honeypot-rootkit


Acknowledgement

Some content on honeypots is taken from:

http://staff.washington.edu/dittrich/talks/arohoneynets.ppt
What Is a Honeypot?

Abstract definition:
“A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner)

Concrete definition:
“A honeypot is a fake vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
Example of a Simple Honeypot

1. Install a vulnerable OS and vulnerable software on a machine.
2. Install monitoring or IDS software.
3. Connect the machine to the Internet with a globally routable IP address.
4. Wait, and monitor it being scanned, attacked and compromised.
5. Finish the analysis, then clean (rebuild) the machine.
Benefit of Deploying Honeypots

- Risk mitigation: lure an attacker away from the real production systems by offering an “easy target”.
- IDS-like functionality: since no legitimate traffic should go to or from the honeypot, any traffic that does appear is suspicious by definition and can trigger further action.
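The IDS-like use described above, as an added example that is not part of the original slides: a small Python filter that reads iptables-style LOG lines and raises an alert for every flow that touches a honeypot address, rating flows that leave the honeypot as the most severe, since a honeypot never has a reason to initiate anything. The honeypot block 203.0.113.0/29 (a documentation range), the log lines and the field layout are all constructed for the example.

```python
"""Honeypot as IDS: any flow to or from a honeypot address is an alert.

Added example, not from the original slides. Assumptions: the honeypot block
203.0.113.0/29, the iptables-style LOG line layout and the sample lines
below are all constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Address block reserved for honeypots (hypothetical). Nothing legitimate
# should ever talk to these addresses, and they should never talk out.
HONEYPOT_NET = ipaddress.ip_network("203.0.113.0/29")

# Fields of an iptables LOG line that matter here; DPT is absent for ICMP.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?DPT=(?P<dport>\d+))?"
)


@dataclass
class Alert:
    severity: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    reason: str


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the flow touches a honeypot, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    proto = m["proto"]
    dport = int(m["dport"]) if m["dport"] else None
    if src in HONEYPOT_NET:
        # The honeypot itself is initiating traffic: it has no reason to, so
        # this is the strongest signal (compromise, stepping-stone use).
        return Alert("critical", str(src), str(dst), proto, dport,
                     "outbound connection from honeypot")
    if dst in HONEYPOT_NET:
        # Inbound probe or attack: suspicious by definition, no baseline needed.
        return Alert("high", str(src), str(dst), proto, dport,
                     "inbound traffic to honeypot")
    return None


def alerts_for(lines) -> List[Alert]:
    return [a for a in map(classify, lines) if a is not None]


# Constructed sample log (not real traffic). Line 3 hits a non-honeypot host.
SAMPLE_LOG = [
    "Jan  5 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=40231 DPT=21",
    "Jan  5 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=40232 DPT=22",
    "Jan  5 10:02:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.40 DST=203.0.113.99 LEN=60 PROTO=TCP SPT=5000 DPT=80",
    "Jan  5 10:05:17 gw kernel: IN=eth1 OUT= SRC=203.0.113.2 DST=192.0.2.9 LEN=60 PROTO=TCP SPT=33000 DPT=6667",
    "Jan  5 10:05:20 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=84 PROTO=ICMP TYPE=8",
]

if __name__ == "__main__":
    for a in alerts_for(SAMPLE_LOG):
        print(f"[{a.severity}] {a.src} -> {a.dst} {a.proto}/{a.dport}: {a.reason}")
```

The point of the severity split: inbound hits tell you someone is scanning, but a flow whose source is the honeypot means the box has already been taken and is being used against someone else, which is exactly the case data control (below) has to contain.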
Benefit of Deploying Honeypots

- Attack analysis: find out why and how you are attacked (the attacker's motives and strategies); binary and behavioral analysis of captured malicious code.
- Evidence: once the attacker is identified, all captured data may be used in legal proceedings.
- Increased knowledge.
Honeypot Classification

- High-interaction honeypots
  - A full, working OS is provided to be attacked
  - Typically a VMware virtual environment; several VMware virtual hosts can run on one physical machine
- Low-interaction honeypots
  - Only emulate specific network services
  - No real interaction and no real OS behind the emulated services
  - Example: Honeyd
- Honeynet / honeyfarm
  - A network of honeypots
Low-Interaction Honeypots

Pros:
- Easy to install (a simple program)
- Little risk: there is no real vulnerable software to be compromised, only the emulator itself
- One machine supports hundreds of honeypots and covers hundreds of IP addresses
- Can distinguish most attacks on the same port

Cons:
- No real interaction is captured beyond the emulated dialogue
- Limited logging and monitoring
- Hard to detect unknown attacks; hard to generate filters/signatures for them
- Easily detected by attackers, because the emulation is shallow
Emulation of Services

Shell script emulating an FTP server's command responses (the kind of per-port script a low-interaction honeypot such as honeyd runs). The slide showed only the QUIT, SYST and HELP branches and broke off at USER; the banner, the read loop, the USER/PASS replies and the catch-all branch are added here so the fragment runs as written.

#!/bin/bash
# FTP service emulation: answer each client command with a canned reply.
# Nothing is executed and no files exist; the goal is to look like a real
# server long enough to log what the attacker tries.
# Added to the slide's fragment: the $domain default, the banner, the read
# loop, the USER/PASS replies and the catch-all branch.
domain=${1:-example.com}

echo -e "220 $domain FTP server ready.\r"

while read -r line; do
    # Log every command verbatim for later analysis (stderr here; a real
    # deployment writes to the honeypot's log).
    echo "$(date -u +%FT%TZ) cmd: $line" >&2
    case "$line" in
        QUIT* )
            echo -e "221 Goodbye.\r"
            exit 0;;
        SYST* )
            echo -e "215 UNIX Type: L8\r"
            ;;
        HELP* )
            echo -e "214-The following commands are recognized (* =>'s unimplemented).\r"
            echo -e "   USER    PORT    STOR    MSAM*   RNTO    NLST    MKD     CDUP\r"
            echo -e "   PASS    PASV    APPE    MRSQ*   ABOR    SITE    XMKD    XCUP\r"
            echo -e "   ACCT*   TYPE    MLFL*   MRCP*   DELE    SYST    RMD     STOU\r"
            echo -e "   SMNT*   STRU    MAIL*   ALLO    CWD     STAT    XRMD    SIZE\r"
            echo -e "   REIN*   MODE    MSND*   REST    XCWD    HELP    PWD     MDTM\r"
            echo -e "   QUIT    RETR    MSOM*   RNFR    LIST    NOOP    XPWD\r"
            echo -e "214 Direct comments to ftp@$domain.\r"
            ;;
        USER* )
            echo -e "331 Password required.\r"
            ;;
        PASS* )
            echo -e "230 User logged in.\r"
            ;;
        * )
            echo -e "500 Command not understood.\r"
            ;;
    esac
done
High-Interaction Honeypots

Pros:
- Real OS; captures all attack traffic and actions
- Can discover unknown attacks and vulnerabilities
- Can capture and analyze code behavior

Cons:
- Time-consuming to build and maintain
- Time-consuming to analyze attacks
- Risk of being used as a stepping stone to attack others
- High computing resource requirements
Honeynet

- A network of honeypots
- High-interaction honeynet: a distributed network composed of many real honeypots
- Low-interaction honeynet: emulates a virtual network on one physical machine (example: honeyd)
Gen II Honeynet
Data Control

- Prevent a honeypot from being used by attackers to attack others (legal and ethical issues): traffic initiated by the honeypot must be limited or blocked, while inbound traffic stays open so the honeypot can still be attacked.
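Data control, as an added example that is neither from the slides nor the Honeynet Project's own Honeywall code: a Python sliding-window limiter that counts the connections each honeypot initiates per protocol and drops everything over a per-hour budget, so a compromised honeypot can reach out just enough to show the attacker's next moves but cannot be used as a stepping stone at scale. Inbound traffic is never limited. The per-protocol budgets, the honeypot block 203.0.113.0/29 and the event stream are assumptions made for the example.

```python
"""Data control for a honeynet: limit what a honeypot may initiate outbound.

Added example, not from the slides and not the Honeynet Project's Honeywall.
Assumptions: the per-protocol budgets, the honeypot block 203.0.113.0/29 and
the event stream below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

HONEYPOT_NET = ipaddress.ip_network("203.0.113.0/29")   # hypothetical block

# Outbound connections each honeypot may open per window, per protocol
# (assumed numbers; tune to how much attacker activity you want to observe).
LIMITS: Dict[str, int] = {"TCP": 20, "UDP": 20, "ICMP": 50}
DEFAULT_LIMIT = 10
WINDOW_SECONDS = 3600


class OutboundLimiter:
    """Sliding-window counter keyed by (honeypot address, protocol)."""

    def __init__(self, limits=None, window=WINDOW_SECONDS):
        self.limits = dict(LIMITS if limits is None else limits)
        self.window = window
        self._allowed: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def decide(self, ts: float, src: str, proto: str) -> str:
        q = self._allowed[(src, proto)]
        while q and ts - q[0] >= self.window:      # expire entries outside the window
            q.popleft()
        if len(q) >= self.limits.get(proto, DEFAULT_LIMIT):
            return "DROP"
        q.append(ts)
        return "ACCEPT"


def apply_data_control(events, limiter: OutboundLimiter) -> List[Tuple]:
    """events: (ts, src, dst, proto). Inbound traffic is always accepted so the
    honeypot stays attackable; only honeypot-initiated flows are budgeted."""
    verdicts = []
    for ts, src, dst, proto in events:
        if ipaddress.ip_address(src) in HONEYPOT_NET:
            verdict = limiter.decide(ts, src, proto)
        else:
            verdict = "ACCEPT"
        verdicts.append((ts, src, dst, proto, verdict))
    return verdicts


# Constructed events: an attacker connects in, then the compromised honeypot
# tries to fan out to 25 hosts within seconds (a classic stepping-stone
# pattern), then makes one more attempt an hour later.
SAMPLE_EVENTS = (
    [(0.0, "198.51.100.7", "203.0.113.2", "TCP")]
    + [(1.0 + i, "203.0.113.2", f"192.0.2.{i + 1}", "TCP") for i in range(25)]
    + [(3700.0, "203.0.113.2", "192.0.2.200", "TCP")]
)


def run_demo(limits=None) -> List[str]:
    """Verdict per sample event, in order."""
    return [row[-1] for row in apply_data_control(SAMPLE_EVENTS, OutboundLimiter(limits))]


if __name__ == "__main__":
    for row in apply_data_control(SAMPLE_EVENTS, OutboundLimiter()):
        print(row)
```

A real deployment enforces this on an inline bridge in front of the honeypots (so the honeypot itself holds no evidence of the control) and logs every DROP, since each one is an attempt the attacker made that you could not otherwise see.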
The Evolution of Malware

- Malware, including spyware, adware and viruses, wants to be hard to detect and/or hard to remove
- Rootkits are a fast-evolving technology for achieving these goals
  - Cloaking technology applied to malware
  - Not malware by itself
  - Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm
Rootkit history

- Appeared first as stealth viruses: one of the first known PC viruses, Brain, was a stealth virus
- The first “rootkit” appeared on SunOS in 1994: replacement of core system utilities (ls, ps, etc.) to hide malware files and processes
Cloaking

- Modern rootkits can cloak:
  - Processes
  - Services
  - TCP/IP ports
  - Files
  - Registry keys
  - User accounts
- Several major rootkit technologies:
  - User-mode API filtering
  - Kernel-mode API filtering
  - Kernel-mode data structure manipulation
  - Process hijacking
- Visit www.rootkit.com for tools and information
User-Mode API Filtering

- Attacks user-mode system query APIs: the rootkit filters the results that come back through Ntdll.dll inside the querying process (e.g. Taskmgr.exe), so the kernel returns the real process list Explorer.exe, Malware.exe, Winlogon.exe but the application is shown Explorer.exe, Winlogon.exe
- Con: can be bypassed by going directly to the kernel-mode APIs
- Pro: can be installed from an unprivileged user account
- Examples: HackerDefender, Afx
Kernel-Mode API Filtering

- Attacks kernel-mode system query APIs: the filter sits in the kernel, below Ntdll.dll, so every user-mode application (Taskmgr.exe, Explorer.exe, Winlogon.exe, ...) receives the filtered list Explorer.exe, Winlogon.exe while the real list is Explorer.exe, Malware.exe, Winlogon.exe
- Cons:
  - Requires admin privilege to install
  - Difficult to write
- Pro: very thorough cloak
- Example: NT Rootkit
Kernel-Mode Data Structure Manipulation

- Also called Direct Kernel Object Manipulation (DKOM)
- Attacks the kernel's active-process data structure: the malware's entry is unlinked from the list of active processes (Explorer.exe, Malware.exe, Winlogon.exe), so
  - the query API doesn't see the process, but
  - the kernel still schedules the process's threads
- Cons:
  - Requires admin privilege to install
  - Can cause crashes
  - Detection already developed
- Pro: more advanced variations possible
- Example: FU
Process Hijacking

- Hide inside a legitimate process (e.g. malware code running within Explorer.exe)
- Con: doesn't survive a reboot
- Pro: extremely hard to detect
- Example: Code Red
Detecting Rootkits

- All cloaks have holes:
  - Some APIs are left unfiltered
  - The cloak has detectable side effects
  - Nothing can be cloaked when the OS is offline
- Rootkit detection attacks those holes: a cat-and-mouse game
- Several examples:
  - Microsoft Research Strider/Ghostbuster
  - RKDetect
  - Sysinternals RootkitRevealer
  - F-Secure BlackLight
Simple Rootkit Detection

- Perform a directory listing online, then boot a secure alternate OS, repeat the listing offline and compare the two (see http://research.microsoft.com/rootkit/ )
- The offline OS can be Windows PE, ERD Commander or BartPE
- Online:  dir /s /ah * > dirscanon.txt
- Offline: dir /s /ah * > dirscanoff.txt
- Compare: windiff dirscanon.txt dirscanoff.txt
- Anything present in the offline listing but missing from the online one is being hidden from the running system
- This won't detect non-persistent rootkits that only save themselves to disk during shutdown
RootkitRevealer

- RootkitRevealer (RKR) runs online
- RKR tries to bypass the rootkit to uncover cloaked objects (all the detectors listed do the same)
- RKR scans HKLM\Software, HKLM\System and the file system
- It performs a Windows API scan and compares it with a raw data-structure scan: the filtered Windows API omits the malware's files and keys, while the raw file system and raw Registry hive scans still contain them, so anything present in the raw scan but absent from the API scan is reported
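The cross-view technique shared by the dir/windiff recipe above and by RootkitRevealer, as an added example in Python that is not the code of either: parse two listings, one taken through the possibly filtered API view and one from a trusted view (an offline boot, or a raw parse of the file system or hive), and report the objects that only the trusted view contains. The function works on any set of object paths, so registry key paths can be fed in the same way. The listings, the hidden paths and the volatile-path list are all constructed for the example.

```python
"""Cross-view rootkit detection.

Added example (not the slides' or any named tool's code): diff a listing
obtained through the possibly filtered Windows API against one obtained from
a trusted view (offline boot, or a raw file-system / hive parse). The two
listings, the hidden paths and the volatile-path list are constructed.
"""
from typing import List, Set, Tuple

# Objects that legitimately differ between two scans and would otherwise
# produce false positives (assumed examples; extend with what your own
# scans show). Lower-case, because the listings are case-folded below.
VOLATILE_PREFIXES = (
    "c:\\pagefile.sys",
    "c:\\hiberfil.sys",
    "c:\\system volume information\\",
    "c:\\windows\\temp\\",
)


def parse_listing(text: str) -> Set[str]:
    """One full path per line, as `dir /s /b /ah` prints. NTFS paths are
    case-insensitive, so fold case before comparing the two views."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip()}


def is_volatile(path: str) -> bool:
    return path.startswith(VOLATILE_PREFIXES)


def cross_view_diff(api_view: str, trusted_view: str) -> Tuple[List[str], List[str]]:
    """Return (hidden, phantom).

    hidden:  in the trusted view but not the API view: cloaked objects.
    phantom: in the API view only: worth a look as well (objects that exist
             only in memory, or created/deleted between the two scans).
    """
    api, trusted = parse_listing(api_view), parse_listing(trusted_view)
    hidden = sorted(p for p in trusted - api if not is_volatile(p))
    phantom = sorted(p for p in api - trusted if not is_volatile(p))
    return hidden, phantom


# Constructed listings. ONLINE is what the filtered API returned on the
# running system; OFFLINE comes from the alternate-OS boot. All paths,
# including the "rk" directory, are hypothetical.
ONLINE_LISTING = """
C:\\boot.ini
C:\\pagefile.sys
C:\\Windows\\System32\\config\\SAM
C:\\Windows\\Temp\\~df1234.tmp
"""

OFFLINE_LISTING = """
C:\\boot.ini
C:\\Windows\\System32\\config\\SAM
C:\\Windows\\System32\\rk\\rk.ini
C:\\Windows\\System32\\rk\\rkdrv.sys
C:\\System Volume Information\\_restore\\RP1\\A0000001.log
"""

if __name__ == "__main__":
    hidden, phantom = cross_view_diff(ONLINE_LISTING, OFFLINE_LISTING)
    for p in hidden:
        print("HIDDEN  ", p)
    for p in phantom:
        print("PHANTOM ", p)
```

The volatile list is where the real work goes in practice: pagefiles, temp files and restore-point data change between scans, and without a curated exclusion list the diff is too noisy to act on. Conversely, every exclusion is a place a rootkit could hide, so keep the list short and review it rather than silencing it.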
Demo

- HackerDefender
  - Before and after view of the file system with HackerDefender installed
  - Detecting HackerDefender with RootkitRevealer
Dealing with Rootkits

- Unless you have specific uninstall instructions from an authoritative source: reformat the system and reinstall Windows!
- Don't rely on the “rename” functionality offered by some rootkit detectors:
  - it might not have detected all of the rootkit's components
  - the rename might not be effective