Recent Rootkit History

Download Report

Transcript Recent Rootkit History

Rootkits
What are they?
What do they do?
Where do they come from?
Introduction

Bill Richards
• Adjunct Professor at Rose Since 2004

Defense Information Systems Agency
• Defense Enterprise Computing Center – Oklahoma
City (Tinker AFB) since 1995
• Network Security Officer since 2002
• Responsible for the security for 9 remote networks



45+ Mainframes (IBM, UNISYS and TANDEM)
1400+ Mid-Tier Servers (UNIX and Windows)
400+ Network devices (Cisco, Juniper, Sidewinder, BigIP,
etc)
Rootkits are a serious threat to network and
system security and most administrators know little
about them

Defining characteristic is Stealth
• Viruses reproduce but rootkits
hide!



Difficult to detect
Difficult to remove
Carry a variety of payloads
•
•
•
•
•
Key loggers
Password Sniffers
Remote Consoles
Back doors
And more!!!
What is a Rootkit?




The term rootkit is old and pre-dates
MS Windows
It gets it’s name from the UNIX
superuser UserID - - root
aka administrator for windoze users
A rootkit does not typically not cause
deliberate damage
What is a Rootkit?


A collection files designed to hide from
normal detection by hiding processes,
ports, files, etc.
Typically used to hide malicious software
from detection while simultaneously
collecting information:
• userid’s
• Password
• ip addresses, etc

Some rootkits phone home and/or set up
a backdoors
What is a Rootkit?



A rootkit does NOT compromise a host by
itself
A vulnerability must be exploited to gain
access to the host before a rootkit can be
deployed
The purpose of a rootkit is NOT to gain
access to a system, but after being
installed, to preserve existing access and
support the goals of the bad guy
Recent Rootkit History
NAME
Troj/Stex-A
Troj/NTRootK-AS
Troj/RusDrp-D
Troj/Lager-R
Troj/Shellot-L
Troj/Dloadr-APN
Troj/Agent-DPN
Troj/Small-DLH
Troj/NetAtk-Gen
Troj/Goldun-EH
~
Linux/Rootkit-V
~
SunOS/Rootkit-B
~
OS
Discovered
Alias
Windows 10-Nov-06 TROJ_DLOADER.ESG
Windows 8-Nov-06 Generic RootKit.a
Windows 7-Nov-06 Win32/Rustock.NAE
Windows 7-Nov-06
Windows 6-Nov-06
Windows 4-Nov-06 Trojan-Downloader.Win32.Tiny.eo
Windows 4-Nov-06 Win32/TrojanDropper.Small.APR
Windows 4-Nov-06 Win32/TrojanClicker.Small.KJ
Windows 2-Nov-06 Backdoor.Win32.Zosu.a
Windows 2-Nov-06
~
~
~
Linux
Jan-06
~
~
~
SunOS
Dec-05
~
~
~
Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm
Rootkit History
1998 to 2002
NAME
OS
Discovered
Alias
~
~
~
~
Troj/RootKit-I
SunOS
Nov-02
Backdoor.HackDefender,
Linux/Rootkit-FKit Linux
Nov-02
FreeBSD.Rootkit FreeBSD
Oct-02
Linux/Kokain
Linux
Aug-02
Troj/Rootkit-A
Linux
Jun-02
Troj/Rootkit-C
Linux
Feb-02
Beastkit 7.0
Linux
Jan-02
Linux/RootKit-BTM Linux
Oct-01
Hacktool.Rootkit Windows
Sep-01
Linux/Rootkit
Linux
Apr-01
Troj/Lrk4
Linux
Mar-01
Troj/T0rn-Kit
Linux
Mar-01
Linux/Rootkit-Knark Linux
Mar-01
Linux/Rootkit-Lrk
Linux
Nov-98
Source: http://www.antirootkit.com/stealthware/rootkit-list-1998-2002.htm
How rootkits work

A vulnerable system is detected and targeted
• unpatched, zero-day exploit, poor configuration,
etc.




The targeted system is exploited host via
automated or manual means
Root or Administrator access is obtained
Payload is installed
Rootkit is activated and redirects system calls
• Prevents the OS from “seeing” rootkit processes
and files EVEN AFTER host is patched and original
malware is removed
How rootkits work
docs
rootkit
windows
rootkit filters the
results to hide itself
Rootkit
DLL
dir c:\
docs
ReadFile()
DLL “tricked” into
thinking it can’t
execute command,
calls rootkit
rootkit
windows
NTFS command
DLL
C:\
Common Windows rootkits
•
•
Hacker Defender (Hxdef)
•
A rootkit for Windows NT 4.0, Windows 2000 and Windows XP
•
Avoids antivirus detection
•
Is able to hook into the Logon API to capture passwords
•
The developers accept money for custom versions that avoid
all detectors
FU
•
Nullifies Windows Event Viewer
•
Hides Device Drivers
•
Recently added “Shadow Walking”
(Read Phrack63)
Common UNIX rootkits

SucKIT
• Loaded through /dev/kmem
• Provides a password protected remote access connect-back shell
initiated by a spoofed packet
• This method bypasses most of firewall configurations)
• Hides processes, files and connections

Adore
•
•
•
•

Hides files, processes, services, etc.
Can execute a process (e.g. /bin/sh) with root privileges.
Controlled with a helper program ava
Cannot be removed by the rmmod command
kis
• A client/server system to remotely control a machine,
with a kernel rootkit as the server on the remotely
controlled machine
• It can hide processes, files, connections, redirect
execution, and execute commands.
• It hides itself and can remove security modules already
loaded
Detection & Removal
• Detection that doesn’t always work:
• Antivirus (Norton, McAfee, AVG, etc.)
• Anti-Spyware (AdAware, Giant, Spybot, etc.)
• Port Scanning
• Manually Looking
• Detection that can work:
• Sudden System Instability/Sluggishness
• Sudden Spike in Traffic
•MS RootkitRevealer
• F-Secure Black Light
Detection & Removal
“list running processes”
“nothing to see here”
“Hooked”
DLL
Compromised OS
Rootkit
“Online” detection (ex: virus scans) relies on
the OS’s API to report files and processes. The
API has been “hooked,” however, so the rootkit
remains concealed.
Detection & Removal
“list running processes”
“nothing found”
“Hooked”
DLL
Compromised OS
Black Light
Rootkit Revealer
Etc.
Results !=
Possible
Rootkit
Alternate
API
“something found”
Rootkit
Detection compares the results of the OS’s API with the
results of a clean API (Raw) provided by the tool.
Discrepancies are potentially rootkits
Detection & Removal
“list running processes”
Compromised OS
Knoppix
WindowsPE
W.O.L.F.
Etc.
Alternate
OS
Rootkit
“rootkit detected”
Doing an “Offline” detection with a different OS
to report files and processes. If the alternate
OS is clean, the rootkit will be detected.
Detection & Removal

Only 100% sure removal:
• Format drive and a clean install

Some tools can remove some rootkits
• But what was hidden may not get cleaned
• You cannot trust a system that’s been rootkit’ed

Passwords on the rootkit’ed system are
suspect
• So change your passwords on the clean host
Prevention

Keep hosts updated
• OS
• Applications

Limit host exposure
• Un-needed services


Use Firewalls
Situational Awareness
• CERT, Bugtraq, Security Web sites, etc.
Some Reference Sites



http://www.rootkit.com
http://www.packetstormsecurity.org
http://www.rootkit.nl
Questions?
Questions?