Copyright John “Four” Flynn 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Modern Incident Response: Tools and Techniques
John “Four” Flynn - GWU


Obligatory Overview Slide
• Rootkits
  • What they are
  • How they work
  • Discovery techniques
• Detecting Rootkits
• FRISK/IR
  • Best tool ever made
• No upwardly sloping charts


Rootkits
• Definition
  • Post exploitation: installed after the host is already compromised, to keep the access that was gained
  • Hide actions on the host (files, processes, registry keys, network connections)
• Why is this a threat?
  • Difficult to detect
  • Difficult to remove


A Little History
• Binary modification: early rootkits replaced system binaries such as ls, ps and netstat with trojaned copies
• Tripwire: file integrity checkers caught those replacements by comparing on-disk hashes against a known-good baseline
• Rootkit techniques moved into process memory and the kernel, where a file integrity check does not look


Rootkits
• Privilege Levels – Ring 0, 3
• Intel supports 4 levels (rings 0-3), why not use them? Windows and Linux use only ring 0 and ring 3
• Kernel Mode vs. User Mode
• Kernel mode means full write access to ALL of memory, including the kernel's own code and data structures


User Mode Rootkits
• Win32 API vs. Native API: Win32 DLLs such as kernel32.dll are wrappers around the Native API in ntdll.dll, which makes the actual system calls
• PE file format: the import table records which DLL functions a binary uses, and the loader patches their addresses into it at run time
• Import Table Hooking: overwrite one of those addresses so the application calls the rootkit's function instead


Example – User Mode Hooking
(diagram: at compile time an Application Binary references Win32 Function1() and Function2() in a Win32 API DLL, e.g. kernel32.dll; at run time the import table resolves those references to addresses. In the example, Explorer.exe's imports of the Real Functions FindFirstFile and FindNextFile are redirected to the Hooked Functions HideFirstFile and HideNextFile; the Inserted Functions call the real ones and FILTER the Results before returning them.)
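The hook in the diagram above, as an added example that is not from the talk or from FRISK: a simulated import table slot for the file enumeration call is overwritten to point at a filter that calls the real function and drops every name starting with a `_root_` prefix, and then the two checks the talk lists under detection are run against it (does the import pointer still go where the exporting module put it; do the high-level and low-level listings differ). The directory contents, the prefix, and the single-call `real_find_files` standing in for the FindFirstFile/FindNextFile pair are constructed for this example; the import table, the module and the "raw read" are simulated in portable C so it runs on any system.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
#define NAME_LEN 32

/* Constructed directory listing standing in for the file system. */
static const char *directory[] = {
    "boot.ini", "hxdef100.exe", "notepad.exe", "_root_cfg.ini", "ntldr"
};
#define DIRECTORY_COUNT ((int)(sizeof directory / sizeof directory[0]))

/* The "real" FindFirstFile/FindNextFile pair, collapsed into one call that
 * copies every entry into out and returns how many it wrote. */
static int real_find_files(char out[][NAME_LEN], int max) {
    int n = 0;
    for (int i = 0; i < DIRECTORY_COUNT && n < max; i++) {
        strncpy(out[n], directory[i], NAME_LEN - 1);
        out[n][NAME_LEN - 1] = '\0';
        n++;
    }
    return n;
}

typedef int (*find_files_fn)(char out[][NAME_LEN], int max);

/* Simulated Import Address Table: the loader fills each slot with the
 * address of the exported function and the application calls through it. */
struct iat { find_files_fn find_files; };
static struct iat app_iat = { real_find_files };

/* Rootkit's inserted function: call the real one, then drop every entry
 * whose name starts with the hide prefix (prefix chosen for this example). */
static const char *hide_prefix = "_root_";
static int hide_find_files(char out[][NAME_LEN], int max) {
    char tmp[MAX_ENTRIES][NAME_LEN];
    int n = real_find_files(tmp, MAX_ENTRIES), kept = 0;
    for (int i = 0; i < n && kept < max; i++) {
        if (strncmp(tmp[i], hide_prefix, strlen(hide_prefix)) == 0)
            continue;                     /* filtered: never reaches the app */
        strcpy(out[kept++], tmp[i]);
    }
    return kept;
}

/* Installing the hook is a single pointer write into the target's IAT. */
static void install_hook(void) { app_iat.find_files = hide_find_files; }
static void remove_hook(void)  { app_iat.find_files = real_find_files; }

/* Explorer-style consumer: only ever calls through its import table. */
static int app_list_files(char out[][NAME_LEN], int max) {
    return app_iat.find_files(out, max);
}

/* Detection 1, execution path analysis: does the import pointer still go to
 * the function the exporting module provides? A real detector checks that
 * the pointer lies inside the exporting DLL's image; the simulated module
 * exports exactly one address, so the check reduces to an equality. */
static int iat_slot_is_hooked(void) {
    return app_iat.find_files != real_find_files;
}

/* Detection 2, API diff / cross-view: list through the hookable high-level
 * path and through a low-level path that bypasses the import table, then
 * report names present only in the low-level view. Returns the count. */
static int cross_view_diff(char hidden[][NAME_LEN], int max) {
    char high[MAX_ENTRIES][NAME_LEN], low[MAX_ENTRIES][NAME_LEN];
    int nh = app_list_files(high, MAX_ENTRIES);
    int nl = real_find_files(low, MAX_ENTRIES);   /* stands in for a raw read */
    int found = 0;
    for (int i = 0; i < nl; i++) {
        int seen = 0;
        for (int j = 0; j < nh && !seen; j++)
            seen = (strcmp(low[i], high[j]) == 0);
        if (!seen && found < max)
            strcpy(hidden[found++], low[i]);
    }
    return found;
}

/* Small wrappers so each check can be run without managing buffers. */
static int visible_count(void) {
    char b[MAX_ENTRIES][NAME_LEN];
    return app_list_files(b, MAX_ENTRIES);
}
static int hidden_count(void) {
    char b[MAX_ENTRIES][NAME_LEN];
    return cross_view_diff(b, MAX_ENTRIES);
}
static int first_hidden_is(const char *name) {
    char b[MAX_ENTRIES][NAME_LEN];
    return cross_view_diff(b, MAX_ENTRIES) > 0 && strcmp(b[0], name) == 0;
}

int main(void) {
    char hidden[MAX_ENTRIES][NAME_LEN];
    install_hook();
    printf("hooked: app sees %d of %d entries, IAT slot hooked=%d\n",
           visible_count(), DIRECTORY_COUNT, iat_slot_is_hooked());
    int h = cross_view_diff(hidden, MAX_ENTRIES);
    for (int i = 0; i < h; i++) printf("hidden by filter: %s\n", hidden[i]);
    remove_hook();
    printf("unhooked: app sees %d entries\n", visible_count());
    return 0;
}
```

The cross-view check is only as good as the low-level path: if the rootkit also hooks (or lives below) whatever the "raw read" uses, both views agree and nothing shows up, which is why the talk pairs it with pointer inspection and with offline analysis.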


Obtaining Ring 0
• Exploiting the Kernel
  • Symantec FW DNS mishandling vuln – old and patched but illustrative
• Device Drivers: with administrator rights, simply load one; a driver runs in ring 0
• Other Kernel Overflows/Exploits


Kernel Mode Techniques
• System Dispatch Table Hooking: overwrite entries in the system service dispatch table so system calls reach the rootkit before the real handler
• Process Unlinking
  • Remove pointer to EPROCESS structure (unlink it from the active process list that process listings walk)
  • Process still gets CPU time! (the scheduler runs threads, not entries of that list)
• DKOM – Direct Kernel Object Manipulation (FU)
• Hoglund’s 2 bit patch
• Sky is truly the limit


Detecting Rootkits
• Execution Path Analysis
  • See where the PE Import Pointers go (each should point into the DLL that exports the function)
  • Walk the dispatch table and follow pointers (each should point into the kernel image, not into a loaded rootkit driver)
• API Diff
  • Compare Results from Win32 vs. Native API (or vs. raw reads of disk and registry structures); anything present in the low-level view but missing from the high-level one is being hidden
• Kernel Data Structure Analysis
  • Process Table
  • Kernel Dispatcher Thread Table (a scheduled thread whose owning process is absent from the process list reveals an unlinked process)
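Process unlinking and the thread-table cross-view from the two slides above, as an added example that is not from the talk: the EPROCESS list, the ETHREAD owners, the scheduler and the process ids are simplified stand-ins constructed in portable C (pid 1337 and the other values are made up). The unlink is the pointer rewrite FU performs; the scheduler stand-in shows why the process keeps running; the detection walks the thread table and reports any owner the process list no longer reaches, which is the idea behind klister's thread listing.

```c
#include <stdio.h>
#include <stddef.h>

struct list_entry { struct list_entry *flink, *blink; };

/* Stand-in for EPROCESS with only the fields this technique touches. */
struct eprocess {
    unsigned pid;
    unsigned cpu_ticks;                     /* bumped each time it is scheduled */
    struct list_entry active_process_links; /* the ActiveProcessLinks node */
};

/* Stand-in for ETHREAD: what the dispatcher actually schedules; each one
 * points straight at its owning process, never via the process list. */
struct ethread { unsigned tid; struct eprocess *owner; };

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))
#define PROCESS_OF(entry) CONTAINING_RECORD(entry, struct eprocess, active_process_links)

/* PsActiveProcessHead: circular, doubly linked, starts empty. */
static struct list_entry ps_active_process_head =
    { &ps_active_process_head, &ps_active_process_head };

static void insert_tail(struct list_entry *head, struct list_entry *e) {
    e->flink = head; e->blink = head->blink;
    head->blink->flink = e; head->blink = e;
}

/* FU-style unlink: the neighbours point past the node, and the node points
 * at itself so a later walk or removal through it does not fault. */
static void dkom_unlink(struct eprocess *p) {
    struct list_entry *e = &p->active_process_links;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = e;
}

/* What Task Manager sees: a walk of the list. Returns the process count. */
static int list_processes(unsigned pids[], int max) {
    int n = 0;
    for (struct list_entry *e = ps_active_process_head.flink;
         e != &ps_active_process_head; e = e->flink, n++)
        if (n < max) pids[n] = PROCESS_OF(e)->pid;
    return n;
}

static int process_is_listed(const struct eprocess *p) {
    for (struct list_entry *e = ps_active_process_head.flink;
         e != &ps_active_process_head; e = e->flink)
        if (PROCESS_OF(e) == p) return 1;
    return 0;
}

/* The scheduler runs threads and never consults the process list, which is
 * why an unlinked process keeps receiving CPU time. */
static void scheduler_tick(struct ethread *threads, int n) {
    for (int i = 0; i < n; i++) threads[i].owner->cpu_ticks++;
}

/* Cross-view detection: every thread the dispatcher knows has an owner; an
 * owner the process list cannot reach has been unlinked. Returns the count. */
static int find_hidden_processes(struct ethread *threads, int n,
                                 unsigned hidden_pids[], int max) {
    int found = 0;
    for (int i = 0; i < n; i++) {
        struct eprocess *o = threads[i].owner;
        if (process_is_listed(o)) continue;
        int dup = 0;
        for (int j = 0; j < found; j++) if (hidden_pids[j] == o->pid) dup = 1;
        if (!dup && found < max) hidden_pids[found++] = o->pid;
    }
    return found;
}

/* Constructed sample system: three processes, four threads; pid 1337 is the
 * one the rootkit will hide. */
static struct eprocess procs[3] = { {4, 0}, {1024, 0}, {1337, 0} };
static struct ethread threads[4] = {
    {8, &procs[0]}, {1028, &procs[1]}, {1340, &procs[2]}, {1344, &procs[2]}
};
static int built = 0;
static void build_system(void) {
    if (built) return;
    for (int i = 0; i < 3; i++)
        insert_tail(&ps_active_process_head, &procs[i].active_process_links);
    built = 1;
}

/* Wrappers that run each view against the sample system. */
static int visible_process_count(void) { unsigned b[8]; build_system(); return list_processes(b, 8); }
static int hidden_process_count(void) { unsigned b[8]; build_system(); return find_hidden_processes(threads, 4, b, 8); }
static unsigned first_hidden_pid(void) { unsigned b[8]; build_system(); return find_hidden_processes(threads, 4, b, 8) ? b[0] : 0; }
static void hide_backdoor(void) { build_system(); dkom_unlink(&procs[2]); }
/* One scheduler round, then the hidden process's tick count. */
static unsigned backdoor_ticks(void) { build_system(); scheduler_tick(threads, 4); return procs[2].cpu_ticks; }

int main(void) {
    printf("before: %d listed, %d hidden\n", visible_process_count(), hidden_process_count());
    hide_backdoor();
    printf("after unlink: %d listed, %d hidden (pid %u), still scheduled: ticks=%u\n",
           visible_process_count(), hidden_process_count(), first_hidden_pid(), backdoor_ticks());
    return 0;
}
```

The detector only works because it reads a structure the rootkit did not alter; a rootkit that also unlinks its threads from the dispatcher's lists, or that patches the detector's own reads, defeats this particular cross-view, which is the "infinite possibilities" point the next slides make.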


I Lied: Upward Sloping Chart
(chart: “Number of people asleep in this talk”, 0 to 60, on the y-axis against “Time (Minutes)”, 5 to 60, on the x-axis)


A losing battle?
• Intrinsic Problem: Full Memory Write Access = Infinite possibilities
• Live response vs offline analysis
  • Offline Analysis will catch all of these threats (the disk is imaged and examined from a clean system, so the rootkit's hooks never run)
  • Offline analysis is expensive
• So is doing incident response worth it?


Incident Response in Higher-Ed
• Small number of security staff
• Relatively high number of incidents due to “open network” policies
• Distributed support network
• Massive number of endpoints
• Sound Familiar?


The Solution: FRISK/IR
• Flexible HTML template-driven output system
• Secure uploading of results to a central location
• Robust plugin architecture
• Forensically Sound and Automated
• Open Source, Perl Based, Clean Design
• Perform Response on Critical Systems Quickly


FRISK: Secure Uploads
• HARD problem
• Assume credentials can be stolen: the upload credentials are used on a host that is presumed compromised, so treat them as exposed
• Authenticated SSL upload communication with a CGI script
• View data with a different set of credentials, so an attacker who recovers the upload credentials can add results but cannot read what was collected from other systems


FRISK - Plugins
• Perl Based
• OS Aware
• Can call a 3rd party binary or perform operations directly in Perl
• Hope to start a Nessus-style update system


FRISK/IR
• Forensically Sound
  • Never touches disk on local system (results go to the central server, not to the local disk; like any live response it still executes on the host and alters its memory)
  • Can be run from read-only media (CD-ROM)
• Plugin System
  • Easy to write and add new plugins
  • Full Perl!
  • Automatic Update… (soon)


Rootkit detection
• VICE: Execution Path Analysis
• RootkitRevealer: Win32 API vs Raw Reads (registry/file system)
• Klister: Lists Threads used by Kernel Dispatcher
• Blacklight
• Rkdetector
• Strider Ghostbuster: offline vs. online diff
• FHS – Find Hidden Service
• Unhackme
• Others…


Conclusions
• While live response is imperfect, it is often our first and most important line of defense
• Thanks for your attention!
• Please help me make FRISK even better!


References/Links
• FRISK: www.sourceforge.net/projects/frisk
• www.rootkit.com
• Barnaby Jack (eEye), “Step into the Ring 0”
• Greg Hoglund, Exploiting Software
• James Butler, misc. papers
• Holy Father, papers on hxdef etc.