Network Attack and Defense 4: Introduction to Malicious Code (lecture slides)
Introduction to Malicious Programs

Outline
- Basic knowledge
- Trapdoors
- Logic bombs
- Viruses
- Trojan horses
- Rootkits
- Worms
- Botnets
- The future?

Growth and Change in Malware Development
- In the beginning there were viruses...
- 2003 saw the beginning of spyware, phishing, botnets, etc., as an outgrowth of spamming outfits, not hacking outfits.
- Spyware, phishing and botnets are still growing despite the increase in money being spent to remediate the problem.

Growth in Malware
- (Chart: number of trojans intercepted by Kaspersky Labs, not reproduced here.)
- About 10-15k new bot machines per day; this dropped to about 5k after the SP2 release (Windows XP Service Pack 2), but only for a few months.
- Only 4-6 days until an exploit is released, yet 40-60 days for a patch.
- Why do they keep growing? Because it keeps working. We haven't eliminated the real problem.

What is Malicious Code?
- A set of instructions that causes a security policy to be violated.
- Generally relies on "legal" operations: an authorized user could perform the same operations without violating policy.
- Malicious code "mimics" an authorized user.

Malicious Program's Evolution
(Chart: target and scope of damage, rising from an individual computer through individual networks, multiple networks and regional networks up to global infrastructure impact, plotted against time.)

  Era     Generation  Threats                                                Time to impact
  1980s   1st gen     Boot viruses                                           Weeks
  1990s   2nd gen     Macro viruses, email, DoS, limited hacking             Days
  Today   3rd gen     Network DoS, blended threats (worm + virus + trojan),  Minutes
                      turbo worms, widespread system hacking
  Future  Next gen    Global infrastructure impact                           Seconds

Trapdoors
- Trapdoor (backdoor): an undocumented way of gaining access to a program, an online service or an entire computer system.
- The backdoor is written by the programmer who creates the code for the program, and is often known only to that programmer.

Examples of Backdoors
- 2003: an attempt was made to insert a backdoor into the Linux kernel source.
- Early versions of the Sobig virus in 2003 installed backdoors used to send its spam.
- The MyDoom virus in early 2004 opened a backdoor on port 3127 to send spam.

Backdoor Types
- Local escalation of privilege
- Remote command-line access
- Remote control of the GUI

Backdoor Installation
- The attacker has already compromised the system.
- A virus, worm, or malicious mobile code installs the backdoor.
- Social engineering: tricking the victim into installing the backdoor.
- ...

Starting Backdoors Automatically
- The attacker wants to maintain access to the system, so the backdoor needs to restart whenever the system restarts.
- Methods are OS dependent.
- On Windows: altering startup files and folders; the Registry; the Task Scheduler.

Example
- Use Sub7 to create a backdoor to the remote machine.
- From the remote machine, use an existing VPN tunnel to communicate inside the network.
- With that access, perform a VLAN hopping attack.
- Sub7 has many modules: keylogging, enabling telnet and ftp, ...

Logic Bomb
- Programming code added to the software of an application or operating system that lies dormant until a predetermined period of time (i.e., a period of latency) or event occurs, triggering the code into action.

Logic Bomb
- One of the oldest types of malicious software.
- Code embedded in a legitimate program.
- Activated when specified conditions are met, e.g.:
  - presence or absence of some file
  - a particular date or time
  - a particular series of keystrokes
- When triggered, typically damages the system: modifies or deletes files or disks.

Viruses
- Definition from RFC 1135: a virus is a piece of code that inserts itself into a host, including operating systems, to propagate. It cannot run independently. It requires that its host program be run to activate it.

Steps in Normal Program Execution
(Diagram: ROM/BIOS (non-volatile), hard disk (non-volatile) holding the OS, Program A and the FAT, and main memory (volatile) with the OS loaded at 0x0.)
1. Main memory is empty at the beginning.
2. BIOS code locates the OS on disk and copies it into memory.
3. The OS locates the program to be executed and copies it into memory.
4. Program A starts executing.
- FAT (File Allocation Table): stores the location of all files on the system; it is maintained by the OS.
- Executing programs use the OS to perform standard functions such as reading and writing files.

Virus Infection Mechanism
(Diagram: infected Program B arrives from an infected floppy disk or an email attachment; the virus spreads to Program A on the hard disk.)
1. The infected program (B + virus) enters memory and runs.
2. The virus searches the disk for a suitable program to infect (Program A).
3. The virus copies the target program into main memory.
4. The virus copies itself into the target program in memory.
5. The virus copies the infected target back onto the disk.
- When the newly infected program is later executed, it infects another file in the same way.
- The virus makes use of OS constructs to search for target files, copy them, etc.
Virus Target Classification
- Boot-sector infectors
- File infectors
- Macro viruses

Concealment Strategy Classification
- No concealment
- Encryption
- Stealth
- Oligomorphism, polymorphism, metamorphism

A Look at the Hard Disk Layout First
- A DOS-standard partition table allows at most four primary plus extended partitions (Ubuntu's gparted will warn about this), but an extended partition can hold many logical partitions.
- Windows must be installed on a primary partition, and that primary partition must be marked active (bootable); only one partition can be active.
- The code in the MBR and in the boot sector is not visible as a file.
- (Diagram: MBR (master boot record); primary partition with its boot sector and MFT; extended partition containing logical partitions.)

MBR -> Partition: How Windows Boots
- Systems including Windows XP write code to the MBR during installation, completely overwriting it.
- That MBR code looks for the boot sector of the active primary partition, e.g. C:, and the boot sector in turn hands over to ntldr or bootmgr.
- XP uses ntldr; Vista and Windows 7 use bootmgr.
- Windows 7 may create its own hidden, primary, active partition in front of C: that holds only the boot files.
- (Diagram: MBR -> C: boot sector -> MFT, ntldr OR bootmgr.)

Virus: Boot Sector Infectors
Boot sequence on the IBM PC:
- Runs the instruction at memory location F000:FFF0 of the BIOS, which jumps to the BIOS startup program.
- Executes the Power-On Self-Test (POST): checks and initializes devices.
- Goes through the preconfigured list of devices; if it finds a bootable device, loads and executes its boot sector.
- Assume the MBR on the hard drive: the MBR contains the address of the bootable partition.
- Loads the boot sector of the bootable partition.
- The boot sector moves the OS kernel into memory and starts it.

Virus: Boot Sector Infectors
- A boot sector infector copies itself into the MBR, typically after making a copy of the original MBR in a "safe location".
- Stoned virus (1988): the original version infects only 360 KB diskettes; many variants.
- Behavior:
  - Becomes memory resident.
  - Lowers the memory size reported through interrupt 12h (memory size determination) to reserve space for itself at the top of conventional memory.
  - Infects the MBR and all diskettes.
  - Moves the original boot sector to sector 11 and copies itself into sector 0.
  - Usually destroys part of the file system.
- Payload: displays a message during the boot process: "Your computer is now stoned."
Virus: Boot Sector Infectors
- Extinct in the wild:
  - Floppies are rarely used to boot, disabling the propagation mechanism.
  - OSs prevent writing to a disk's boot sector without proper authorization.
  - The BIOS can enable boot block protection.

Virus: File Infectors
- The virus infects executables: it is placed inside an executable file.
- Prepending virus: at the beginning.
  - Execution of a *.com file loads the file into memory and sets the PC to the beginning of the file, so a virus placed there runs first.
  - Often copies the infected file further down.
  (Diagram: [Virus][Code] replaces [Code].)
- Appending virus: at the end.
  (Diagram: [Code][Virus].)
  - To get control: save the original first instruction of the code and replace it with a jump to the viral code; execute the virus; then either restore the original instruction and jump to it, or run the original instruction at the saved location followed by a jump to the rest of the code.
  - Executable file formats can also specify the start location in the file header, which the virus can simply point at itself.
  (Diagram: Program A before infection runs its 1st instruction, 2nd instruction, ..., end. Program A infected with the virus: the 1st instruction is replaced by a jump to the virus; the virus runs, then jumps back so the 1st and 2nd instructions run as before.)
  - In the execution of the infected program, the virus is executed before Program A, and the correct sequence of instruction execution in Program A is maintained.
- Overwriting viruses: do not change the file size. Placement strategies:
  - Place the virus in superfluous data.
  - Place the virus in file slack or unused allocated file space.
  - Stash the overwritten contents in a companion file.
  - Compress (parts of) the original file, and decompress at run time.

Virus: Concealment
- Encryption
  - The virus body is encrypted to make it harder to detect.
  - The virus needs to contain a decryption engine.
  - Encryption methods range from very simple to strong.
- Stealth
  - The virus takes active steps to conceal the infection.
  - Restores the original file timestamp.
  - Intercepts system calls to play back the original information about the file: changes I/O calls in DOS; changes system libraries in more sophisticated OSs.
  - Anti-stealth virus: the virus makes all files look infected.
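An added example, not code from the slides: a toy executable format and toy instruction set (both constructed for this demonstration) with an appending infector that works the way the appending-virus slide describes. It writes its body at the end of the file, points the header's entry at the body, and ends the body with a jump to the original entry so the host still runs correctly afterwards. The detection step is an integrity check (size plus checksum recorded before infection). The format, the opcodes and the choice of FNV-1a as the checksum are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy executable format, not any real one:
 *   bytes 0-1  magic "TX"
 *   byte  2    entry point (offset into the image)
 *   byte  3    unused
 *   byte  4..  code in a toy ISA:
 *     0x90      NOP
 *     0xE9 nn   JMP to absolute offset nn
 *     0x56      "virus payload" (hypothetical op that marks the payload as run)
 *     0xC3      HALT
 */
#define HDR    4
#define MAXIMG 64

struct image { uint8_t b[MAXIMG]; size_t len; };
struct run   { int host_ran, payload_ran, steps; };

/* A clean host: two NOPs and a HALT, entry point right after the header. */
static struct image make_host(void)
{
    struct image img = { { 'T', 'X', HDR, 0, 0x90, 0x90, 0xC3 }, 7 };
    return img;
}

/* Execute the image under the toy ISA. Returns 0 on a clean HALT, -1 on a fault. */
static int run_image(const struct image *img, struct run *r)
{
    memset(r, 0, sizeof *r);
    size_t pc = img->b[2];
    while (r->steps++ < 100 && pc < img->len) {
        switch (img->b[pc]) {
        case 0x90: pc++; break;
        case 0xE9: if (pc + 1 >= img->len) return -1; pc = img->b[pc + 1]; break;
        case 0x56: r->payload_ran = 1; pc++; break;
        case 0xC3: r->host_ran = 1; return 0;
        default:   return -1;
        }
    }
    return -1;
}

/* Appending infector: write the virus body at the end of the file, point the
 * header's entry at it, and end the body with a JMP to the original entry so
 * the host's instructions still run in their original order afterwards.
 * Returns 1 if infected, 0 if already infected, -1 if the file is unsuitable. */
static int infect(struct image *img)
{
    if (memcmp(img->b, "TX", 2) != 0 || img->b[2] >= img->len || img->len + 3 > MAXIMG)
        return -1;
    if (img->b[img->b[2]] == 0x56) return 0;      /* infection marker: do not re-infect */
    uint8_t old_entry = img->b[2];
    uint8_t body[3] = { 0x56, 0xE9, old_entry };  /* payload, then JMP original entry */
    memcpy(img->b + img->len, body, sizeof body);
    img->b[2] = (uint8_t)img->len;                /* entry now points at the virus */
    img->len += sizeof body;
    return 1;
}

/* Integrity checking: record size and a checksum of each file, compare later.
 * FNV-1a is used here for brevity; a real checker should use a keyed hash (MAC)
 * so that a virus cannot simply recompute the value after infecting the file. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
struct baseline { size_t len; uint32_t hash; };
static struct baseline record(const struct image *img)
{
    struct baseline bl = { img->len, fnv1a(img->b, img->len) };
    return bl;
}
static int unchanged(const struct image *img, const struct baseline *bl)
{
    return img->len == bl->len && fnv1a(img->b, img->len) == bl->hash;
}

/* Whole scenario; returns the number of expectations that held (5 when all do). */
static int scenario(void)
{
    struct image host = make_host();
    struct baseline bl = record(&host);
    struct run r;
    int ok = 0;
    ok += run_image(&host, &r) == 0 && r.host_ran && !r.payload_ran;  /* clean host runs */
    ok += infect(&host) == 1;                                         /* first infection */
    ok += run_image(&host, &r) == 0 && r.payload_ran && r.host_ran;   /* virus first, host still works */
    ok += !unchanged(&host, &bl);                                     /* integrity check catches it */
    ok += infect(&host) == 0;                                         /* marker prevents re-infection */
    return ok;
}

int main(void)
{
    printf("checks passed: %d/5\n", scenario());
    return scenario() == 5 ? 0 : 1;
}
```

The infection marker check is what real viruses do to avoid growing a file on every run; it is also exactly the kind of fragment a signature scanner keys on, which is the motivation for the encryption and polymorphism techniques in the concealment slides.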
Virus: Concealment
- Polymorphism
  - The decryptor is varied by using equivalent instruction sequences.
  - Or by using different versions: Tremor had 6 decryption engines.
- Metamorphism
  - Instructions are reordered, branch conditions reversed.
  - Jumps and NOPs inserted in random places.
  - Garbage opcodes inserted in unreachable code areas.
  - Instruction sequences replaced with other instructions that have the same effect but different opcodes, e.g. mutate SUB EAX,EAX into XOR EAX,EAX, or PUSH EBP; MOV EBP,ESP into PUSH EBP; PUSH ESP; POP EBP.

Anti-Virus Technologies
- Simple anti-virus scanners look for signatures (fragments of known virus code).
- Heuristics for recognizing code associated with viruses: polymorphic viruses often use decryption loops.
- Integrity checking to find modified files: record file sizes, checksums, MACs (keyed hashes of contents).
- Generic decryption and emulation: emulate CPU execution for a few hundred instructions; the virus will eventually decrypt itself, and the scanner can then recognize the known body.

Virus Detection by Emulation
(Diagram: the virus randomly generates a new key and the corresponding decryptor code, producing mutations A, B and C, each of which decrypts and executes the same virus body.)
- To detect an unknown mutation of a known virus, emulate CPU execution until the current sequence of instruction opcodes in memory matches the known sequence for the virus body.

Trojan Horses
- A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves, but they can be just as destructive.
- Programs that appear to have one function but actually perform another.
- Modern Trojan horse: resembles a program that the user wishes to run.
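An added example of the polymorphism and emulation slides above, constructed for these notes and not taken from any real virus or scanner: a toy instruction set (an assumption, not a real CPU) on which a generator XOR-encrypts a fixed "virus body" under a chosen key and emits a decryptor whose setup instructions are permuted and padded with NOPs, so each mutation has different bytes. A plain signature search over the file fails, while a small emulator that runs the code and re-checks memory after every instruction finds the body once the decrypt loop has revealed it. The body bytes, signature and opcodes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM 64

/* Constructed toy ISA for this demonstration (not a real CPU):
 *   0x00       NOP
 *   0x10 kk    K = kk        (decryption key)
 *   0x11 pp    P = pp        (pointer into memory)
 *   0x12 cc    C = cc        (bytes left to decrypt)
 *   0x20       mem[P] ^= K; P++; C--
 *   0x21 aa    if C != 0 goto aa
 *   0x22 aa    goto aa
 *   0xFF       HALT
 */
static const uint8_t VIRUS_BODY[] = { 0x00, 0xDE, 0xAD, 0xBE, 0xEF, 0xFF };
#define BODY_LEN (sizeof VIRUS_BODY)
/* The scanner's signature: a fragment of the known plaintext body. */
static const uint8_t SIGNATURE[] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Plain signature search, as a simple scanner does on the file on disk. */
static int has_signature(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i + sizeof SIGNATURE <= n; i++)
        if (memcmp(buf + i, SIGNATURE, sizeof SIGNATURE) == 0) return 1;
    return 0;
}

/* Polymorphic generator: XOR-encrypt the body under `key` and emit a decryptor
 * whose register-setup instructions are permuted by `variant` and padded with
 * (variant % 3) NOPs, so every mutation has different bytes but the same effect.
 * Writes the image to `out` and returns its length. */
static size_t mutate(uint8_t key, unsigned variant, uint8_t out[MEM])
{
    static const uint8_t perms[6][3] =
        { {0,1,2}, {0,2,1}, {1,0,2}, {1,2,0}, {2,0,1}, {2,1,0} };
    if (key == 0) key = 0x5A;            /* key 0 would leave the body in clear */
    size_t n = 0, p_at = 0, c_at = 0;    /* P and C operands are patched below */
    for (int i = 0; i < 3; i++) {
        for (unsigned k = 0; k < variant % 3; k++) out[n++] = 0x00;
        switch (perms[variant % 6][i]) {
        case 0: out[n++] = 0x10; out[n++] = key; break;
        case 1: out[n++] = 0x11; p_at = n++;    break;
        case 2: out[n++] = 0x12; c_at = n++;    break;
        }
    }
    size_t loop = n, body = n + 5;       /* decrypt loop, then the body follows */
    out[n++] = 0x20;
    out[n++] = 0x21; out[n++] = (uint8_t)loop;
    out[n++] = 0x22; out[n++] = (uint8_t)body;
    out[p_at] = (uint8_t)body;
    out[c_at] = (uint8_t)BODY_LEN;
    for (size_t i = 0; i < BODY_LEN; i++) out[n++] = VIRUS_BODY[i] ^ key;
    return n;
}

/* Generic decryption: emulate the toy CPU for at most `max_steps` instructions,
 * checking memory for the known body after every step. Returns the step at which
 * the signature appeared, or -1 (never decrypted, unknown opcode, or budget spent). */
static int emulate(const uint8_t *img, size_t n, int max_steps)
{
    uint8_t mem[MEM + 2] = { 0 }, K = 0, P = 0, C = 0, pc = 0;
    if (n > MEM) return -1;
    memcpy(mem, img, n);
    for (int step = 1; step <= max_steps; step++) {
        if (pc >= n) return -1;
        switch (mem[pc]) {
        case 0x00: pc += 1; break;
        case 0x10: K = mem[pc + 1]; pc += 2; break;
        case 0x11: P = mem[pc + 1]; pc += 2; break;
        case 0x12: C = mem[pc + 1]; pc += 2; break;
        case 0x20: if (P >= n) return -1; mem[P] ^= K; P++; C--; pc += 1; break;
        case 0x21: pc = C ? mem[pc + 1] : (uint8_t)(pc + 2); break;
        case 0x22: pc = mem[pc + 1]; break;
        case 0xFF: return has_signature(mem, n) ? step : -1;
        default:   return -1;
        }
        if (has_signature(mem, n)) return step;
    }
    return -1;
}

int main(void)
{
    uint8_t img[MEM];
    for (unsigned v = 0; v < 3; v++) {
        size_t n = mutate((uint8_t)(0x37 + v), v, img);
        printf("mutation %u: %zu bytes, static signature match: %d, "
               "found by emulation at step %d (budget 100), with budget 5: %d\n",
               v, n, has_signature(img, n), emulate(img, n, 100), emulate(img, n, 5));
    }
    return 0;
}
```

The budget argument shows the practical limit of generic decryption that the slides hint at with "a few hundred instructions": a decryptor that burns more instructions than the emulator is willing to spend (long NOP sleds, nested loops) is not decrypted in time, which is exactly the arms race between polymorphic engines and emulating scanners.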

Trojan Horses
- Usually superficially attractive, e.g. a game, a software upgrade, etc.
- When run, performs some additional tasks.
- Allows the attacker to indirectly gain access they do not have directly.
- Often used to propagate a virus or worm, or to install a backdoor.

Trojan Horse
- A program with an overt and a covert effect: it appears normal/expected, while the covert effect violates the security policy.
- The user is tricked into executing the Trojan horse: they expect (and see) the overt behavior, while the covert effect is performed with the user's authorization.
- Example: in 1995, a program distributed as PKZ300B.EXE looked like a new version of PKZIP... When executed, it formatted your hard drive.
- A Trojan horse may replicate: create a copy on execution, and spread to other users/systems.

Rootkit
Motivation
- Hackers want to keep access to a successfully compromised box.
- At the same time, they want to remain undetected and thus need to hide their presence and traces.
- All hacker activities and data related to those activities shall be invisible to legitimate users.
- Any permanent trace should be avoided, if possible.

Definition
- "A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer." (Source: G. Hoglund, J. Butler: "Rootkits", ISBN 0-321-29431-9)
- "A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system." (Source: Wikipedia, /wiki/Rootkit)

Rootkit Behavior
- Remove evidence of the original attack and of the activity that led to the rootkit installation.
- Hide future attacker activity (files, network connections, processes) and prevent it from being logged.
- Enable future access to the system by the attacker.
- Install tools to widen the scope of penetration.
- Secure the system so other attackers can't take control of it from the original attacker.

History of Rootkits
- First generation, primitive: binary file replacement (password logging on UNIX); hiding traces/tracks (log cleaners).
- Second generation, more advanced hiding, "stealthy" (Hxdef, HE4Hook): hooking techniques.
- Third generation: direct dynamic manipulation of kernel structures (FU); difficult for detection software to identify.
- Fourth generation, advanced: memory hooking/hiding (Shadow Walker), used in collusion with a third-generation rootkit; extremely "stealthy".
- Fifth generation: hardware virtualization.
- Reference: /archives/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt (Phrack 63)

Popular Rootkits
- AFX Rootkit 2005, FU, Hacker Defender, HE4Hook, NTRoot, NTFSHider, NTIllusion, Vanquish, Winlogon Hijack
- New rootkits: FUTo, KIrcBot, SubVirt, Shadow Walker, BluePill (PoC)
- Commercial stealth: Sony DRM; Mr. & Mrs. Smith DVD (Alpha-Disc DRM); Norton SystemWorks; Hide Folders XP; tracking and monitoring software. Commercially available products that use rootkit-type technologies.

Rootkit Types
- User-mode rootkits
  - Binary rootkits replace user programs: ls, netstat, ps, login, sshd.
  - Library rootkits replace system libraries: they intercept system call data returning from the kernel, stripping out evidence of attacker activities. Alternately, they ensure that the rootkit library providing the system-call wrappers is loaded instead of libc by placing it in /etc/ld.so.preload, like the t0rn rootkit.
- Kernel rootkits
  - Modify the system calls/structures that all user-mode programs rely on to list users, processes, and sockets.
  - Add backdoors to the kernel itself.

Different Rootkits
- Windows rootkits & malware: user-land rootkits, kernel-land rootkits
- Linux/*BSD rootkits: user-land rootkits, kernel-land rootkits
- Mac OS X rootkits: user-land rootkits, kernel-land rootkits

Four Privilege Rings
(Diagram: concentric rings around the CPU, Ring 3 outermost and least trusted, Ring 0 innermost and most trusted.)
- Ring 0: operating system kernel
- Ring 1: operating system services
- Ring 2: custom extensions
- Ring 3: ordinary user applications

Legal Ring Transitions
- A transition from an outer ring to an inner ring is made possible by using a special control structure (known as a 'call gate').
- The 'gate' is defined via a data structure located in a 'system' memory segment normally not accessible for modification.
- A transition from an inner ring to an outer ring is not nearly so strictly controlled.

Operating System Design
- Intel has four privilege levels or rings; Windows and many other OS vendors use only two of them.
- User mode: some restrictions on accessing the system hardware and certain memory regions apply. The address space of a user program is restricted to the application's memory maps.
- Kernel (supervisor) mode: everything is allowed.

User-Land vs. Kernel-Land: Multiple Layers of an Operating System
- User-land
  - Your personal applications run within this space.
  - The operating system provides a common API for developers to use: Kernel32.dll, Ntdll.dll.
- Kernel-land
  - This is the "heart" of your OS: the low-level kernel functions that implement the services needed in user land.
  - Protected memory containing objects such as those for processes, tokens, ports, etc.

Windows Architecture: How Does a Rootkit Work?
- Ring 3, user land: User, Administrator, System
- Ring 0, kernel land: drivers

System Service Call Cycle
1. The user application calls the CreateFile API.
2. The Kernel32.DLL call stub calls the NtCreateFile API in NTDLL.DLL.
3. NTDLL.DLL sets EAX = 0x00000020 (the system service number) and executes INT 2Eh: switch from user mode to kernel mode.
4. NTOSKRNL.EXE services the call, then switches back to user mode.
5. The NtCreateFile result is returned, then the CreateFile result is returned to the application.

NTDLL Interface
- Kernel32.DLL is built on the library NTDLL.DLL.
- NTDLL.DLL is an interface to the Int 2Eh function of Windows NT.
- Int 2Eh signals a need to switch from user mode to kernel mode.
- Int 2Eh is internally handled by KiSystemService().
- The Int 2Eh handler looks up the service in a table in NTOSKRNL called KeServiceDescriptorTable.

Getting Into the Root
- Application: call to the CreateFile() API.
- Kernel32.DLL: call to NtCreateFile(), the native API, in NTDLL.DLL.
- NTOSKRNL.EXE: KiSystemService() is invoked and indexes KeServiceDescriptorTable.

NTOSKRNL Exports
The structure of KeServiceDescriptorTable:

    typedef struct ServiceDescriptorTable {
        PVOID ServiceTableBase;      /* array of system service routine addresses */
        PVOID ServiceCounterTable;   /* per-service call counters; only used in checked builds */
        unsigned int NumberOfServices;
        PVOID ParamTableBase;        /* bytes of parameters for each service */
    } KeServiceDescriptorTable;

(Diagram: ServiceTableBase entries at index 0x20 -> NtCreateFile, 0x29 -> NtCreateProcess, 0x6A -> NtOpenProcess; the ParamTableBase entries give 0x2C, 0x20 and 0x10 bytes of parameters respectively.)

Hooking a System Service
- (Slide: example of NTDLL exported functions, not reproduced.)

What Happens When You Read a File?
1. ReadFile() is called on File1.txt.
2. Transition to Ring 0.
3. NtReadFile() is processed.
4. The I/O subsystem is called.
5. An IRP is generated.

Userland (Ring 3) Rootkits
- Binary replacement, e.g. a modified EXE or DLL.
- Binary modification in memory, e.g. He4Hook.
- Userland hooking, e.g. Hacker Defender: IAT hooking.

Kernel (Ring 0) Rootkits
- Kernel hooking, e.g. NtRootkit.
- Driver replacement, e.g. replace ntfs.sys with ntfss.sys.
- Direct Kernel Object Manipulation (DKOM), e.g. Fu, FuTo.
- I/O Request Packet (IRP) hooking: the IRP dispatch table, e.g. He4Hook.
- Filter drivers: the official Microsoft method. Types: file system filter, volume filter, disk filter, bus filter.

Classical Ways of Hiding Various Objects
- Replacing files (e.g. DLLs)
- Hooking DLL functions (API/IAT hooking)
- Modifying DLL functions (raw code change)
- Hooking entries in the SST/KiServiceTable (very popular)
- Hooking the IDT 2Eh entry
- Modifying kernel code (raw code change)

IAT Hooking
- Import Address Table (IAT) / Export Address Table (EAT)
  - Each process and module (DLL) has its own Import Address Table (IAT) that contains the entry-point addresses of the APIs that it uses.
  - Every DLL has an Export Address Table (EAT) that contains the entry-point addresses of the APIs implemented within that DLL.
- IAT modification
  (Diagram, PE file before IAT patching: the code section does CALL [CreateFileA]; the import section entry CreateFileA holds 0x12345678, the address of CreateFileA() in Kernel32.dll.)
  (Diagram, after IAT patching: the import section entry CreateFileA holds the address of the hook; the hook does its work and then JMP 0x12345678 to the real function.)
- Powerful and simple.
- Easy to detect, but legitimate hooking is common, and methods such as DLL forwarding make benign vs. malicious hooks hard to discern.
- Late binding: applications do late-demand binding, where function addresses are not resolved until called. Such functions will not have addresses in the IAT to hook!

Inline Function Hooking
- More powerful than IAT hooking: no problems with binding time.
- Overwrite the code bytes of the target function, so that no matter how it is resolved, your code will run.
- Can be used for both kernel and user functions.

Original FindNextFileA() API function:

    FindNextFileA:
    195D6: 55              PUSH EBP
    195D7: 8BEC            MOV  EBP,ESP
    195D9: 81EC60020000    SUB  ESP,260
    Continue_Here:
    195DF: 53              PUSH EBX
    195E0: 8D85A0FDFFFF    LEA  EAX,[EBP-260]
    195E6: XX              <... original code continues ...>

Patched FindNextFileA() API function (dynamic code patching):

    FindNextFileA:
    195D6: E9XXXXXXXX      JMP  Hook
    195DB: 90              NOP
    195DC: 90              NOP
    195DD: 90              NOP
    195DE: 90              NOP
    Continue_Here:
    195DF: 53              PUSH EBX
    195E0: 8D85A0FDFFFF    LEA  EAX,[EBP-260]
    195E6: XX              <... original code continues ...>

    Hook:
        <process params>
        call Saved_Original      ; the 9 overwritten bytes, followed by a jump to Continue_Here
        <alter data>
        ret

- The 5-byte JMP plus 4 NOPs exactly cover the first 9 bytes of the function (three whole instructions), so execution never lands in the middle of an instruction.

Injecting a DLL
- Via the Registry: the AppInit_DLLs key. Add a DLL that hooks or modifies the IAT, kernel32.dll or ntdll.dll.
- Via Windows hooks: Windows allows you to hook window messages and events of another process with SetWindowsHookEx. The hook specifies the thread to hook; set it to 0 and the system hooks all threads in the current Windows desktop!
- Via a remote thread: Windows allows you to create a thread in a remote process with CreateRemoteThread. Load the rootkit DLL into the remote process by specifying LoadLibrary as the start routine and giving it a parameter that points to the rootkit DLL path, placed in the target with VirtualAllocEx.
- Dynamic forking of a Win32 EXE: under Windows, a process can be created in suspended mode using the CreateProcess API with the CREATE_SUSPENDED flag. The EXE image will be loaded into memory by Windows, but execution will not begin until the ResumeThread API is used.

SSDT Hooking
- System Service Descriptor Table: a kernel data structure that points to the code which implements system calls in the Win32, POSIX, and OS/2 subsystems, indexed by system call number.
- System Service Parameter Table: specifies the number of bytes for the parameters of each call.
- Hooking the SSDT:
  - Load the rootkit as a device driver.
  - Replace the SSDT entry to point to the rootkit instead of Ntoskrnl.exe or Win32k.sys.
  - Later versions of Windows XP make the memory that stores the SSDT read-only (BSOD if you try to write): change CR0 to disable memory write protection in the kernel, or use Memory Descriptor Lists to change the page flags.
  - HOOK_SYSCALL, UNHOOK_SYSCALL macros.
- Using SSDT hooks to hide processes:
  - Replace the NtQuerySystemInformation function in the SSDT.
  - The hook calls the original function and filters the results to remove rootkit entries from the SystemInformationClass buffer that is returned.
  - Must update execution time statistics across all processes in the list: if CPU time doesn't add up to 100%, someone will be suspicious.
- SDT: every KTHREAD object has a pServiceDescriptorTable pointer (at offset +0xdc), which is actually used to determine the appropriate service table to be used.
  (Diagram: KTHREAD -> SDT -> KiServiceTable; another KTHREAD -> SDTShadow -> KiServiceTable and W32pServiceTable.)

Direct Kernel Object Manipulation: ActiveProcessLinks
- All active processes in the system are kept on a single list, implemented by a pair of pointers in each EPROCESS block: EPROCESS.ActiveProcessLinks.
- The Fu rootkit unlinks the attacker's process from this list; now it is hidden from any enumeration that walks the list.
  (Diagram: EPROCESS blocks chained through ActiveProcessLinks; the attacker's process is removed from the chain.)

IDT Hooking
- Interrupt Descriptor Table: numerous software and hardware interrupts: page faults (entry 0x0e), timers, system calls (entry 0x2e), etc.
- Hooking entry 2Eh: store the original Int 2E handler (KiSystemService) in a global DWORD and replace the IDT entry with the address of your hook.
- Modern Windows uses the faster SYSENTER; the handler address is stored in model-specific registers (MSRs), which require Ring 0 to modify.

Hooking I/O
- Major I/O Request Packet function table: a function table contained in every device driver. Each IRP type has an entry in the table for the address of the function that handles it.
- Replace the IRP handler for file-system writes or TCP queries with the rootkit's.

Rootkit Technology Summary
- Execution path change: simple hooking (IAT, SDT/SST, IDT); raw code change; strange pointer changes.
- Only data structures change (e.g. Fu).

Linux Rootkits
History
- User-land: SSHEater-1.1 by Carlos Barros
- Kernel-land: Static-X's Adore-NG 2.4/2.6 kernel rootkit; Rebel's phalanx (patches /dev/mem)
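An added example of the IAT hooking and SSDT-hook filtering described above, constructed for these notes and not code from the slides or from any rootkit: a "module" publishes an export table, an application calls a file-enumeration API through its own import table, and the hook overwrites the IAT slot with a function that calls the saved original and strips the entries it wants hidden from the result, the same call-the-original-and-filter pattern that the NtQuerySystemInformation SSDT hook uses to hide processes. The detector compares each IAT slot with the address the EAT publishes for that name. The file names, the `rk_` prefix and the toy tables are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed "file system" that the enumeration API reads from. */
static const char *FS[] = { "notes.txt", "rk_loader.exe", "photo.jpg", "rk_config.dat" };
#define FS_N (sizeof FS / sizeof FS[0])

typedef int (*enum_fn)(const char **out, int max);

/* The genuine export, standing in for a DLL API such as FindNextFileA:
 * fills `out` with file names and returns how many it wrote. */
static int enum_files(const char **out, int max)
{
    int n = 0;
    for (size_t i = 0; i < FS_N && n < max; i++) out[n++] = FS[i];
    return n;
}

/* Export address table of the "DLL": name -> real entry point. */
struct api_entry { const char *name; enum_fn addr; };
static const struct api_entry EAT[] = { { "enum_files", enum_files } };

/* The application's import address table, filled by the loader at start-up.
 * Application code calls through this slot, like CALL [CreateFileA] in the slides. */
static struct api_entry IAT[] = { { "enum_files", enum_files } };

static int app_list_files(const char **out, int max)
{
    return IAT[0].addr(out, max);
}

/* Rootkit side: keep the real address, then overwrite the IAT slot. The hook
 * calls the original and strips every entry it wants hidden from the result. */
#define HIDE_PREFIX "rk_"
static enum_fn saved_original;

static int hooked_enum_files(const char **out, int max)
{
    int n = saved_original(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0) out[kept++] = out[i];
    return kept;
}

static void install_iat_hook(void)
{
    saved_original = IAT[0].addr;
    IAT[0].addr = hooked_enum_files;
}

/* Detection: an import should resolve to the address the exporting module's
 * EAT publishes for that name. Count the slots that point somewhere else.
 * (Legitimate hooks and forwarded exports also trip this, which is why the
 * slides call benign and malicious hooks hard to tell apart.) */
static int count_hooked_imports(void)
{
    int hooked = 0;
    for (size_t i = 0; i < sizeof IAT / sizeof IAT[0]; i++)
        for (size_t j = 0; j < sizeof EAT / sizeof EAT[0]; j++)
            if (strcmp(IAT[i].name, EAT[j].name) == 0 && IAT[i].addr != EAT[j].addr)
                hooked++;
    return hooked;
}

static void show(const char *label)
{
    const char *names[8];
    int n = app_list_files(names, 8);
    printf("%s: %d entries, %d hooked import(s)\n", label, n, count_hooked_imports());
    for (int i = 0; i < n; i++) printf("  %s\n", names[i]);
}

int main(void)
{
    show("before hook");
    install_iat_hook();
    show("after hook");
    return 0;
}
```

Note what the detector does not cover: a late-bound call that resolves the address at run time never goes through the IAT slot, which is the limitation the slides give as the motivation for inline hooking.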
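An added example of the ActiveProcessLinks unlinking above, again constructed for these notes and not the Fu rootkit's code: an EPROCESS-like record with an embedded doubly linked list, the DKOM unlink, and a cross-view check that finds the hidden process by comparing the list walk against an independent view (a scan of the objects still present in the pool). That comparison of two views is the same idea behind detectors such as chkrootkit's chkproc and RootkitRevealer. Structure layouts, PIDs and process names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures named on the slides; the
 * real EPROCESS layout is not reproduced, only the embedded doubly linked list. */
struct list_entry { struct list_entry *flink, *blink; };
struct eprocess { unsigned pid; char name[16]; struct list_entry active_process_links; };

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

#define MAX_PROCS 8
static struct eprocess pool[MAX_PROCS];          /* the "kernel pool" holding EPROCESS objects */
static struct list_entry ps_active_process_head;  /* PsActiveProcessHead */
static unsigned nprocs;

static void init_processes(void)
{
    static const struct { unsigned pid; const char *name; } seed[] = {
        { 4, "System" }, { 612, "csrss.exe" }, { 1337, "fu_backdoor.exe" }, { 2040, "explorer.exe" }
    };
    ps_active_process_head.flink = ps_active_process_head.blink = &ps_active_process_head;
    memset(pool, 0, sizeof pool);
    nprocs = 0;
    for (size_t i = 0; i < sizeof seed / sizeof seed[0]; i++) {
        struct eprocess *p = &pool[nprocs++];
        p->pid = seed[i].pid;
        strncpy(p->name, seed[i].name, sizeof p->name - 1);
        /* InsertTailList */
        p->active_process_links.flink = &ps_active_process_head;
        p->active_process_links.blink = ps_active_process_head.blink;
        ps_active_process_head.blink->flink = &p->active_process_links;
        ps_active_process_head.blink = &p->active_process_links;
    }
}

/* The view an NtQuerySystemInformation-style enumeration gets: walk the list. */
static int list_via_links(unsigned *pids, int max)
{
    int n = 0;
    for (struct list_entry *e = ps_active_process_head.flink;
         e != &ps_active_process_head && n < max; e = e->flink)
        pids[n++] = CONTAINING_RECORD(e, struct eprocess, active_process_links)->pid;
    return n;
}

/* DKOM hiding, Fu-style: unlink the EPROCESS from ActiveProcessLinks and make
 * its own pointers self-referential, so the kernel's RemoveEntryList on process
 * exit touches only this entry instead of corrupting the list. The process keeps
 * running because the scheduler dispatches threads, not entries of this list. */
static int dkom_hide(unsigned pid)
{
    for (unsigned i = 0; i < nprocs; i++) {
        if (pool[i].pid != pid) continue;
        struct list_entry *e = &pool[i].active_process_links;
        e->blink->flink = e->flink;
        e->flink->blink = e->blink;
        e->flink = e->blink = e;
        return 1;
    }
    return 0;
}

/* Cross-view detection: compare the linked-list view against an independent one
 * (here, every EPROCESS object still present in the pool, which is what pool
 * scanning in memory forensics does). Returns the hidden PIDs. */
static int find_hidden(unsigned *hidden, int max)
{
    unsigned listed[MAX_PROCS];
    int nl = list_via_links(listed, MAX_PROCS), nh = 0;
    for (unsigned i = 0; i < nprocs && nh < max; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++) if (listed[j] == pool[i].pid) seen = 1;
        if (!seen) hidden[nh++] = pool[i].pid;
    }
    return nh;
}

int main(void)
{
    unsigned pids[MAX_PROCS], hidden[MAX_PROCS];
    init_processes();
    printf("visible before: %d processes\n", list_via_links(pids, MAX_PROCS));
    dkom_hide(1337);
    printf("visible after unlink: %d processes\n", list_via_links(pids, MAX_PROCS));
    int nh = find_hidden(hidden, MAX_PROCS);
    for (int i = 0; i < nh; i++) printf("cross-view: pid %u is hidden\n", hidden[i]);
    return 0;
}
```

The unlink changes no code and hooks nothing, which is why the slides file DKOM under "only data structures change": a hook detector that checks tables and code bytes sees nothing, and only a second, independent view of the same objects reveals the discrepancy.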

Different Types
- Binary replacement
- Library replacement
- Kernel modification: interrupt table, syscall table, syscall handler, RAM modification, other kernel structures

Binary Rootkits: Example LRK4

  chsh        Trojaned!  User -> r00t
  crontab     Trojaned!  Hidden crontab entries
  du          Trojaned!  Hide files
  fix         File fixer!
  ifconfig    Trojaned!  Hide sniffing
  inetd       Trojaned!  Remote access
  linsniffer  Packet sniffer!
  login       Trojaned!  Remote access
  ls          Trojaned!  Hide files
  netstat     Trojaned!  Hide connections
  passwd      Trojaned!  User -> r00t
  ps          Trojaned!  Hide processes
  rshd        Trojaned!  Remote access
  sniffchk    Program to check if sniffer is up and running
  syslogd     Trojaned!  Hide logs
  tcpd        Trojaned!  Hide connections, avoid denies
  top         Trojaned!  Hide processes
  wted        wtmp/utmp editor!
  z2          Zap2 utmp/wtmp/lastlog eraser!

Example: LRK4
- ifconfig: doesn't display the PROMISC flag when sniffing.
- login: allows login to any account with the rootkit password. If root login is refused on your terminal, log in as "rewt". Disables history logging when the backdoor is used.
- ls: hides files listed in /dev/ptyr. All files are shown with 'ls -/' if SHOWFLAG is enabled.
- passwd: enter your rootkit password instead of the old password to become root.
- ps: hides processes listed in /dev/ptyp.
- rshd: executes remote commands as root: rsh -l rootkitpassword host command
- syslogd: removes log entries matching strings listed in /dev/ptys.
- (Slides: LKM rootkit functionality; RKP rootkit functionality, not reproduced.)

Detecting Rootkits
How to Detect
- Keep a close eye on your system (e.g., file fingerprinting, centralized system logging).
- Notice unusual traffic with an IDS, etc.
- Notice unusual ports being used (this could also be botnet activity).

UNIX Tools: chkrootkit
- chkrootkit: a shell script that checks system binaries for rootkit modification.
- ifpromisc.c: checks if the interface is in promiscuous mode.
- chklastlog.c: checks for lastlog deletions.
- chkwtmp.c: checks for wtmp deletions.
- check_wtmpx.c: checks for wtmpx deletions (Solaris only).
- chkproc.c: checks for signs of LKM trojans.
- chkdirs.c: checks for signs of LKM trojans.
- strings.c: quick and dirty strings replacement.
- chkutmp.c: checks for utmp deletions.

UNIX Tools (cont'd): rkhunter
- http://www.rootkit.nl/projects/rootkit_hunter.html
- From their site: Rootkit Hunter is a scanning tool to assure you (to about 99.9%*) you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:

  - MD5 hash compare
  - Look for default files used by rootkits
  - Wrong file permissions for binaries
  - Look for suspected strings in LKM and KLD modules
  - Look for hidden files
  - Optional scan within plaintext and binary files

  Rootkit Hunter is released as a GPL licensed project and free for everyone to use.
  * No, not really 99.9%.. It's just another security layer.

Windows Tools: RootkitRevealer
- /ntw2k/freeware/rootkitreveal.shtml
- Interesting quote from the site: "The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior."

Windows Tools (cont'd): UnHackMe
- /unhackme/unhackme
- Windows NT4/2000/XP through SP2.
- What's new in version 2.5: added detection of AFX Rootkit 2005, Elite Keylogger, hidden processes.
- What's new in version 2.0: added detection and removal of AFX Rootkit and Vanquish Rootkit. UnHackMe monitor.
- Not GPL.

Windows Tools (cont'd): TaskInfo
- /taskinfo.html
- Used to look for rogue processes; works on Windows 95 through 2003 Server.
- TaskInfo shows information about all running processes and threads, including ring 0 VxD threads, and including most of the processes that want to be invisible, like worms, keyloggers and other spy software. Information about each process includes:
  - all threads (with details including thread start address and call stack with symbolic information if possible)
  - CPU usage (multiple CPUs supported)
  - memory usage
  - scheduling rate
  - path
  - opened files and handles
  - loaded modules (DLLs etc.)
  - command line
  - environment variables
  - version information
  - connections

Worms
- Autonomous, active code that can replicate to remote hosts without any triggering.
- A replicating but not infecting program.
- Because they propagate autonomously, they can spread much
