Information Security: Rootkits
Dr. Randy M. Kaplan

Rootkits: What is a Rootkit?
Been around for more than 10 years.
A kit consisting of small and useful programs that allow an attacker to maintain access to "root"; root is the user with the highest privilege.

Rootkits: What is a rootkit?
A set of programs and code that allows a permanent or consistent, undetectable presence on a computer.
The key word in this definition is "undetectable".

What Can Rootkits Do?
Rootkits can hide code on a system and hide data on a system.
Many rootkits can hide files and hide directories.

What Can Rootkits Do?
Rootkits can provide remote access, eavesdropping, and sniffing of packets from the network.

Are Rootkits Bad?
Rootkits are not inherently bad. Not always used by the bad guys. Why?
A rootkit is just a technology; its use makes it bad or good.

Rootkits: Why Do Rootkits Exist?
Rootkits are a relatively new phenomenon; spying is a very old phenomenon.
People want to see or control what other people are doing.

What are rootkits for?
Leaving a rootkit behind raises the probability of detection.

Sample Rootkit Commands
ps, help, debugint, buffertest, sniffkeys, hidedir, echo <string>, hideproc

Legitimate Uses of Rootkits
Used by law enforcement agencies to collect evidence in an advanced bugging operation.
Applies to any crime in which a computer is used.
Examples of crimes are computer trespass and creating or distributing child pornography.

How long have Rootkits been around?
Methods used in modern rootkits are the same methods used in viruses in the 1980s.
These methods include modifying system tables, modifying memory, and modifying program logic.

How long have Rootkits been around?
With the advent of Windows NT, virus writers could no longer exploit key system tables.
This caused a lapse in hard virus technology; no virus authors were using the new Windows kernel.

How long have Rootkits been around?
With the advent of the Internet, it would be dominated by UNIX servers; viruses were very uncommon for this operating system.
This time is when network worms were born.
The famous Morris Worm was a wake-up call to the profession.

Hackers in the 1990's
Hackers figure out how to exploit buffer overflows, "the nuclear bomb of all exploits".
The virus-writing community did not catch on to this approach for more than a decade.

Hackers in the 1990's
A hacker would penetrate a system, set up camp, and use a freshly compromised computer to launch new attacks.

Hackers in the 1990's
Once a hacker penetrated a system, she needed to maintain access. Thus, the first rootkits were born.
These rootkits were backdoor programs; they used very little stealth.
In some cases they replaced key system binaries with modified versions.

Hackers in the 1990's
These modified versions hide files and processes.
For example, on UNIX the program that displays directories is named ls.
Suppose a hacker replaces ls with one of their own that is specially coded to never list a file named "hacker_stuff".

Hackers in the 1990's
Any time the hacker wanted to save information, they could simply save it in a file named hacker_stuff.

Response of the Administrators
Write programs like Tripwire, which determines whether a program has been changed.
In our example a program like Tripwire could examine ls and determine it had been altered.
At that point the incursion is discovered.

The Hackers Respond (Uh-Oh)
Hackers naturally moved from the programs that were external to the operating system into the actual operating system.
This core part of the operating system is called the "kernel". (The term was coined by Orville Redenbacher; can't you hear the popping?)
The Hackers Respond (Uh-Oh)
By moving into the kernel, hackers could subvert ANY security utility on the computer at the time.
Trojan files were no longer needed; all stealth could be applied by modification of the kernel.

A Word From Orville
A kernel is a core part of an operating system. All operating systems have kernels.
The kernel includes components that manage memory, schedule processes, swap between processes, and respond to interrupts.
These fundamental functions, if changed, compromise the operating system.

How Do Rootkits Work?
Modification is a simple concept: software is designed to make specific decisions on specific data.
A rootkit modifies software so that the decisions it makes are incorrect.

Where are modifications made?
Patching, Easter Eggs, Spyware Modifications, Source-Code Modification

Where are modifications made? Patching
Executable code consists of a series of statements encoded as data bytes.
The bytes come in a very specific order. Each byte means something to the computer: an instruction or data for an instruction.

Where are modifications made? Patching
The functioning of a piece of software can be changed if the sequence of bytes is changed.
The technique is sometimes called patching, similar to the idea of placing a patch of a different color fabric on a quilt.

Where are modifications made? Patching
Byte patching is one of the major techniques used by "crackers" to remove software protections.

Where are modifications made? Easter Eggs
Software logic modifications may be built into a piece of software.
A programmer may place a backdoor in a program. The backdoor is not documented; the software has a hidden feature.

Where are modifications made? Easter Eggs
A programmer may leave something behind as a signature that they were the one who wrote the program.
Earlier versions of Microsoft Excel contained an Easter Egg that allowed a user who found it to play a Doom-like game.

Where are modifications made? Spyware Modifications
Sometimes a program will modify another program to infect it with spyware.
Spyware can track the web sites visited.
Spyware may be difficult to detect; some spyware will attach itself to a browser or program shell, making removal very difficult.

Where are modifications made? Source-Code Modification
Sometimes software is modified at the source.
A programmer can insert malicious lines of source code into a program that she authors.
This possibility caused the military to avoid using Linux.

Where are modifications made? Source-Code Modification
Open-source projects allow almost anyone, "anyone" being someone you don't know, to add code to the sources.

Where are modifications made? Source-Code Modification
For critical software like BIND, Apache, and Sendmail there is peer review of code.
Does anyone really look at every line of the code that has been written?

What a Rootkit is Not
A rootkit is not an exploit. A rootkit is not a virus.

A Rootkit is not an Exploit
The rootkit may be used in conjunction with an exploit, but the rootkit itself is a fairly straightforward set of utility programs.
The programs may use undocumented functions and methods; they typically do not depend on software bugs.

A Rootkit is not an Exploit
A rootkit is typically deployed after a successful software exploit.
Hackers have many exploits available to them; on the other hand, a hacker may only have one or two rootkit programs.

A Rootkit is not an Exploit
A rootkit is not an exploit, BUT a rootkit may employ an exploit.
A rootkit usually requires access to the kernel. One or more programs start when the system is booted.
There are only a limited number of ways to get software into the kernel.

A Rootkit is not an Exploit
For example, a component of a rootkit may masquerade as a device driver.
These methods can be detected forensically.

A Rootkit is not an Exploit
A novel way to install a rootkit is to use a software exploit.
Many software exploits allow arbitrary code or third-party software to be installed.
Imagine that there is a buffer overflow in the kernel that allows arbitrary code to be executed.

Using a Software Exploit
Kernel buffer overflows can exist in almost any device driver.
On system startup a loader program can use the buffer overflow to load a rootkit.
The loader program does not employ any documented methods for loading or registering a device driver or otherwise installing a rootkit.

Using a Software Exploit
The loader exploits the buffer overflow to install the kernel-mode parts of a rootkit.
The buffer-overflow exploit is a mechanism for loading code into the kernel.
Most people think of this as a bug; the rootkit developer may think of this as an undocumented feature.

Using a Software Exploit
Because this feature is not documented, this path to the kernel is not likely to be included as part of a forensic investigation.
More importantly, it won't be protected by a host-based firewall program.
It would take someone well versed in software engineering to discover something like this.

A Rootkit is Not a Virus
A virus program is a self-propagating automaton.
A rootkit does not make copies of itself; it does not have a mind of its own.
A rootkit is under the control of a human attacker, while a virus is not.

The Virus Problem
We know that a rootkit is not a virus, but the techniques used in a rootkit can easily be employed by a virus.
When a rootkit is combined with a virus, a very dangerous technology is born.

The Virus Problem
Understanding rootkit technology is very important for defending against viruses.
Virus programmers have been using rootkits for many years to "heat up" their viruses. A very dangerous trend.

Software Exploits
There is a strong relationship between rootkits and exploits.
A rootkit may be employed as a part of an exploit tool.
Software exploits are in great supply.

Software Exploits
A conjecture (reasonable): at any point in time there are more than 100 working exploitable holes in the latest version of Microsoft Windows (even more when a new version is released).

Software Exploits
Some software bugs are found by independent researchers. These may never be reported.
They are "deadly" because no one knows about them except the attacker. No defense against them.

Software Exploits
Many exploits have been publicly known for more than a year and are still being widely exploited today.
Even if a patch is available, most system administrators don't apply the patches in a timely fashion.
Fixing bugs in an operating system is extremely expensive, AND many bugs are not fixed for long periods of time.
If a bug is not made public, there is no incentive to correct the bug.
A company, eEye, has devised a clever way to make public serious vulnerabilities without releasing details.

Software Exploits
(eEye's site no longer looks as it was described.)
But they do offer what they call a vulnerability scanner for a single asset (one computer).

Type-Safe Languages
Programming languages that are type-safe are more secure from certain exploits.
Without type safety, program data is just a large ocean of bits.
The program can grab any arbitrary handful of bits and interpret them in limitless ways, regardless of the original purpose of the data.

Type-Safe Languages
If the string "GARY" were placed in memory, it could be used as a 32-bit integer: 0x47415259 = 1,195,463,257.

Type-Safe Languages
In a type-safe language a string like "GARY" would always be treated as a string.

Exploits - still a problem
Need for software security known for a long time. Exploits continue to be a problem.
Root of the problem is the software itself.
MOST SOFTWARE IS NOT SECURE.
MOST SOFTWARE IS IMPLEMENTED TODAY IN C and/or C++.

Exploits - still a problem
MOST SOFTWARE IS IMPLEMENTED TODAY IN C and/or C++.
C and/or C++, by their very nature, introduce severe security holes.

Offensive Rootkit Technologies
A good rootkit should be able to bypass any security measures like firewalls and intrusion-detection systems (IDSes).
Two primary types of IDSes: network-based (NIDS) and host-based (HIDS).

Offensive Rootkit Technologies
We will call all such systems HIPS: host-based intrusion protection systems.

HIPS
HIPS technology can be home-grown or bought off-the-shelf.
Blink (www.eEye.com)

HIPS
Integrity Protection Driver (IPD, Pedestal Software, www.pedastal.com). No longer exists.

Pedestal Software
This might be why.

HIPS
Entercept (www.networkassociates.com). Entercept was purchased by McAfee Associates.

HIPS
Okena StormWatch. Now Cisco Security Agent; Cisco has retired this product.

HIPS
LIDS, Linux Intrusion Detection System (www.lids.org). Does not look like it is current any longer.

HIPS
WatchGuard ServerLock, www.watchguard.com

HIPS
Open source IDSes: http://sectools.org/tag/ids/

NIDS: Network-based IDS
Also a concern for rootkit developers; a well-designed rootkit can evade a production NIDS.
In theory, statistical analysis can detect covert communication. In reality this is rarely done.
Network connections to a rootkit will likely use a covert channel hidden within innocent-looking packets.

NIDS: Network-based IDS
Important data transfer will be encrypted.

Bypassing IDS/IPS
Two types: active and passive.
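The "GARY" slides above, worked through as an added example (not from the lecture): the same four bytes read as text, as the big-endian integer the slide quotes, as the little-endian integer an x86 CPU would actually read from memory, and as a float. It goes slightly beyond the slide by showing that the numeric value depends on the byte order assumed, which is part of why an untyped reinterpretation is unpredictable. The function name and the checks are constructed for this example.

```python
import struct


def interpretations(raw):
    """Several readings of one untyped 4-byte blob; raw must be exactly 4 bytes.

    In a language without type safety nothing stops code from treating the
    bytes of a string as an integer or a float; this shows what it would get.
    """
    if len(raw) != 4:
        raise ValueError("need exactly 4 bytes, got %d" % len(raw))
    big = int.from_bytes(raw, "big")        # byte order used on the slide
    little = int.from_bytes(raw, "little")  # native order on x86, so this is what the CPU reads
    return {
        "as_text": raw.decode("ascii"),
        "as_u32_big_endian": big,
        "as_hex_big_endian": "0x%08X" % big,
        "as_u32_little_endian": little,
        "as_float32_big_endian": struct.unpack(">f", raw)[0],  # IEEE-754 single, same bits
    }


# The slide's example: "GARY" placed in memory.
GARY = interpretations(b"GARY")

if __name__ == "__main__":
    for name, value in GARY.items():
        print("%-22s %r" % (name, value))
```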