders XP• Tracking and Monitoring

software

Commercially available products that use rootkit type technologies.

What can they hide

• Covert Channels • Custom GINA’s • Files and Directories • Processes • Registry Keys • Services • TCP/UPD ports• Memory pages (New) • VM’s (New)

How they hide and go undetected

• Kernel Native API hooking• User Native API hooking• Dynamic Forking of Win32 EXE• Direct Kernel Object Manipulation (DKOM)• Interrupt Descriptor Table Hooking• Memory Hooking (Shadow Walker)

Reference: www.security.org.sg / www.hbgary.com / www.rootkit.com

DEMO Network

172.16.0.x

Internet

Windows Server 2003SMTP ServiceDomain ControllerIP: 172.16.0.1rk-win2k3.domain.com

Windows Server 2003ISA 2004 FirewallIP: 172.16.0.10rk-isa.domain.com

Windows XPIP: 10.10.8.200winxp.attacker.com

Windows XPIP: 172.16.0.xrk-winxp.domain.com

IP: 10.10.8.100

DEMO Introduction

• Hacker Defender - Anatomy 101– Hxdef100.exe– Hxdef100.ini– Hxdefdrv.sys (Embedded in hxdef100.exe)

– Rdrbs100.exe– Rdrbs100.ini– Bdcli100.exe

Reference: http://hxdef.czweb.org

DEMO

Hacker Defender – In Action!• Security Compromise - Exploit• Avoiding Antivirus Detection• Hiding Folders/Files• Hiding Services• Hiding TCP Ports

Hacker Defender – Covert Channel• Backdoor shell access via SMTP

Covert Channel Summary

Firewall

Port 25 is intercepted by Backdoor

2Backdoor

ServerIntercept TCP:25

Special 256 bit key is sent

1

Remote Shell

TCP:100

SMTP ServiceTCP:25

Windows 2003

Normal email is sent to the SMTP service

1

2

33

4 Remote Shell on TCP:100 started

4

Backdoor Client Internet

DEMO

FUTo• Security Compromise - Exploit• Avoiding Antivirus Detection• Changing Security Token• Hiding Process

Detection

How to detect rootkits?

Darkspy 1.0.5

F-Secure BlackLight Beta 2.2.1050

GMER 1.0.11.11390

IceSword 1.20

KProcCheck 0.2-beta2

Malicious Software Removal Tool V1.21 10/10/2006

Process Magic by WinEggDrop V1.0

RootKit Shark 3.11

RootkitRevealer 1.7

Strider (Microsoft) beta

System Virginity Verifier 2.3

Windows Defender Beta 2

UnHackMe 3.1

DEMO

Detecting rootkits• F-Secure Blacklight• GMER• Rootkit Revealer• IceSword

*1 Could not detect FU because it does not hide folders/files. Only processes.

Detection Results

Name Version AFX Rootkit 2005 FUHacker

DefenderVanquish Notes

Blacklight 2.2.1037 Yes Yes Yes Yes

Flister 0.1 Yes No *1 Yes Yes Need to type in the exact dir path

Keensense 2.0 Yes Yes Yes No Installs system driver and requires a reboot. Unstable.

Process Guard 3.150 Yes Yes Yes Yes Install requires a reboot. All Global Protection optiosn manually turned on. Needs to “learn” a baseline of the system.

GMER 1.0.10.10111 Yes Yes Yes Yes Choice of reboot for advanced features

IceSword 1.18 Yes Yes Yes Yes Choice of reboot for advanced features

Rootkit Revealer 1.55 Yes No Yes Yes

Strider beta Yes No *1 Yes Yes Hidden directory/file compare of comprimised state and clean state from a WinPE boot CD using windiff.

Detection Summary

• All “stock” rootkits discovered with various detection tools

• Custom recompiled rootkits by pass antivirus detection

• Commercially available customized rootkits that hide files, services, processes, registry keys would not be detected in the compromised OS

Hardware Virtualization Rootkits

• Dino Dai Zovi presented an essentially undetectable hypervisor rootkit using:

• Intel VT processor • Mac OS-X• “Vitriol” to be demo’d at BlueHat

• Joanna Rutkowska presented an essentially undetectable hypervisor rootkit using:

• AMD Pacifica processor• Microsoft Vista Beta 2

• SUMMARY: THIS IS NOT AN AMD OR INTEL NOR VISTA OR MAC ISSUE!

Hardware Virtualization Rootkits

• Preventing detection was a design goal:– – “There is no software-visible bit whose setting indicates whether a

logical processor is in VMX non-root operation. This fact may allow a VMM to prevent guest software from determining that it is running in a virtual machine” -- Intel VT-x specification

• The design goals of AMD and Intel were to provide full virtualization. This means FULL virtualization.

• There is no hardware bit or register that indicates that the processor is running in VMX non-root mode

• Read Dino and Joanna’s presentations for details regarding new CPU instructions and how hypervisors work.

Bypassing Vista Kernel Signed Drivers

• Well Joanna did have some extra complexity to deal with because of Vista requiring all kernel drivers to be signed.

