Information Security Rootkits Dr. Randy M. Kaplan 2 Rootkits What is


Information Security
Rootkits
Dr. Randy M. Kaplan
Rootkits
What is a Rootkit?
Been around for more than 10 years
A kit
consisting of small and useful programs
that allow an attacker to maintain access
to “root”
root is the user with the highest privilege
2
Rootkits
What is a rootkit?
a set of programs and code that allows a
permanent or consistent, undetectable
presence on a computer
the key word in this definition is
“undetectable”
3
What Can Rootkits Do?
Rootkits can hide code on a system
hide data on a system
Many rootkits can -
hide files
hide directories
4
What Can Rootkits Do?
Rootkits can also provide -
remote access
eavesdropping
sniffing packets from the network
5
Are Rootkits Bad?
Rootkits are not inherently bad
Not always used by the bad guys
Why?
A rootkit is just a technology
Its use makes it bad or good
7
Rootkits
Why Do Rootkits exist?
Rootkits are a relatively new phenomenon
Spying is a very old phenomenon
People want to see or control what other
people are doing
8
What are rootkits for?
Leaving a rootkit behind raises the
probability of detection
9
Sample Rootkit
Commands
ps
help
debugint
buffertest
sniffkeys
hidedir
echo <string>
hideproc
Legitimate Uses of
Rootkits
Used by law enforcement agencies to collect
evidence in an advanced bugging operation
Applies to any crime in which a computer is
used
Examples of crimes are computer trespass,
creating or distributing child pornography
11
How long have Rootkits
been around?
Methods used in modern rootkits are the same
methods used in viruses in the 1980s
These methods include modifying system tables
modifying memory
modifying program logic
12
How long have Rootkits
been around?
With the advent of Windows NT, virus writers
could no longer exploit key system tables
This caused a lapse in hard virus technology
No virus authors were using the new Windows
kernel
13
How long have Rootkits
been around?
With the advent of the Internet, which was
dominated by UNIX servers
viruses were very uncommon for this
operating system
This time is when network worms were born
The famous Morris Worm was a wake up
call to the profession
14
Hackers in the 1990’s
Hackers figure out how to exploit buffer
overflows
“the nuclear bomb of all exploits”
The virus writing community did not catch on
to this approach for more than a decade
15
Hackers in the 1990’s
A hacker would -
penetrate a system
set up camp
use a freshly compromised computer to
launch new attacks
16
Hackers in the 1990’s
Once a hacker penetrated a system
she needed to maintain access
Thus, the first rootkits were born
These rootkits were backdoor programs
they used very little stealth
In some cases they replaced key system
binaries with modified versions
17
Hackers in the 1990’s
These modified versions hide files and processes
For example on UNIX the program that
displays directories is named ls
Suppose a hacker replaces ls with one of
their own that is specially coded to never list a
file named “hacker_stuff”
18
Hackers in the 1990’s
Any time the hacker wanted to save
information they could simply save it in a file
named hacker_stuff
19
Response of the
Administrators
Administrators write programs like Tripwire
which determine whether a program has been
changed
In our example a program like Tripwire
could examine ls and determine it had been
altered
At that point the incursion is discovered
20
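The Tripwire idea from the two slides above (the trojaned ls and the integrity check that catches it), as an added C example that is not Tripwire's own code and not part of the original deck. It assumes a file at a constructed /tmp path as a stand-in for ls, and uses FNV-1a as a stand-in for the cryptographic digest a real tool records; the baseline-comparison logic is the same.

```c
#include <stdint.h>
#include <stdio.h>

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* FNV-1a 64-bit digest: a short stand-in for the cryptographic hash (MD5/SHA)
 * a real Tripwire baseline records; the baseline-comparison logic is identical. */
uint64_t fnv1a64_update(uint64_t h, const unsigned char *data, size_t len) {
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= FNV_PRIME; }
    return h;
}

/* Digest an entire file; *ok is cleared if the file cannot be read. */
uint64_t hash_file(const char *path, int *ok) {
    unsigned char buf[4096];
    uint64_t h = FNV_OFFSET; size_t n;
    FILE *f = fopen(path, "rb");
    *ok = 0;
    if (!f) return 0;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) h = fnv1a64_update(h, buf, n);
    fclose(f);
    *ok = 1;
    return h;
}

/* Compare a file with the digest recorded in the baseline: 1 = altered, 0 = unchanged, -1 = unreadable. */
int check_against_baseline(const char *path, uint64_t baseline_digest) {
    int ok;
    uint64_t now = hash_file(path, &ok);
    return ok ? (now != baseline_digest) : -1;
}
static int write_file(const char *path, const char *content) {
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    fputs(content, f);
    return fclose(f) == 0;
}

/* Replays the slide's scenario on a constructed stand-in file, not the real /bin/ls:
 * take the baseline while the system is trusted, then "replace" the binary. */
int demo_trojaned_ls(void) {
    const char *path = "/tmp/tripwire_demo_ls"; int ok;   /* constructed path for the example */
    if (!write_file(path, "original ls binary (constructed bytes)")) return -1;
    uint64_t baseline = hash_file(path, &ok);        /* recorded on the clean system */
    if (!ok || check_against_baseline(path, baseline) != 0) return -2;  /* no alarm yet */
    if (!write_file(path, "modified ls that never lists hacker_stuff")) return -1;
    return check_against_baseline(path, baseline);   /* 1: the altered ls is discovered */
}
```

An unreadable file (-1) should be treated as an alarm too, since a rootkit that hides the binary from the checker looks exactly like that.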
The Hackers Respond
(Uh-Oh)
Hackers naturally moved from the programs
that were external to the operating system into
the actual operating system
This core part of the operating system is called
the “kernel” (The term was coined by Orville
Redenbacher - can’t you hear the popping?)
21
The Hackers Respond
(Uh-Oh)
By moving into the kernel, hackers could
subvert ANY security utility on the computer at
the time
Trojan files were no longer needed
All stealth could be applied by modification of
the kernel
22
A Word From Orville
A kernel is a core part of an operating system
All operating systems have kernels
The kernel includes components that manage
memory, schedule processes, swap between
processes, and respond to interrupts
These fundamental functions, if changed,
compromise the operating system
23
How Do Rootkits Work?
Modification
a simple concept
software is designed to make specific
decisions on specific data
A rootkit modifies software so that the
decisions it makes are incorrect
24
Where are modifications
made?
Patching
Easter Eggs
Spyware Modifications
Source-Code Modification
25
Where are modifications
made?
Patching
Executable code consists of a series of
statements encoded as data bytes
The bytes come in a very specific order
Each byte means something to the
computer
An instruction or data for an instruction
26
Where are modifications
made?
Patching
The functioning of a piece of software can
be changed if the sequence of bytes is
changed
The technique is sometimes called patching
Similar to the idea of placing a patch of a
different color fabric on a quilt
27
Where are modifications
made?
Patching
Byte patching is one of the major
techniques used by “crackers” to remove
software protections
28
Where are modifications
made?
Easter Eggs
Software logic modifications may be built
into a piece of software
A programmer may place a backdoor in a
program
The back door is not documented
The software has a hidden feature
29
Where are modifications
made?
Easter Eggs
A programmer may leave something behind
as a signature
showing that they were the one who wrote the
program
Earlier versions of Microsoft Excel
contained an Easter Egg that allowed a
user who found it to play a Doom-like game
30
Where are modifications
made?
Spyware Modifications
Sometimes a program will modify another
program to infect it with spyware
Spyware can -
track the web sites visited
31
Where are modifications
made?
Spyware Modifications
Spyware may be difficult to detect
Some spyware will attach itself to a browser
or program shell making removal very
difficult
32
Where are modifications
made?
Source-Code Modification
Sometimes software is modified at the
source
A programmer can insert malicious lines of
source code into a program that she
authors
This possibility caused the military to avoid
using Linux
33
Where are modifications
made?
Source-Code Modification
Open-source projects allow almost anyone
(anyone, meaning someone you don’t know)
to add code to the sources
34
Where are modifications
made?
Source-Code Modification
For critical software like BIND, Apache, and
Sendmail there is peer review of code
Does anyone really look at every line of the
code that has been written?
35
What a Rootkit is Not
A Rootkit is not an exploit
A Rootkit is not a virus
36
A Rootkit is not an
Exploit
The rootkit may be used in conjunction with an
exploit
but the rootkit itself is a fairly straightforward set
of utility programs
The programs may use undocumented
functions and methods
They typically do not depend on software bugs
37
A Rootkit is not an
Exploit
A rootkit is typically deployed after a
successful software exploit
Hackers have many exploits available to them
On the other hand a hacker may only have
one or two rootkit programs
38
A Rootkit is not an
Exploit
A rootkit is not an exploit BUT a rootkit may employ an exploit
A rootkit usually requires access to the kernel
One or more programs start when the
system is booted
There are only a limited number of ways to get
software into the kernel
39
A Rootkit is not an
Exploit
For example, a component of a rootkit may
masquerade as a device driver
These methods can be detected
forensically
40
A Rootkit is not an
Exploit
A novel way to install a rootkit is to use a
software exploit
Many software exploits allow arbitrary code or
third-party software to be installed
Imagine that there is a buffer overflow in the
kernel that allows arbitrary code to be executed
41
Using a Software Exploit
Kernel buffer overflows can exist in almost any
device driver
On system startup a loader program can use
the buffer overflow to load a rootkit
The loader program does not employ any
documented methods for loading or
registering a device driver or otherwise
installing a rootkit
42
Using a Software Exploit
The loader exploits the buffer overflow to
install the kernel-mode parts of a rootkit
The buffer-overflow exploit is a mechanism for
loading code into the kernel
Most people think of this as a bug
The rootkit developer may think of this as an
undocumented feature
43
Using a Software Exploit
Because this feature is not documented this
path to the kernel is not likely to be included
as part of a forensic investigation
More importantly, it won’t be protected by a
host-based firewall program
It would take someone well versed in software
engineering to discover something like this
44
A Rootkit is Not a Virus
A virus program is a self-propagating
automaton
A rootkit does not make copies of itself
it does not have a mind of its own
A rootkit is under the control of a human
attacker while a virus is not
45
The Virus Problem
We know that a rootkit is not a virus
But the techniques used in a rootkit can easily
be employed by a virus
When a rootkit is combined with a virus a
very dangerous technology is born
46
The Virus Problem
Understanding rootkit technology is very
important in defending against viruses
Virus programmers have been using rootkits
for many years to “heat up” their viruses
A very dangerous trend
47
Software Exploits
There is a strong relationship between rootkits
and exploits
A rootkit may be employed as a part of an
exploit tool
Software exploits are in great supply
48
Software Exploits
A conjecture (reasonable)
At any point in time
there are more than 100
working exploitable holes in the latest
version of Microsoft Windows
(even more when a new version is
released)
49
Software Exploits
Some software bugs are found by
independent researchers
These may never be reported
They are “deadly” because no one knows
about them except the attacker
No defense against them
50
Software Exploits
Many exploits have been publicly known for
more than a year and are still being widely
exploited today
Even if a patch is available, most system
administrators don’t apply the patches in a
timely fashion
51
Software Exploits
Fixing bugs in an operating system is
extremely expensive AND
many bugs are not fixed for long periods of
time
If a bug is not made public, there is no
incentive to correct the bug
A company, eEye has devised a clever way to
make public serious vulnerabilities without
releasing details
52
Software Exploits
(eEye’s site no longer looks as it was
described)
But they do offer what they call a vulnerability
scanner for a single asset (one computer)
53
Type-Safe Languages
Programming languages that are type-safe are
more secure from certain exploits
Without type safety program data is just a
large ocean of bits
The program can grab any arbitrary handful of
bits and interpret them in limitless ways
regardless of the original purpose of the data
54
Type-Safe Languages
If the string “GARY” were placed in memory it
could be used as a 32-bit integer
0x47415259
1,195,463,257
55
Type-Safe Languages
In a type-safe language a string like “GARY”
would always be treated as a string
56
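The “GARY” reinterpretation on the slides above, as an added C example that is not part of the original deck: C has no type safety, so the same four bytes can be read as characters or as a 32-bit integer. Reading the bytes most-significant first gives the slide’s 0x47415259; the example also shows a caveat the slide leaves out, that on a little-endian host (x86) a program reading the bytes in host order sees 0x59524147 instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four bytes the slide places in memory (constructed for this example). */
static const char GARY[4] = { 'G', 'A', 'R', 'Y' };

/* Read the bytes exactly as a C program would if it pointed an integer at them.
 * memcpy is used rather than a pointer cast to keep the example free of
 * undefined behaviour, but nothing checks that these bytes were "a string". */
uint32_t gary_host_order(void) {
    uint32_t v;
    memcpy(&v, GARY, sizeof v);
    return v;
}

/* Assemble the bytes most-significant first: the 0x47415259 on the slide. */
uint32_t gary_big_endian(void) {
    const unsigned char *b = (const unsigned char *)GARY;
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* 1 if this host stores the least-significant byte first (x86, most ARM). */
int host_is_little_endian(void) {
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* The same lack of type safety runs the other way: write the integer
 * 0x47415259 most-significant byte first and read it back as text. */
void int_to_chars(uint32_t v, char out[5]) {
    out[0] = (char)(v >> 24); out[1] = (char)(v >> 16);
    out[2] = (char)(v >> 8);  out[3] = (char)v; out[4] = '\0';
}

int roundtrip_is_gary(void) {
    char s[5];
    int_to_chars(gary_big_endian(), s);
    return strcmp(s, "GARY") == 0;
}

int main(void) {
    printf("big-endian view : 0x%08x = %u\n", gary_big_endian(), gary_big_endian());
    printf("host-order view : 0x%08x on a %s-endian host\n", gary_host_order(),
           host_is_little_endian() ? "little" : "big");
    printf("0x47415259 read back as characters: %s\n", roundtrip_is_gary() ? "GARY" : "?");
    return 0;
}
```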
Exploits - still a problem
Need for software security known for a long
time
Exploits continue to be a problem
Root of the problem is the software itself
MOST SOFTWARE IS NOT SECURE
MOST SOFTWARE IS IMPLEMENTED
TODAY IN C and/or C++
57
Exploits - still a problem
C and/or C++, by their very nature introduce
severe security holes
58
Offensive Rootkit
Technologies
A good rootkit should be able to bypass any
security measures like
firewalls
intrusion-detection systems (IDSes)
Two primary types of IDSes
Network based (NIDS)
Host-based (HIDS)
59
Offensive Rootkit
Technologies
We will call all such systems, HIPS
host-based intrusion protection systems
60
HIPS
HIPS technology can be home-grown or
bought off the shelf
Blink (www.eEye.com)
61
62
HIPS
Integrity Protection Driver (IPD, Pedestal
Software, www.pedastal.com)
No longer exists
63
Pedestal Software
This might be why
64
HIPS
Entercept (www.networkassociates.com)
Entercept was purchased by McAfee
Associates
65
66
HIPS
Okena Storm Watch
Now, Cisco Security Agent
Cisco has retired this product
67
68
HIPS
LIDS
Linux Intrusion Detection System
(www.lids.org)
Does not look like it is current any longer
69
70
HIPS
Watchguard ServerLock
www.watchguard.com
71
72
HIPS
Open source IDSes
http://sectools.org/tag/ids/
73
NIDS
Network-based IDS
also a concern for rootkit developers
a well designed rootkit can evade a
production NIDS
74
NIDS
Network-based IDS
In theory, statistical analysis can detect
covert communication
In reality this is rarely done
Network connections to a rootkit will likely
use a covert channel hidden within
innocent-looking packets
75
NIDS
Network-based IDS
Important data transfer will be encrypted
76
Bypassing IDS/IPS
Two types
Active
Passive
77