Raising The Bar For Windows Rootkit Detection


Raising The Bar For Windows Rootkit Detection
Authors: Sherri Sparks, Jamie Butler
Publication: Phrack Magazine, 2005
Presenter: Richard Bares
What is a Rootkit

- Code that tries to hide itself, along with other components, from detection by other software
- Can be used by virus detection software to hide from malicious code
- Can also be used by malicious code to hide from virus detection software
First generation Rootkits

- Replaced or modified key system files with maliciously enhanced versions
- Designed to avoid detection or perform other malicious actions
- Example: changing login programs to record passwords as well as verify them
Second Generation Rootkits

- Moved from changing files on the hard disk to changing memory
- Altered the execution path of application and operating system components instead of changing the targeted files themselves
Third generation Rootkits

- Direct Kernel Object Manipulation (DKOM)
- Targeted dynamically changing kernel data structures in the operating system
- Prevented detection software from getting a baseline reading
- Example: the FU rootkit
Detection of Rootkits

- Misuse detection: based on signatures
- Anomaly detection: based on statistical deviations from normal behavior
- Integrity detection: based on snapshots of file systems or memory compared to a baseline
Rootkit of the Future

- Code that does not try to hide by altering its own code but changes what detection software sees
- When detection software tries to access memory, the rootkit returns a fake view of the memory with itself removed
- Does this by gaining control of virtual memory on the computer system
Virtual Memory

[Diagram: a virtual address space with Page 1 to Page 6 beside a physical address space with Frame 1 to Frame 3; in the figure Page 1, Page 2 and Page 3 are paired with Frame 1, Frame 2 and Frame 3, while Page 4 to Page 6 have no frame]
Keeping Track Of Virtual Memory

- Page fault handler, which allows for swapping of large files
- Two Translation Lookaside Buffers (TLBs), which are used to keep track of frequently used instructions and data
Modified FU Rootkit

- Replaces the page fault handler code
- Modifies the data TLB to redirect data accesses of rootkit data by detection software to the wrong location
Taking over the TLB

[Diagram: a memory access to VPN = 12 is first classified as a code access or a data access. A code access goes through the instruction TLB, where VPN = 12 maps to Frame = 1, the frame holding the rootkit code (shown as Page 1 in the virtual address space). A data access goes through the data TLB, where VPN = 12 maps to Frame = 6, a frame of random garbage (shown as Page 6). Pages 1 to 6 of the virtual address space are drawn alongside]
Conclusion

- Could be a valid new form of rootkit on some systems
- The modified FU rootkit was able to hide from most detection attempts
- But more testing and modifications are needed
Contributions

- Added a new understanding of possible future developments in rootkits by attacking the x86 system architecture
- Ways to detect these attacks by looking at the page fault handler
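As an added illustration for the Detection of Rootkits, Taking over the TLB and Contributions slides (example code written for this transcript, not code from the Phrack paper, the FU rootkit or the presenter), the Python model below simulates a split instruction/data TLB at the level of abstraction the slides use: a signature scanner reads memory through the data TLB and misses the hidden page, while a check of where the page fault handler lives, the detection route the Contributions slide names, exposes the hook. The kernel image range, handler addresses, frame numbers and page contents are all constructed for the demo.

```python
"""
Toy model of an x86-style MMU with separate instruction and data TLBs.
Added example; not code from the paper, the FU rootkit or this talk.
Every address, frame number and byte string below is constructed.
"""

# Constructed kernel image bounds; a real check would take them from the
# loaded module list.
KERNEL_IMAGE = (0x80400000, 0x80600000)
GENUINE_PF_HANDLER_ADDR = 0x80412340   # inside the image (constructed)
HOOKED_PF_HANDLER_ADDR = 0xF7C01000    # outside the image (constructed)

HIDDEN_VPN = 12        # the VPN 12 from the slide
HIDDEN_FRAME = 1       # real frame holding the hidden page
GARBAGE_FRAME = 6      # "random garbage" frame shown to data reads
SIGNATURE = b"HIDDEN-CODE"

# Physical memory: frame number -> one 16-byte page (constructed contents)
PHYSICAL = {
    1: b"HIDDEN-CODE-0001",
    2: b"kernel text 0002",
    3: b"kernel data 0003",
    6: bytes(range(0x40, 0x50)),
}


def genuine_pf_handler(mmu, vpn, kind):
    """Normal handler: back the faulting page with its page-table frame."""
    frame, _ = mmu.page_table[vpn]
    mmu.tlb_for(kind)[vpn] = frame


def desync_pf_handler(mmu, vpn, kind):
    """Handler behaviour described on the slides, modelled abstractly: the
    hidden page stays not-present so every TLB miss faults; a code fetch is
    loaded into the ITLB with the real frame, a data read into the DTLB with
    the garbage frame.  Every other page is handled normally."""
    if vpn != HIDDEN_VPN:
        return genuine_pf_handler(mmu, vpn, kind)
    mmu.tlb_for(kind)[vpn] = HIDDEN_FRAME if kind == "code" else GARBAGE_FRAME


class MMU:
    def __init__(self, pf_handler, pf_handler_addr):
        # vpn -> (frame, present); the hidden page is deliberately not present
        self.page_table = {HIDDEN_VPN: (HIDDEN_FRAME, False),
                           13: (2, True), 14: (3, True)}
        self.itlb, self.dtlb = {}, {}
        self.pf_handler = pf_handler
        self.pf_handler_addr = pf_handler_addr   # stands in for the IDT #PF entry

    def tlb_for(self, kind):
        return self.itlb if kind == "code" else self.dtlb

    def access(self, vpn, kind):
        """Return the page bytes seen by a code fetch or a data read of vpn."""
        tlb = self.tlb_for(kind)
        if vpn not in tlb:                       # TLB miss: walk the page table
            frame, present = self.page_table[vpn]
            if present:
                tlb[vpn] = frame
            else:                                # not present: raise #PF
                self.pf_handler(self, vpn, kind)
        return PHYSICAL[tlb[vpn]]


def signature_scan(mmu):
    """Misuse detection: read every mapped page as data, look for the signature."""
    return [vpn for vpn in sorted(mmu.page_table)
            if SIGNATURE in mmu.access(vpn, "data")]


def pf_handler_hooked(mmu):
    """Check from the Contributions slide: the #PF handler must lie inside
    the kernel image; anything else points at a replaced handler."""
    lo, hi = KERNEL_IMAGE
    return not (lo <= mmu.pf_handler_addr < hi)


def views_disagree(mmu, vpn):
    """Model-only cross-view check: code and data views of one page should match."""
    return mmu.access(vpn, "code") != mmu.access(vpn, "data")


if __name__ == "__main__":
    clean = MMU(genuine_pf_handler, GENUINE_PF_HANDLER_ADDR)
    hooked = MMU(desync_pf_handler, HOOKED_PF_HANDLER_ADDR)
    print("clean  scan finds:", signature_scan(clean))    # [12]
    print("hooked scan finds:", signature_scan(hooked))   # []
    print("handler outside kernel image:", pf_handler_hooked(hooked))  # True
    print("views disagree on VPN 12:", views_disagree(hooked, HIDDEN_VPN))  # True
```

The scanner result is the point of the Weaknesses and Contributions slides in one run: because the hidden page is never marked present, the scanner's data reads keep faulting into the replaced handler and see only the garbage frame, so signature and snapshot comparisons over that page fail; but the replaced handler itself cannot be hidden, and its address falling outside the kernel image is what a detector can check.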
Weaknesses

- Does not work on 4 MB page blocks
- No way to hide the replaced page fault handler
- The modified rootkit has a performance impact on the installed system
- Only works on x86 CPUs