Hidden Rootkits in Windows

1
Hidden Rootkits in Windows
Prepared by CMS Consulting Inc. Confidential
CMS Consulting Inc.
Presented by Brian Bourne, CISSP, MCSESecurity
2
DISCLAIMER

• The contents of this presentation are the
  property of CMS Consulting Inc. No portion, in
  whole or in part can be used without the express
  written consent of CMS. You may email
  brian_at_cms.ca for permission to re-post or re-use
  any of this content.

3
CMS Consulting Inc.
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange -
SMS - ISA MOM - Clustering - Office Desktop
Deployment - SQL Terminal Services - Security
Assessments - Lockdown Wireless Training by
Experts for Experts MS Infrastructure Security
- Vista and Office Deployment Visit us online
www.cms.ca Downloads Resources White Papers
For Security Solutions For Advanced
Infrastructure For Network Solutions For
Information Worker
4
AGENDA

• What is a rootkit?
• Kernal mode vs user mode
• Popular and New rootkits
• History of Rootkits
• What can they hide
• DEMO Hacker Defender Anatomy 101
• How they hide and go undetected
• DEMO - Hacker Defender In Action!
• DEMO Covert Channels
• DEMO FUTo
• Detection, Protection and Removal
• DEMO Detection
• Hardware Virtualization Rootkits
• Vista
• Trends

5
Overview
What is a rootkit?

• A root kit is a set of tools used by an intruder
  after cracking a computer system. These tools can
  help the attacker maintain his or her access to
  the system and use it for malicious purposes.
  Root kits exist for a variety of operating
  systems such as Linux, Solaris, and versions of
  Microsoft Windows
• Reference http//en.wikipedia.org/wiki/Rootkit

6
Types of rootkits 1 of 3

• Persistent RootkitsA persistent rootkit is one
  associated with malware that activates each time
  the system boots. Because such malware contain
  code that must be executed automatically each
  system start or when a user logs in, they must
  store code in a persistent store, such as the
  Registry or file system, and configure a method
  by which the code executes without user
  intervention.
• Memory-Based RootkitsMemory-based rootkits are
  malware that has no persistent code and therefore
  does not survive a reboot.

7
Types of rootkits 2 of 3

• User-mode RootkitsThere are many methods by
  which rootkits attempt to evade detection.
  Example
• a user-mode rootkit might intercept all calls to
  the Windows FindFirstFile/FindNextFile APIs,
  which are used by file system exploration
  utilities, including Explorer and the command
  prompt, to enumerate the contents of file system
  directories.
• When an application performs a directory listing
  that would otherwise return results that contain
  entries identifying the files associated with the
  rootkit, the rootkit intercepts and modifies the
  output to remove the entries.

8
Types of rootkits 3 of 3

• Kernel-mode RootkitsKernel-mode rootkits can be
  even more powerful since, not only can they
  intercept the native API in kernel-mode, but they
  can also directly manipulate kernel-mode data
  structures. A common technique for hiding the
  presence of a malware process is to remove the
  process from the kernel's list of active
  processes. Since process management APIs rely on
  the contents of the list, the malware process
  will not display in process management tools like
  Task Manager or Process Explorer.
• Reference http//www.sysinternals.com

9
Windows Architecture
10
History of Rootkits
Reference http//www.phrack.org/archives/63/p63-0
x08_Raising_The_Bar_For_Windows_Rootkit_Detection.
txt
11
Popular Rootkits

• AFX Rootkit 2005
• FU
• Hacker Defender
• HE4Hook
• NT Root

• NTFSHider
• NTIllusion
• Vanquish
• Winlogon Hijack

12
New Rootkits

• FUTo
• KIrcBot
• SubVirt
• Shadow Walker
• BluePill (PoC)

13
Commercial Stealth
Commercially available products that use rootkit
type technologies.

• Sony DRM
• Mr. Mrs. Smith DVD (Alpha-Disc DRM)
• Norton System Works
• Hide Folders XP
• Tracking and Monitoring software

14
What can they hide

• Covert Channels
• Custom GINAs
• Files and Directories
• Processes
• Registry Keys
• Services
• TCP/UPD ports
• Memory pages (New)
• VMs (New)

15
How they hide and go undetected

• Kernel Native API hooking
• User Native API hooking
• Dynamic Forking of Win32 EXE
• Direct Kernel Object Manipulation (DKOM)
• Interrupt Descriptor Table Hooking
• Memory Hooking (Shadow Walker)
• Reference www.security.org.sg / www.hbgary.com /
  www.rootkit.com

