White Paper
Root Out Rootkits
An inside look at McAfee® Deep Defender
Table of Contents
Rootkits: Rotten Code in the Core
  Rootkits cloak and disable defenses
  Designed to conceal a payload
  Meet Koutodoor and TDSS
Rootkits Dodge Detection
Win at Rootkit Limbo
  McAfee Deep Defender with McAfee DeepSAFE take out kernel-mode malware
  Updates the cloud
  McAfee VirusScan Enterprise can remove related malware
Inside the Detection and Scanning Functions
  Real-time visibility into memory
Scenarios
  Clean installation
  A phishing attack
  A rootkit in residence
Conclusion
McAfee Labs has identified:
• More than 2.8 million unique rootkits
• 180,000 new rootkits each quarter
• 2,000 new rootkits per day
Researchers discover an average of 2,000 rootkits each day, according to McAfee® Labs™. Rootkits are an increasingly common form of malware built explicitly to hide malicious code. Once installed, a rootkit conceals itself and looks innocent to traditional file-based scans. The longer it stays hidden, the more damage the rootkit can do, especially when rootkits conceal secondary malware components, a common line of attack.
To prevent the rootkit from installing and cloaking itself and related malware, McAfee has invented endpoint detection more sophisticated than malware signatures and operating-system-level heuristics. This paper describes how McAfee Deep Defender moves endpoint security beyond the operating system. McAfee Deep Defender gets hardware assistance from Intel and uses a privileged early load position to uncloak, block, and remove the kernel-mode activities of stealthy rootkits. Once McAfee Deep Defender has neutralized the rootkit, any malicious user-mode payload the rootkit was concealing lies exposed for detection and cleanup by the traditional file-based scanning of McAfee VirusScan® Enterprise software. Both products interact with McAfee Global Threat Intelligence™ to minimize time to protection for the system and other potential targets.
Rootkits: Rotten Code in the Core
Rootkits may seem like just another type of malware—another virus, Trojan, or worm—but they can be far more dangerous. Two characteristics—the concealment enabled by low-level operation and their role in hiding complex threats—distinguish rootkits from the traditional malicious code that we expect file-based antivirus and host intrusion prevention systems to catch.
Rootkits cloak and disable defenses
The most distinctive attribute of a rootkit is its ability to conceal its presence. There are two types of rootkits: user mode and kernel mode. Kernel-mode rootkits are the hardest to detect and clean because they lie deep inside the operating system. They load before most boot or other drivers and before traditional user-mode-level protections. Kernel-mode rootkits use this early load position to hide their presence by manipulating the kernel, memory, and other system elements. These rootkits can control basic computing functions, so in addition to hiding their own existence, they can:
• Disable protections (including antivirus)
• Reinfect if they are removed
• Conceal other code, such as a payload within the rootkit or separate elements of the attack
• Deny read/write access to rootkit files to block removal [1]
“Rootkits can target any system, from database servers to point-of-sale terminals, from mobile phones to automobile electronics. Because rootkits can operate within and below the operating system, they can disguise or conceal the files, processes, and registry keys touched by other malware. These traits make rootkits a vital component of multistage threat operations.”
—Dave Marcus and Thom Sawicki, The New Reality of Stealth Crimeware
“Modern rootkits do not elevate access, but instead are used to make another typically malicious software payload undetectable by adding stealth capabilities. The payload might covertly steal user passwords, credit card information, or computing resources, or conduct other unauthorized activities. Due to the stealthy nature of this malicious activity, the attack may go unnoticed for an extended length of time, perhaps years.”
—Jason Brown, McAfee Deep Defender Best Practices Guide [3]
Designed to conceal a payload
A rootkit can make system changes or create system policies that compromise security. Using these tactics, the rootkit’s primary job is to conceal other malware, malicious payloads in the form of viruses, Trojans, or worms, until the time is right for attack. That’s why rootkits are a preferred tool in stealthy threats like Stuxnet or Necurs. [2] The low-level control of the rootkit allows it to cloak the presence of that secondary malware, hiding it from traditional operating system (OS) and application-level security products. Often, the attacker applies creativity to building the rootkit and then leverages off-the-shelf malware payloads for the rest of the crime: data theft, keylogging, and reconnaissance. Both parts of the attacker’s task have become easier with malware toolkits that rival commercial development tools. When user-mode and kernel-mode rootkits are used together, an attacker leverages kernel-level access to disguise the attack and user-level functionality to manipulate the system, resulting in a sophisticated and essentially invisible attack.
Meet Koutodoor and TDSS
While a few attacks—like Stuxnet and its derivative, Duqu—received widespread news attention, other rootkit families like Koutodoor and TDSS have had greater impact with less fanfare. The Koutodoor progeny represent 21 percent of the rootkit zoo. [4] In the case of Koutodoor, cybercoders have been perfecting this brainchild since 2007. [5]
Koutodoor operates in several stages:
• Installs a Trojan (as a rootkit)
• Installs secondary malware from its download sites
• Secondary malware sends traffic to specific URLs, generating “clicks” on banner ads and web counters
This sequence drives revenue based on the pay-per-click Internet business model. By installing the rootkit on infected systems, the criminals boost click-through income without having too many clicks originate from the same address. [6]
Koutodoor has many clever attributes. It uses polymorphic droppers to avoid recognition and changes a function value and read-write privileges to deny file access and persist on infected systems. Also, it changes its file name at every boot. Like many rootkits, it can prevent the launch of legitimate programs, including antivirus. Its ingenuities seem endless: it adds 11 files to the system, changes the timestamp, adds and removes six files (one mysteriously labeled dogkiller.exe), and creates or changes several dozen registry elements. [7, 8]
All of these actions are designed to conceal the presence or ensure the survival of the rootkit on the host. As long as the rootkit can conceal the various Koutodoor files, the attack remains active.
Modern Cyberwarfare
“Some of today’s tools work against some of today’s rootkits. Tools like virus scanners and host intrusion prevention systems operate at the operating system and above. They can examine memory and monitor user-mode privileges to detect and remediate the relatively high-level, user-mode rootkits. However, stealth techniques that operate at the kernel level and below fly underneath the radar of traditional operating system, vulnerability, and virus scanning tools. Kernel-mode rootkits have system-level privileges, so they are harder to detect and repair.
Stuxnet and Zeus demonstrate how much more sophisticated cybercrime is today compared to just a few years ago.
The Stuxnet attack appears to have been designed to disrupt industrial control systems within Iranian nuclear programs. Stuxnet used both user- and kernel-mode rootkits, plus a rootkit within the programmable logic controller (PLC), a usage not previously seen in the wild. The user and kernel-mode rootkits hid files and decrypted and injected code in running processes. The spring 2010 version of the kernel-mode rootkit included stolen signed device drivers, so that the rootkit looked like legitimate code.”
—The New Reality of Stealth Crimeware, www.mcafee.com/stealthcrimeware
Rootkits Dodge Detection
Many user-mode rootkits and the increasing number of kernel-mode rootkits go undetected by traditional file-based tools like antivirus and intrusion prevention systems (IPS). Detection requires low-level instrumentation and active system monitoring actions below and within the kernel level of the operating system that are not part of standard antivirus and IPS tools.
If and when rootkits are detected, cleanup is messy. Since the rootkit likely acted to replicate itself and hide other malicious components, system administrators must become or bring in forensic investigators to understand the complete attack sequence and find and remove any other attack components, particularly data-stealing malware. For many, the easiest and safest remediation is a complete re-image with a productivity tax of an average of 10 hours per system. [9] Without a reimage, the rootkit may just reinstall itself from another part of the system and repeat the cloaking effort on the malware, or contact its command and control center to reinitiate the attack sequence.
Another rootkit, TDSS, represents more than 37 percent of the rootkit zoo and shows how adeptly rootkit families evolve to stay ahead of antivirus tools. For example, a recent incarnation infected the Master Boot Record to load ahead of other drivers and all antivirus solutions, allowing it to disable antivirus and operating system protections, debuggers, and other tools. TDSS also infects existing files as a parasite. It creates and maintains an encrypted file system where it will store its payload. Password stealers and other threats stored in the rootkit’s vault are undetectable by on-access scanners; they are off the grid. [10]
In addition, some rootkits will hook, or intercept, function tables to disguise themselves. For example, the system service dispatch table (SSDT) is an internal dispatch table within Microsoft Windows that houses core OS functions. When a rootkit hooks this table, it can conceal itself and related components by providing fake memory values to any code in search of a pointer. Hooking of this table allows a rootkit to “stealth” anything, from files and folders to processes to parts of the registry.
Win at Rootkit Limbo [11]
Through a development partnership with Intel, McAfee has created a new tier of security products that acts beyond the operating system. The first of these, McAfee® Deep Defender, can monitor and control functions low in the system stack, revealing and then disabling rootkits in the kernel. Unlike static scanning tools that need to be told to run, McAfee Deep Defender sits inline, monitoring and evaluating kernel events in real time. When it sees suspicious or malicious events, it can block them and, if you choose, remediate malicious code within the kernel.
McAfee Deep Defender works in conjunction with McAfee VirusScan Enterprise software. While McAfee Deep Defender drives effective, real-time protection into the kernel itself to fight rootkits, McAfee VirusScan Enterprise detects and remediates other kinds of malware at the user level using both signature-based and real-time, cloud-based malware systems. The two products should be used together to detect and clean up rootkits and their companion files throughout the software stack, as well as unstealthy malware in the user and application levels.
McAfee Deep Defender with McAfee DeepSAFE take out kernel-mode malware
McAfee Deep Defender is the first product built with McAfee DeepSAFE™ technology, an advanced integration of Intel hardware and McAfee security expertise. McAfee DeepSAFE technology provides real-time memory monitoring via hardware features in the Intel Core i3, i5, and i7 processors. Specifically, McAfee DeepSAFE uses the Intel Virtualization Technology, or VT-x, to get an unfettered view of system memory. Leveraging McAfee DeepSAFE, McAfee Deep Defender has a great, unprecedented vantage point to witness and selectively intervene in the flow of events in the lowest levels of the operating system.
If a rootkit or other stealth malware is active, McAfee DeepSAFE will catch its attempt to load into memory and alert the McAfee Deep Defender agent. McAfee Deep Defender identifies peculiar actions at kernel memory locations and makes the connection between these suspicious memory I/O events and other threats on the disk. McAfee Deep Defender can then unload or blacklist these malicious or infected drivers to render them useless.
[Figure 1 layers, top to bottom: Applications (AV, HIPS, Other Protection); Operating System (McAfee Deep Defender); McAfee DeepSAFE; CPU (Intel® Core™ i3, i5, i7)]
Figure 1. McAfee DeepSAFE technology provides low-level monitoring to enable rootkit detection and removal.
Updates the cloud
Since it is monitoring memory activity and triggering on suspicious behavior, McAfee Deep Defender will detect zero-day malware. To alert other systems to a zero-day rootkit, McAfee Deep Defender will transmit telemetry data to the McAfee Global Threat Intelligence™ (McAfee GTI™) cloud. The data it communicates—a hash of the blacklisted driver that attempts to load and its metadata, such as file size, path name, service name, digital signature information, and file fingerprint—informs McAfee research and analysis. The telemetry data will be converted into cloud-based protection, as well as a .DAT signature. The .DAT signature can be used by McAfee VirusScan Enterprise software on any system—even those without McAfee DeepSAFE or McAfee Deep Defender—to protect against installation of that rootkit on those systems. McAfee GTI-enabled products benefit second-hand from this hardware-assisted security, gaining more accurate detection. [12]
McAfee VirusScan Enterprise can remove related malware
Once the kernel-mode rootkit is exposed and removed, any user-mode malware it has been hiding becomes visible. McAfee VirusScan Enterprise software may detect it upon the next scan if it is a known virus, Trojan, worm, or other malware. If the revealed malware is not yet known (does not yet have a .DAT signature), McAfee VirusScan Enterprise software may consult the McAfee GTI file reputation service for a risk assessment of the suspicious file. If McAfee GTI confirms the file as a threat, McAfee VirusScan Enterprise will block and clean the malware.
Inside the Detection and Scanning Functions
McAfee DeepSAFE, McAfee Deep Defender, and McAfee VirusScan Enterprise components all perform scanning, but each scan is a bit different. The resources, access, and characteristics of the level in which they operate determine the types of scans and remediations they perform. For example, the lowest-level McAfee DeepSAFE component lives in the limited world of kernel operations. It has lightweight logic focused entirely on memory access—what’s normal and what’s anomalous. It has the power to block drivers from loading and suspend kernel threats. For the actual removal of the code, it passes the information it has gleaned about the driver’s misbehavior up the stack to the McAfee Deep Defender agent.
The McAfee Deep Defender agent has more resources (both time and compute) to perform more robust analysis. It receives the information from McAfee DeepSAFE and considers its implications. The McAfee Deep Defender agent has a focused set of antivirus content that looks at file, registry, stealth memory, and process scanning techniques. If its analysis identifies a rootkit family, it can initiate additional scanning and remediation.
Real-time visibility into memory
Through real-time insight into both memory accesses and the interactions of malicious code, McAfee Deep Defender can perform rich, subtle detection and remediation that is unlike the file-oriented scanning of traditional antivirus. The visibility into memory and kernel-level events also gives McAfee Deep Defender more information than that available to intrusion prevention systems.
A few other things differentiate McAfee Deep Defender from traditional user-mode security tools.
• An on-demand scan will only detect when it is run, either manually or as part of a scheduled task. If a malicious rootkit has already been installed, the rootkit has had time to cloak itself and replicate or activate its self-healing regimes before the scan gets a chance to find it.
• Traditional tools are visible to rootkits. They can be manipulated by rootkits, for example, by deactivating the antivirus driver.
• The first driver to load wins. Via McAfee DeepSAFE, the McAfee Deep Defender driver always loads first.
Scenarios
To highlight the technical magic in McAfee Deep Defender, let’s walk through a few use cases: a clean laptop and an infected system. First, you will install McAfee Deep Defender on a laptop with an Intel i3/i5/i7 CPU with VT-x enabled. The system is already running McAfee VirusScan Enterprise (VSE) and a McAfee ePolicy Orchestrator® (McAfee ePO™) agent.
Clean installation
McAfee Deep Defender uses the same McAfee ePO policy and agent infrastructure as McAfee VirusScan Enterprise. To deploy, you just check in a new McAfee ePO package, and the McAfee agent will pull it down to the endpoints. McAfee DeepSAFE technology is included in the same McAfee ePO package. McAfee Deep Defender gains low-level visibility through two McAfee DeepSAFE components: the McAfee DeepSAFE memory layer and the McAfee DeepSAFE loader/in-band agent. Once you have installed the McAfee Deep Defender package, either locally or over the network, you reboot the system.
Figure 2. McAfee Deep Defender installation and initial execution after first boot.
1. The system’s OS loader begins initialization of the Microsoft Windows operating system. Boot drivers begin to load. The first of these is the McAfee DeepSAFE loader/in-band agent. This agent contains lightweight detection logic that analyzes activity, notes when a driver is behaving suspiciously, and exposes any rootkits. We use multiple methods to ensure that the McAfee driver always loads first. For example, rootkits often alter registry keys. McAfee locks the specific registry keys used to change load order, so our agent will always load ahead of other code. This guaranteed early load process ensures that McAfee DeepSAFE can monitor and inspect each driver loaded after it and prevents other drivers from compromising the McAfee DeepSAFE agent.
NOTE: With this load position and memory monitoring, we can see a kernel-mode driver attempting to make a memory change and act before anything bad happens. Other security systems that load later, after the driver or higher in the stack, would only see what the malicious driver wanted them to see—the altered reality created by the rootkit’s manipulation of memory. Instead, we see the attempt to alter memory and can act before any change is made. McAfee does not need to have prior knowledge (a signature or pattern) of the rootkit. We catch it trying to do its job. This gives you true zero-day detection.
2. Next, other standard drivers, including the McAfee VirusScan driver, load. Other McAfee products, such as McAfee SiteAdvisor® and McAfee Host Intrusion Prevention, have drivers loading in this space as well.
3. User-level services and applications start to load, including the McAfee Deep Defender agent. This agent contains the higher-end, heavier-weight logic of remediation and removal. Where the lightweight logic in the kernel-mode McAfee DeepSAFE loader/agent will detect a malicious driver, the heavyweight rules in McAfee Deep Defender pinpoint other components involved in the attack.
A phishing attack
That’s the overview of where the McAfee components live in the system and what they do. Now, let’s put them to work detecting unknown rootkits on the fly. Today, the user of this machine gets a phishing email with a compelling offer to attend an industry seminar for free if they sign up through a special website. The value-conscious user clicks through to the link, and a rootkit Trojan downloads in the background as the user is filling out the form.
Normally, the rootkit would attempt to hide in the kernel as a boot driver. However, this time, McAfee DeepSAFE catches the rootkit’s attempt to load into memory. The McAfee DeepSAFE component alerts the McAfee Deep Defender agent, which blocks and remediates the rootkit. Here’s how it works:
Figure 3. McAfee Deep Defender operation during malicious attack.
1. A new kernel driver (mal.sys) loads. At this point, the driver has not been classified as good (and therefore not whitelisted) or bad (and also not blacklisted) and so is classified as unknown by the McAfee DeepSAFE loader/agent.
2. Mal.sys behaves suspiciously by attempting to load the interrupt descriptor table (IDT) at a new address. This operation is normally something only the OS would attempt to perform. Alternatively, the driver may try to patch the SSDT, a construct we described earlier.
3. Since the mal.sys driver is classified as unknown, McAfee Deep Defender blocks the attempted load of the IDT, blacklists the driver, and generates an event as a result of the attempted action.
4. The event is escalated to heavyweight rules (HWRs) for processing by the McAfee Deep Defender agent when the system enters user mode. The HWRs use more complex detection and removal logic to clean mal.sys; this part of McAfee Deep Defender has the capability of quarantining the file, for example. In this case, the HWRs prompt the system to reboot in order to eject the malware driver. After reboot, the malware driver attempts to load, but it is denied by the blacklist. This denial triggers a rescan of the kernel driver.
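As an added illustration (not McAfee code and not a description of DeepSAFE internals), the following Python simulation replays the four steps above as a small policy engine: an unknown driver's write into the IDT or SSDT region is blocked and the driver is blacklisted, an event carrying the telemetry fields listed under "Updates the cloud" is escalated, and the driver's next load attempt is denied and triggers a rescan. Everything except the name mal.sys and the IDT/SSDT targets is a constructed assumption: the addresses, the trusted.sys driver, the SHA-256 fingerprint as the whitelist/blacklist key, and the choice to let a whitelisted driver write protected structures.

```python
import hashlib
from dataclasses import dataclass

# Kernel structures the paper names as rootkit targets (IDT and SSDT).
# Addresses and sizes are constructed placeholders for this simulation.
PROTECTED = {"IDT": (0xFFFFF80000010000, 0x1000),
             "SSDT": (0xFFFFF80000020000, 0x1000)}


@dataclass(frozen=True)
class Driver:
    name: str
    path: str
    image: bytes          # constructed driver bytes; only hashed here
    service: str = ""
    signed: bool = False

    def fingerprint(self) -> str:
        return hashlib.sha256(self.image).hexdigest()


class MemoryMonitor:
    """Lightweight logic of a simulated in-band agent: classify drivers,
    watch writes to protected structures, escalate to heavyweight rules."""

    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)   # fingerprints of known-good drivers
        self.blacklist = set()            # fingerprints denied at next load
        self.escalated = []               # telemetry handed to user-mode rules
        self.rescan_requested = False

    def classify(self, drv: Driver) -> str:
        fp = drv.fingerprint()
        if fp in self.blacklist:
            return "blacklisted"
        if fp in self.whitelist:
            return "whitelisted"
        return "unknown"                  # step 1: neither good nor bad yet

    def on_load(self, drv: Driver) -> str:
        if self.classify(drv) == "blacklisted":
            self.rescan_requested = True  # step 4: the denial triggers a rescan
            return "deny_load"
        return "allow"                    # loads, but every write is watched

    def on_mem_write(self, drv: Driver, address: int) -> str:
        target = next((n for n, (base, size) in PROTECTED.items()
                       if base <= address < base + size), None)
        if target is None or self.classify(drv) == "whitelisted":
            return "allow"
        # Steps 2-3: an unknown driver touching the IDT or SSDT is blocked,
        # blacklisted, and an event carrying the paper's telemetry fields
        # (hash, size, path, service name, signature info) is raised.
        self.blacklist.add(drv.fingerprint())
        self.escalated.append({
            "driver": drv.name, "target": target, "path": drv.path,
            "size": len(drv.image), "service": drv.service,
            "signed": drv.signed, "sha256": drv.fingerprint(),
        })
        return "block"


def phishing_scenario():
    """Replays Figure 3: unknown mal.sys relocates the IDT, is blocked and
    blacklisted; after the simulated reboot its load attempt is denied."""
    trusted = Driver("trusted.sys", r"C:\Windows\System32\drivers\trusted.sys",
                     b"constructed known-good driver", "trusted", signed=True)
    mal = Driver("mal.sys", r"C:\Windows\System32\drivers\mal.sys",
                 b"constructed malicious driver", "mal")
    mon = MemoryMonitor(whitelist={trusted.fingerprint()})
    verdicts = [mon.on_load(mal),                                   # step 1
                mon.on_mem_write(mal, PROTECTED["IDT"][0] + 0x10),  # steps 2-3
                mon.on_mem_write(trusted, PROTECTED["SSDT"][0]),    # whitelisted
                mon.on_load(mal)]                                   # step 4
    return verdicts, mon   # verdicts -> ['allow', 'block', 'allow', 'deny_load']
```

The same classify/block/escalate flow is what the "rootkit in residence" scenario below exercises at boot time, with the memory layer relaying the write to the loader/agent instead of the agent observing it directly.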
A rootkit in residence
Alternatively, you might install McAfee Deep Defender on a system already infected with one or more rootkits. In the example below, you have two classes of rootkits, “boot driver rootkits” and rootkits that are just standard kernel-mode drivers. The latter category is the most common.
With rootkits already in residence, we install McAfee Deep Defender using McAfee ePO software as before. When we reboot, our boot sequence starts out the same, but McAfee Deep Defender protection kicks in during the startup process, and McAfee VirusScan Enterprise helps with remediation:
Figure 4. McAfee Deep Defender detecting and cleaning an existing rootkit.
1. As the system initializes, the first component of McAfee DeepSAFE becomes active in the memory layer.
2. The system’s OS loader begins initialization of the Windows operating system.
3. Boot drivers begin to load, starting with the McAfee DeepSAFE loader/agent.
4. The remaining boot drivers load. A driver attempts to modify the kernel, and the McAfee DeepSAFE memory component (from step 1) sees the action and relays the attempt to the McAfee DeepSAFE loader/agent (from step 3). The McAfee DeepSAFE agent will process its activity against its lightweight detection logic. If we identify the memory access as malware, the McAfee DeepSAFE loader/agent will block the malicious boot driver’s activities. The rootkit will be neutralized, but it won’t yet be gone from the system.
5. Windows loads the other standard drivers, including the McAfee VirusScan driver. McAfee DeepSAFE detects another attempt to modify the kernel and, as before, tells the McAfee DeepSAFE loader/agent to step in and block that malicious code. Note: The antivirus driver—or other security drivers in this level such as the IPS or SiteAdvisor driver—could load before the malicious driver, but they wouldn’t see anything wrong unless the driver happened to exhibit known bad behavior (something detected by the product’s heuristic file or behavior identification). Any new, or zero-day, behavior would go unnoticed. Only McAfee DeepSAFE technology provides the real-time visibility into rootkit kernel memory accesses.
6. As before, the user-level services and applications start to load, including the McAfee Deep Defender agent.
7. The McAfee Deep Defender agent removes both malicious driver rootkits.
8. Once the kernel-mode code that provided camouflage is gone, the malware it was hiding becomes visible. The next time the malicious file is accessed or executed, if the malware is known, a McAfee VirusScan Enterprise on-access scan will detect and clean it, or it will be detected at the next scheduled scan. If the malware is unknown but suspicious, McAfee VirusScan Enterprise will use McAfee GTI lookups and potentially identify and clean this non-rootkit malware.
Conclusion
Rootkits represent just the latest escalation in the decades-long battle between malware developers and security researchers. By inserting previously unavailable monitoring and control operations within the kernel, McAfee Deep Defender offers enterprises a way to fight back against these stealthy attacks. McAfee Deep Defender works alongside other host protections and within the familiar McAfee ePO management to make it easy to layer in a new baseline of protection.
This solution leverages Intel hardware capabilities to provide the strongest McAfee software protection for the system—protection that goes beyond the operating system. Unlike static scans and user-mode protections, McAfee Deep Defender monitors memory operations in real time, stopping unknown, zero-day infections before they have a chance to do damage. If the rootkit has been concealing secondary malware, that malware will be revealed for cleanup by user-level protections like McAfee VirusScan Enterprise.
McAfee Deep Defender, built on McAfee DeepSAFE technology, provides must-have protection for endpoints on the front line. It can free your system of rootkits and related payloads so multistage attacks never get past the first contact. Learn more at www.mcafee.com/deepdefender and www.mcafee.com/deepsafe.
About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. http://www.mcafee.com
2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com
Notes
1. “Predicting the Future of Stealth Attacks,” Virus Bulletin, October 2011, Kapoor and Mathur.
2. http://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide
3. Contact your sales representative for access to this resource.
4. McAfee Labs.
5. “Predicting the Future of Stealth Attacks,” Virus Bulletin, October 2011, Kapoor and Mathur.
6. http://www.eset.eu/encyclopaedia/win32-koutodoor-hm-trojan-e-backdoor-cep-gen-cq?lng=en
7. “Predicting the Future of Stealth Attacks,” Virus Bulletin, October 2011, Kapoor and Mathur.
8. http://home.mcafee.com/virusinfo/virusprofile.aspx?key=568093#none
9. Costs average five hours for each IT administrator and user per system reimaged (10 hours total), for an approximate cost per endpoint of $585; at a 5,000-node company, a 1 percent infection rate would equate to $30,000 in cleanup costs.
10. “Predicting the Future of Stealth Attacks,” Virus Bulletin, October 2011, Kapoor and Mathur.
11. The traditional party game where the winner is the person that gets lowest to the ground: http://www.partycity.com/product/inflatable+cactus+limbo+game.do
12. Find out how to activate McAfee GTI in your McAfee product at https://kc.mcafee.com/corporate/index?page=content&id=KB70130
McAfee, the McAfee logo, McAfee DeepSAFE, McAfee Global Threat Intelligence, McAfee GTI, McAfee Labs, ePolicy Orchestrator, McAfee ePO, SiteAdvisor, and VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2012 McAfee, Inc. 45703wp_rootkits_0512_fnl_ETMG