• Essentially, she figured out a way to cause it to page out null.sys, then modified the pagefile.sys directly using raw disk access to get Vista to run her rootkit. The process:– Allocate lots of memory to cause unused drivers code to be

paged – Replace the paged out code (inside pagefile) with some

shellcode– Ask kernel to call the driver code which was just replaced

• “Fixed” in Vista RC2 – by disabling raw disk access from user mode (including administrator)

BP Detection

• Some ideas for BluePill detection were presented by both Dino and Joanna. Essentially they are:– Attempt to use VMX to create a VM

• Bluepill a box with Bluepill – although this exception could be handled and the second Bluepill to run would end up being virtualized also)

– Attempt to detect VM exit latency • Dino demo’d using CPUID, but a number of instructions cause a VM

Exit and you could measure latency. Although the timer could be altered by the Bluepill and hence would require an external time source. How could is your stop watch?

– Joanna came up with an undisclosed method to blue screen a BluePill’ed box, but that’s not really great detection.

Hardware Virtualization Rootkits Bottom line

• Arbitrary code can be injected into Vista x64 kernel despite code signing requirement, and in really any other operating system.

• This could be abused to create “Blue Pill” based malware on processors supporting virtualization

• BP installs itself on the fly and does not introduce any modifications to BIOS nor hard disk

• BP can be used in many different ways to create the actual malware • BP should be undetectable in any practical way (when fully

implemented)• Blocking BP based attacks on software level will also prevent ISVs

from providing their own VMMs and security products based on SVM technology

• Changes in hardware (processor) could allow for easy BP detection

Protection

• Defence in Depth practices!• Application Layer firewalls• Add rootkit detection and removal software to

your toolkit• Baseline your systems in another kernel (WinPE)

using the Microsoft Strider technique for comparing modified/added binaries on a regular basis

Removal

• Rootkit removal tools (eg. “Unhackme” by Greatis Software, F-Secure Blacklight, GMER, IceSword)

• Clean from another kernel (eg. BackTrack, WinPE, etc)• Use technology that reverts back to a previous state if

your environment allows for it:– Undo disks in Microsoft Virtual PC/Server– Microsoft Shared Computer Toolkit v1.1– Faronics Deep Freeze– Symantec Norton GoBack– Winternals Recovery Manager

• Once a machine has been compromised, the only true cleaning method is to low-level format and reload!

Trends 1 of 2

It’s a cat and mouse game• As rootkit detection methods/signatures are updated; so are the

techniques/methods of the rootkits evading detection; just like viruses but much more sophisticated

• Encrypting the memory pages where the rootkit is running to avoid detection

• Polymorphism

• Spyware and Viruses utilizing functions of rootkits to hide their presence and payload; This has already happened and will continue to escalate to an extremely “stealthy” version

Trends 2 of 2

• Memory Hiding (e.g. Shadow Walker)

• Using other system writeable memory locations. (e.g. VideoCardKit, MTDWin, ACPI, BIOS)

• Boot sector rootkits (e.g. BootRootKit)

• Virtual Machine rootkits

• Database rootkits (presented in concept by Alexander Kornbrust at BH2005)

• Hardware based rootkit detection– Intel Rootkit detection (Code name: LaGrande)

• TPM (Trusted Platform Module)– Co-Pilot (PCI card) http://www.komoku.com

VISTA

· Windows Defender (Beta 2)· Microsoft plans to move device drivers out of the kernel

and in to the user level.· Address Space Layout Randomization (ASLR)· Digital Signatures for Kernel Modules on x64-based

Systems Running Windows Vista· Microsoft Patch Guard on x64 Based Systems

Reference: http://www.microsoft.com

Need to Know

Stop rootkits from entering and executing in your environment.Stop rootkits from entering and executing in your environment.Prevention

Non-critical systems can be cleaned and/or reloaded.Critical systems require professional assistance, particularly if forensic evidence is desired.

Non-critical systems can be cleaned and/or reloaded.Critical systems require professional assistance, particularly if forensic evidence is desired.

Response

http://www.rootkit.comhttp://www.antirootkit.comParticipate in the Toronto Area Security Klatch http://www.task.to

http://www.rootkit.comhttp://www.antirootkit.comParticipate in the Toronto Area Security Klatch http://www.task.to

LearnMore

CMS Training Offerings

• INSPIRE Infrastructure Workshop– 4 days of classroom training - demo intensive

AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server

• Business Desktop Deployment – Deploying Vista/Office– 3 days of classroom training - hands on labs (computers provide)

Business Desktop Deployment Concepts, Tools, Processes, etc. Vista and Office

• Securing Internet Information Services• Securing ActiveDirectory• Securing Exchange 2003

– 1 day classroom training per topic

TRAINING BY EXPERTS FOR EXPERTS

@Contacting Us.

• Brian Bourne, President – brian@cms.ca

• Robert Buren, VP Business Development – robert@cms.ca

CMS Consulting Inc. – http://www.cms.ca/

CMS Training – http://www.cms.ca/training/

Toronto Area Security Klatch – http://www.task.to/