16
How they hide and go undetected 1 of 3

• Kernel Native API hooking
• SDT
• This technique is typically implemented by
  modifying the ServiceTable entries in the Service
  Descriptor Table (SDT).
• Directly unlinking the process's EPROCESS entry
  from ActiveProcessLink.
• User Native API hooking
• Import Address Table (IAT) / Export Address Table
  (EAT)
• Each process and module(DLL) have their own
  Import Address Table (IAT) that contains the
  entry-point addresses of the APIs that are used.
  These addreseses will be used whenever the
  process makes a call to the repective APIs.
  Therefore, by replacing the entry-point address
  of an API (in the IAT) with that of a replacement
  function, it is possible to redirect any calls to
  the API to the replacement function.
• Every DLL has an Export Address Table (EAT) that
  contains the entry-point addresses of the APIs
  that are implemented within the DLL. Hence, by
  replacing the entry-point of an API within the
  EAT with the relative address of the replacement
  function, we can cause GetProcAddress to return
  the address of the replacement function instead.

17
How they hide and go undetected 2 of 3

• Dynamic Forking of Win32 EXE
• Under Windows, a process can be created in
  suspend mode using the CreateProcess API with the
  CREATE_SUSPENDED parameter. The EXE image will be
  loaded into memory by Windows but execution will
  not begin until the ResumeThread API is used.
  Before calling ResumeThread, it is possible to
  read and write this process's memory space using
  APIs like ReadProcessMemory and
  WriteProcessMemory. This makes it possible to
  overwrite the image of the original EXE with the
  image of another EXE, thus enabling the execution
  of the second EXE within the memory space of the
  first EXE.
• Direct Kernel Object Manipulation (DKOM) in
  memory
• A device driver or loadable kernel module has
  access to kernel memory
• A sophisticated rootkit can modify the objects
  directly in memory in a relatively reliable
  fashion to hide.

18
How they hide and go undetected 3 of 3

• Interrupt Descriptor Table (IDT)
• Interrupts are used to signal to the kernel that
  it has work to perform.
• By hooking one interrupt, a clever rootkit can
  filter all exported kernel functions.
• Memory Hooking (Shadow Walker)
• Hooking pages of memory to hide code
• Reference www.security.org.sg / www.hbgary.com /
  www.rootkit.com

19
DEMO Network
20
DEMO Introduction

• Hacker Defender - Anatomy 101
• Hxdef100.exe
• Hxdef100.ini
• Hxdefdrv.sys (Embedded in hxdef100.exe)
• Rdrbs100.exe
• Rdrbs100.ini
• Bdcli100.exe
• Reference http//hxdef.czweb.org

DEMO
21
DEMO

• Hacker Defender In Action!
• Security Compromise - Exploit
• Avoiding Antivirus Detection
• Hiding Folders/Files
• Hiding Services
• Hiding TCP Ports
• Hacker Defender Covert Channel
• Backdoor shell access via SMTP

DEMO
22
Covert Channel Summary
23
DEMO

• FUTo
• Security Compromise - Exploit
• Avoiding Antivirus Detection
• Changing Security Token
• Hiding Process

DEMO
24
Detection

• How to detect rootkits?

25
DEMO

• Detecting rootkits
• F-Secure Blacklight
• GMER
• Rootkit Revealer
• IceSword

DEMO
26
Detection Results
1 Could not detect FU because it does not hide
folders/files. Only processes.
27
Detection Summary

• All stock rootkits discovered with various
  detection tools
• Custom recompiled rootkits by pass antivirus
  detection
• Commercially available customized rootkits that
  hide files, services, processes, registry keys
  would not be detected in the compromised OS

28
Hardware Virtualization Rootkits

• Dino Dai Zovi presented an essentially
  undetectable hypervisor rootkit using
• Intel VT processor
• Mac OS-X
• Vitriol to be demod at BlueHat
• Joanna Rutkowska presented an essentially
  undetectable hypervisor rootkit using
• AMD Pacifica processor
• Microsoft Vista Beta 2
• SUMMARY THIS IS NOT AN AMD OR INTEL NOR VISTA OR
  MAC ISSUE!

29
Hardware Virtualization Rootkits

• Preventing detection was a design goal
• There is no software-visible bit whose setting
  indicates whether a logical processor is in VMX
  non-root operation. This fact may allow a VMM to
  prevent guest software from determining that it
  is running in a virtual machine -- Intel VT-x
  specification
• The design goals of AMD and Intel were to provide
  full virtualization. This means FULL
  virtualization.
• There is no hardware bit or register that
  indicates that the processor is running in VMX
  non-root mode
• Read Dino and Joannas presentations for details
  regarding new CPU instructions and how
  hypervisors work.

