honeypot-rootkit
Acknowledgement
Some contents on honeypot are from
http://staff.washington.edu/dittrich/talks/arohoneynets.ppt
What Is a Honeypot?
Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner)
Concrete definition: “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
Example of a Simple Honeypot
Install a vulnerable OS and software on a machine
Install monitoring or IDS software
Connect it to the Internet (with a global IP)
Wait and monitor while it is scanned, attacked and compromised
Finish the analysis, then clean the machine
Benefit of Deploying Honeypots
Risk mitigation:
Lure an attacker away from the real production systems (“easy target”).
IDS-like functionality:
Since no legitimate traffic should take place to or from the honeypot, any traffic that appears is malicious and can initiate further actions.
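As an added example (not part of the original slides), a small detector in the spirit of the IDS-like property above: every connection to a honeypot address is suspect, so the script reads constructed iptables-style log lines, keeps only traffic to an assumed honeypot address and reports each source with the ports it touched.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (not real captures). 192.0.2.10 is the
# assumed honeypot; 192.0.2.50 stands in for a production host.
LOG = """\
Jan 10 03:12:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
Jan 10 03:12:01 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
Jan 10 03:12:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
Jan 10 03:12:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
Jan 10 03:15:40 gw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
Jan 10 03:16:00 gw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.50 PROTO=TCP DPT=80 SYN
"""
HONEYPOTS = {"192.0.2.10"}
FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def honeypot_alerts(log, honeypots, scan_threshold=3):
    """Return one alert per source that touched a honeypot address.

    No legitimate traffic should reach a honeypot, so a single packet is
    enough to alert; a source touching scan_threshold or more distinct
    ports is additionally labelled as a port scan.
    """
    ports_by_src = defaultdict(set)
    for line in log.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue  # unrelated log line
        src, dst, _proto, dpt = m.groups()
        if dst in honeypots:
            ports_by_src[src].add(int(dpt))
    alerts = []
    for src, ports in sorted(ports_by_src.items()):
        kind = "scan" if len(ports) >= scan_threshold else "probe"
        alerts.append({"src": src, "kind": kind, "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for alert in honeypot_alerts(LOG, HONEYPOTS):
        print(f"{alert['kind']:5} from {alert['src']} ports {alert['ports']}")
```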
Benefit of Deploying Honeypots
Attack analysis:
Find out the reasons and strategies behind why and how you are attacked.
Binary and behavior analysis of captured malicious code.
Evidence:
Once the attacker is identified, all data captured may be used in a legal procedure.
Increased knowledge
Honeypot Classification
High-interaction honeypots: a full, working OS is provided to be attacked, typically in a VMware virtual environment; several VMware virtual hosts can run in one physical machine.
Low-interaction honeypots: only emulate specific network services; no real interaction or OS. Example: Honeyd.
Honeynet/honeyfarm: a network of honeypots.
Low-Interaction Honeypots
Pros:
Easy to install (simple program)
No risk (no vulnerable software to be attacked)
One machine supports hundreds of honeypots, covering hundreds of IP addresses
Can distinguish most attacks on the same port
Cons:
No real interaction to be captured
Limited logging/monitoring functions
Hard to detect unknown attacks; hard to generate filters
Easily detectable by attackers
Emulation of Services
```sh
#!/bin/bash
# Fragment of a honeyd-style FTP service emulation script: each client
# command gets a canned RFC 959 reply, nothing is really executed.
# Added to make the fragment runnable: $domain, the read loop and the
# closing of the case statement; the original continues with USER etc.
domain="example.com"   # assumed value; set by the original script elsewhere
while read -r line; do
    cmd=$(printf '%s' "$line" | tr -d '\r' | tr '[:lower:]' '[:upper:]')
    case "$cmd" in
    QUIT* )
        echo -e "221 Goodbye.\r"
        exit 0;;
    SYST* )
        echo -e "215 UNIX Type: L8\r"
        ;;
    HELP* )
        echo -e "214-The following commands are recognized (* =>'s unimplemented).\r"
        echo -e "   USER    PORT    STOR    MSAM*   RNTO    NLST    MKD     CDUP\r"
        echo -e "   PASS    PASV    APPE    MRSQ*   ABOR    SITE    XMKD    XCUP\r"
        echo -e "   ACCT*   TYPE    MLFL*   MRCP*   DELE    SYST    RMD     STOU\r"
        echo -e "   SMNT*   STRU    MAIL*   ALLO    CWD     STAT    XRMD    SIZE\r"
        echo -e "   REIN*   MODE    MSND*   REST    XCWD    HELP    PWD     MDTM\r"
        echo -e "   QUIT    RETR    MSOM*   RNFR    LIST    NOOP    XPWD\r"
        echo -e "214 Direct comments to ftp@$domain.\r"
        ;;
    USER* )
        # the original script continues here (USER and the remaining commands)
        ;;
    esac
done
```
High-Interaction Honeypots
Pros:
Real OS, captures all attack traffic/actions
Can discover unknown attacks/vulnerabilities
Can capture and analyze code behavior
Cons:
Time-consuming to build/maintain
Time-consuming to analyze attacks
Risk of being used as a stepping stone
High computer resource requirements
Honeynet
A network of honeypots
High-interaction honeynet: a distributed network composed of many honeypots
Low-interaction honeynet: emulate a virtual network in one physical machine. Example: honeyd
Gen II Honeynet
Data Control
Prevent a honeypot from being used by attackers to attack others (legal/ethical issues)
The Evolution of Malware
Malware, including spyware, adware and viruses, wants to be hard to detect and/or hard to remove.
Rootkits are a fast-evolving technology to achieve these goals: cloaking technology applied to malware, not malware by itself.
Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm
Rootkit history
Appeared as stealth viruses: one of the first known PC viruses, Brain, was stealth.
First “rootkit” appeared on SunOS in 1994: replacement of core system utilities (ls, ps, etc.) to hide malware processes.
Cloaking
Modern rootkits can cloak:
Processes
Services
TCP/IP ports
Files
Registry keys
User accounts
Several major rootkit technologies:
User-mode API filtering
Kernel-mode API filtering
Kernel-mode data structure manipulation
Process hijacking
Visit www.rootkit.com for tools and information
User-Mode API Filtering
Attack user-mode system query APIs
[Diagram: Taskmgr.exe queries through Ntdll.dll in user mode; the rootkit hooks the user-mode API and filters the process list the kernel returns (Explorer.exe, Malware.exe, Winlogon.exe), so Taskmgr.exe sees only Explorer.exe, Winlogon.exe]
Con: can be bypassed by going directly to kernel-mode APIs
Pro: can infect unprivileged user accounts
Examples: HackerDefender, Afx
Kernel-Mode API Filtering
Attack kernel-mode system query APIs
[Diagram: Taskmgr.exe queries through Ntdll.dll, which crosses into kernel mode; the rootkit filters the kernel-mode query API, so the list returned to user mode (Explorer.exe, Winlogon.exe) omits Malware.exe from the real process list (Explorer.exe, Malware.exe, Winlogon.exe)]
Cons:
Requires admin privilege to install
Difficult to write
Pro: very thorough cloak
Example: NT Rootkit
Kernel-Mode Data Structure Manipulation
Also called Direct Kernel Object Manipulation (DKOM)
Attacks active process data structure
Query API doesn’t see the process
Kernel still schedules process’ threads
[Diagram: active processes list holding Explorer.exe, Malware.exe, Winlogon.exe; Malware.exe is unlinked from the list so a query API doesn’t see it]
Cons:
Requires admin privilege to install
Can cause crashes
Detection already developed
Pro: more advanced variations possible
Example: FU
Process Hijacking
Hide inside a legitimate process
[Diagram: malware running inside Explorer.exe]
Con: doesn’t survive reboot
Pro: extremely hard to detect
Example: Code Red
Detecting Rootkits
All cloaks have holes
Leave some APIs unfiltered
Have detectable side effects
Can’t cloak when OS is offline
Rootkit detection attacks holes
Cat-and-mouse game
Several examples
Microsoft Research Strider/Ghostbuster
RKDetect
Sysinternals RootkitRevealer
F-Secure BlackLight
Simple Rootkit Detection
Perform a directory listing online and compare with a secure alternate OS boot (see http://research.microsoft.com/rootkit/ )
Offline OS is Windows PE, ERD Commander, BartPE
dir /s /ah * > dirscan.txt
windiff dirscanon.txt dirscanoff.txt
This won’t detect non-persistent rootkits that save to disk during shutdown
RootkitRevealer
RootkitRevealer (RKR) runs online
RKR tries to bypass rootkit to uncover cloaked objects
All detectors listed do the same
RKR scans HKLM\Software, HKLM\System and the file system
Performs Windows API scan and compares with raw data structure scan
RootkitRevealer
[Diagram: the filtered Windows API view, with the rootkit in the path, omits malware files and keys; the raw file system and raw Registry hive scan still shows them, so malware files and keys are visible in the raw scan]
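An added example (not the slides’ own code, and not RootkitRevealer’s) of the cross-view idea behind both the online-versus-offline directory diff and RKR’s API-versus-raw comparison: two constructed dir-style listings, one from the running (possibly filtered) system and one from a clean alternate boot, are parsed into path sets and diffed; anything the raw view has that the online view lacks is a candidate cloaked object.

```python
import re

# Constructed listings in a simplified `dir /s`-style format (not real scan
# output). ONLINE is what the running, possibly rootkit-filtered, Windows API
# reports; OFFLINE is the same volume listed from a clean alternate boot.
ONLINE = r"""
 Directory of C:\Windows\System32
05/02/2006  10:31 AM    <DIR>          drivers
05/02/2006  10:31 AM            12,288 sample.dll
 Directory of C:\Windows\System32\drivers
05/02/2006  10:31 AM            45,056 sample.sys
"""
OFFLINE = r"""
 Directory of C:\Windows\System32
05/02/2006  10:31 AM    <DIR>          drivers
05/02/2006  10:31 AM            12,288 sample.dll
05/02/2006  10:31 AM    <DIR>          hiddendir
 Directory of C:\Windows\System32\drivers
05/02/2006  10:31 AM            45,056 sample.sys
05/02/2006  10:31 AM             8,192 hidden.sys
"""
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+(?:<DIR>|[\d,]+)\s+(.+?)\s*$")


def parse_listing(text):
    """Return the set of full paths named in a dir /s style listing."""
    paths, current = set(), None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1).rstrip("\\")
            continue
        m = ENTRY_RE.match(line)
        if m and current and m.group(1) not in (".", ".."):
            paths.add(current + "\\" + m.group(1))
    return paths


def cross_view_diff(online, offline):
    """Cross-view comparison: paths the raw/offline view has but the online
    API view omits are candidate cloaked objects; the reverse set is noise."""
    on, off = parse_listing(online), parse_listing(offline)
    return {"hidden_online": sorted(off - on), "only_online": sorted(on - off)}


if __name__ == "__main__":
    print(cross_view_diff(ONLINE, OFFLINE))
```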
Demo
HackerDefender
HackerDefender before and after view of file system
Detecting HackerDefender with RootkitRevealer
Dealing with Rootkits
Unless you have specific uninstall instructions from an authoritative source: reformat the system and reinstall Windows!
Don’t rely on the “rename” functionality offered by some rootkit detectors:
It might not have detected all of a rootkit’s components
The rename might not be effective