Transcript Protection Against Rootkits “Defense In Depth”

Protection Against Rootkits
“Defense In Depth”
• The Symantec technology portfolio offers a multi-layered
defense including Network Filtering, Behavior Blocking and
Storage Filtering layers. All of these layers encompass a
wide variety of protection technologies which interact and
integrate together to provide a defense in-depth protection.
Rootkit Protection Highlights
• Network Filtering
• Vulnerability signatures allow protection prior to exploit knowledge
• Addresses changing paradigm, and shortening window between vulnerability
announcement and exploit discovery
• Provides protection from diskless threats and fast-moving network worms
• Dramatically reduces “time-to-protection” for customers, minimizing disruption
• Behavior Blocking technology
• Enumerate processes
• Analyze process behavior
• Score each process
• Automatic protection
• Storage Filtering Layer
• Direct Volume Scanning (VxMS) allows our engine to bypass the Windows
File System APIs and directly access the raw NTFS volume
Network Filtering
• The Network Filtering, is the first line of defense against attacks. This
layer examines incoming traffic and can stop threats before they have an
impact on the PC. Network filtering layer includes the Network Intrusion
Prevention System , and the desktop Firewall security technologies.
• Many of today’s threats including rootkits attempt to exploit known OS
and application vulnerabilities to execute their code on the PC. The
Network IPS engine (using it’s Generic Exploit Blocking capabilities) can
filter out attempts to exploit these vulnerabilities, thus keeping malware
from executing.
Intrusion Prevention System
rule tcp, tcp_flag&ack, daddr=$LOCALHOST, msg="[182.1] RPC DCOM buffer
overflow attempt detected", content="\x05\x00\x00\x03\x10\x00\x00\x00"(0,8)
SSH
HTTP
FTP
IM
Custom Sig Engine
GEB
SMTP
Signature IDS
RCP
Intrusion Prevention Features
• Deep packet inspection
• IDS engine allows admins to create their own signatures
• Uses signature format similar to SNORT™
• Regex support
• Signatures applied only to vulnerable applications
• Resistant to common and advanced evasion techniques
SMTP
RCP
SSH
HTTP
FTP
IM
Generic Exploit Blocking
Vulnerability Announcement
Vulnerability Exploit
Virus Signature
0 Day
<24 Hours
6-7 Days
~3 Hours Later
Generic Exploit Blocking
 Vulnerability-Based Signature
 Based on vulnerabilities’
characteristics
TruScanTM
 Proactive Threat Scan technology
 Behavior Analysis
Number of
Variants
Blocked
Single GEB
Signature
Threat
814
MS RPC DCOM
BO
Blaster
426
MS_RPC_NETDD
E_BO
W32.Mytob.IM@
mm
394
MS LSASS BO
Sasser
250
RPC_NETAPI32_B
O
W97M.Invert.B
121
NetBIOS MS NO
(TCP)
W32.Gaobot.AA
Y
Behavior Blocking technology
• The second layer of our multilayered protection is the Behavior Blocking
technology. This technology monitors the execution activity of code on
the PC and attempts to prevent the code from completing its malicious
activitiesAt this layer there are two main proactive technologies :
• TruScan
• Outbound Email Heuristic (OEH).
• All of these technologies have the capability of detecting threats
(including rootkits) executing on the PC and can automatically take action
on these threats. This protection layer does not rely on specific detection
signatures thus providing zero day protection against new threats release
in the wild.
TruScan (Proactive Threat Protection)
Enumerate
processes
Analyze
process behavior
Enumerate all
processes &
embedded
components
Assess behavior
& characteristics
of each
process
?
Score each
process
Automatic
protection
Detection
routines are
weighted &
processes are
classified
Malicious code
is identified,
reported &
automatically
mitigated
Storage Filtering Layer
• This layer is adds:
• AV engine, threat remediation engine ERASER (Extendable,
Replaceable, Advanced Side-Effects Repair),
• Direct Volume Scanning (VxMS)
• AutoProtect features.
• These are traditional signature-based technologies. These technologies
continue to demonstrate their efficacy as the baseline of defense.
Signature-base technology has a very low false positive rate, and is very
efficient in detecting and removing known threats on the PC
Direct Volume Scanning (VxMS)
• Our strong results are attributed to the integration of VxMS (Veritas
Mapping Service—a Veritas technology) into our Symantec products.
This technology allows our engine to bypass the Windows File System
APIs and directly access the raw NTFS volume. From a rootkit removal
perspective is important to understand that the Windows File System is
designed to have exclusive access to the volume. As such, any direct
modification can be unsafe while the system is running.
•
• To avoid harming system integrity, Symantec’s native application
disables the driver and then reboots the system, allowing removal and
clean up of the rootkit from the system. This method protects against
kernel-mode rootkits and is at the lowest level within the operating
system.
Improved Detection and Removal
– Not dependant on new releases
• Enhancements in SEP 11
– Lower level rootkit detection
– Admin specified homepage restore
– Surgical cookie cleanup
Direct Volume Access
– Improvements are ongoing
ERASER Today
• Repair engine (Eraser) is extensible
ERASER
MS File System API
User Mode
Kernel Mode
Windows File
System
Reboot
Volume Manager
Physical
Disk
Rootkit Hook Points