30
Bypassing Vista Kernel Signed Drivers

• Well Joanna did have some extra complexity to
  deal with because of Vista requiring all kernel
  drivers to be signed.
• Essentially, she figured out a way to cause it to
  page out null.sys, then modified the pagefile.sys
  directly using raw disk access to get Vista to
  run her rootkit. The process
• Allocate lots of memory to cause unused drivers
  code to be paged
• Replace the paged out code (inside pagefile) with
  some shellcode
• Ask kernel to call the driver code which was just
  replaced
• Fixed in Vista RC2 by disabling raw disk
  access from user mode (including administrator)

31
BP Detection

• Some ideas for BluePill detection were presented
  by both Dino and Joanna. Essentially they are
• Attempt to use VMX to create a VM
• Bluepill a box with Bluepill although this
  exception could be handled and the second
  Bluepill to run would end up being virtualized
  also)
• Attempt to detect VM exit latency
• Dino demod using CPUID, but a number of
  instructions cause a VM Exit and you could
  measure latency. Although the timer could be
  altered by the Bluepill and hence would require
  an external time source. How could is your stop
  watch?
• Joanna came up with an undisclosed method to blue
  screen a BluePilled box, but thats not really
  great detection.

32
Hardware Virtualization Rootkits Bottom line

• Arbitrary code can be injected into Vista x64
  kernel despite code signing requirement, and in
  really any other operating system.
• This could be abused to create Blue Pill based
  malware on processors supporting virtualization
• BP installs itself on the fly and does not
  introduce any modifications to BIOS nor hard disk
• BP can be used in many different ways to create
  the actual malware
• BP should be undetectable in any practical way
  (when fully implemented)
• Blocking BP based attacks on software level will
  also prevent ISVs from providing their own VMMs
  and security products based on SVM technology
• Changes in hardware (processor) could allow for
  easy BP detection

33
Protection

• Defence in Depth practices!
• Application Layer firewalls
• Add rootkit detection and removal software to
  your toolkit
• Baseline your systems in another kernel (WinPE)
  using the Microsoft Strider technique for
  comparing modified/added binaries on a regular
  basis

34
Removal

• Rootkit removal tools (eg. Unhackme by Greatis
  Software, F-Secure Blacklight, GMER, IceSword)
• Clean from another kernel (eg. BackTrack, WinPE,
  etc)
• Use technology that reverts back to a previous
  state if your environment allows for it
• Undo disks in Microsoft Virtual PC/Server
• Microsoft Shared Computer Toolkit v1.1
• Faronics Deep Freeze
• Symantec Norton GoBack
• Winternals Recovery Manager
• Once a machine has been compromised, the only
  true cleaning method is to low-level format and
  reload!

35
Trends 1 of 2

• Its a cat and mouse game
• As rootkit detection methods/signatures are
  updated so are the techniques/methods of the
  rootkits evading detection just like viruses but
  much more sophisticated
• Encrypting the memory pages where the rootkit is
  running to avoid detection
• Polymorphism
• Spyware and Viruses utilizing functions of
  rootkits to hide their presence and payload This
  has already happened and will continue to
  escalate to an extremely stealthy version

36
Trends 2 of 2

• Memory Hiding (e.g. Shadow Walker)
• Using other system writeable memory locations.
  (e.g. VideoCardKit, MTDWin, ACPI, BIOS)
• Boot sector rootkits (e.g. BootRootKit)
• Virtual Machine rootkits
• Database rootkits (presented in concept by
  Alexander Kornbrust at BH2005)
• Hardware based rootkit detection
• Intel Rootkit detection (Code name LaGrande)
• TPM (Trusted Platform Module)
• Co-Pilot (PCI card) http//www.komoku.com

37
VISTA

• Windows Defender (Beta 2)
• Microsoft plans to move device drivers out of the
  kernel and in to the user level.
• Address Space Layout Randomization (ASLR)
• Digital Signatures for Kernel Modules on
  x64-based Systems Running Windows Vista
• Microsoft Patch Guard on x64 Based Systems
• Reference http//www.microsoft.com

38
Need to Know
Prevention
Response
LearnMore
39
CMS Training Offerings

• INSPIRE Infrastructure Workshop
• 4 days of classroom training - demo intensiveAD,
  Exchange, ISA, Windows Server, SMS, MOM, Virtual
  Server
• Business Desktop Deployment Deploying
  Vista/Office
• 3 days of classroom training - hands on labs
  (computers provide)Business Desktop Deployment
  Concepts, Tools, Processes, etc. Vista and Office
  
• Securing Internet Information Services
• Securing ActiveDirectory
• Securing Exchange 2003
• 1 day classroom training per topic
• TRAINING BY EXPERTS FOR EXPERTS

40
Contacting Us.
_at_

• Brian Bourne, President brian_at_cms.ca
• Robert Buren, VP Business Development
  robert_at_cms.ca
• CMS Consulting Inc. http//www.cms.ca/
• CMS Training http//www.cms.ca/training/
• Toronto Area Security Klatch http//www.task.to/
  

41
Q A
CMS Consulting Inc.

• Thank You!
• Visit CMS Consulting at http//www.cms.ca
• Join Toronto Area Security Klatch at
  http//www.task.to