Root Kits and Windows Hardening Team BAM! Scott Amack Everett Bloch Maxine Major.

Post on 23-Dec-2015


Root Kits and Windows Hardening

Team BAM!
Scott Amack
Everett Bloch
Maxine Major

Overview

• What is a rootkit?
• Types of rootkits
• Rootkit history
• Rootkit tools & removal
• Rootkit demonstration
• Windows Hardening
• Microsoft Security Essentials (MSE)

What is a “rootkit”?

“… originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access.”

(Wikipedia)

What is a “rootkit”?

Current definition:

A rootkit is designed to hide the existence of certain processes or programs from normal methods of detection.

(Wikipedia)

History of Rootkits

Brain Virus (1968)
• First documented computer virus
• Used cloaking techniques to hide itself
• Intercepted attempts to read the boot sector and redirected them to the part of the disk where copies of the original boot sector were kept.

History of Rootkits

C compiler exploit (1983)

• Discovered by Ken Thompson of Bell Labs (one of the creators of Unix)

• Subverted the C compiler by recompiling with two Trojan Horses

History of Rootkits

C compiler exploit (1983)

– First, detected attempts to compile the “login” command
• Login would accept the user's correct password and one that the attacker specified
• Allowed the attacker to log into any account on the system

History of Rootkits

C compiler exploit (1983)

– Second, detected attempts to recompile the compiler itself
• Inserted the same exploits into the new compiler
• Inspection of the source would not reveal any malicious code

These exploits are equivalent to a rootkit

History of Rootkits

Earliest known rootkit (1990)

• Written by Lane Davis and Steven Dake
• Targeted the SunOS UNIX operating system

History of Rootkits

NTRootkit (1999)
• First malicious rootkit for Windows NT
• Created by Greg Hoglund
• Implemented as a Trojan
• Used OS hooks to conceal presence

(McAfee)

History of Rootkits

HackerDefender (2003)

• First rootkit targeting Mac OS X
• Used OS hooks to conceal presence

(McAfee)

History of Rootkits

Greek wiretapping (2004-2005), AKA “Greek Watergate”

• Targeted mobile phones of important Greek government members and civil servants
– Rootkit targeted the telephone exchange
– Patched memory of the exchange, the audit log, active processes, and active data blocks

History of Rootkits

Greek wiretapping (2004-2005), AKA “Greek Watergate”

– Modified the data block checksum verification command

– Backdoor allowed an operator with sysadmin status to access surveillance information and to apply rootkit updates

– Rootkit discovered after an update prevented SMS messages from being delivered

– Identity of the perpetrators is still unknown

History of Rootkits

Sony BMG (2005)
• Published CDs with copy protection software: Extended Copy Protection, created by First 4 Internet

• Software included a music player that silently installed a rootkit to hide files that started with $sys$

• Discovery of this rootkit led to malware taking advantage of affected systems


History of Rootkits

RootkitRevealer (2006)

• Created by Mark Russinovich
• Windows rootkit discovery software
• Identifies Windows Registry and file system API discrepancies, which may indicate the presence of a rootkit

History of Rootkits

Stuxnet (2010)
• First to target programmable logic controllers (PLC)

(Wikipedia)

History of Rootkits

Ubisoft DRM (2012)
• Ubisoft’s game DRM used an internet connection to ensure any game played was legal
• Created a backdoor allowing continued privileged access to the user’s machine.

• Ubisoft: “…not a rootkit.” Just a “coding error.”

Hanlon’s Razor - “Never attribute to malice that which is adequately explained by stupidity.”

(Geek, lazygamer)

(Geek)

Types of Rootkits

• Persistent Rootkits
• Memory-Based Rootkits
• User-mode Rootkits
• Kernel-mode Rootkits

(Windows Sysinternals)

Types of Rootkits

Persistent Rootkits
• Malware activates each time the system boots
• Store code in a persistent store, such as the Registry or file system
• Configure a method by which the code executes without user intervention

Types of Rootkits

Memory-Based Rootkits
• Has no persistent code
• Does not survive a reboot

Types of Rootkits

User-mode Rootkits
• Attempts to evade detection:

– The Windows native API is the interface between user-mode clients and kernel-mode services

– Sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API

– This prevents detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration, since both views pass through the same hooked layer

Types of Rootkits

Kernel-mode Rootkits
• Can intercept the native API and directly manipulate kernel-mode data structures
– Hides the presence of malware processes by removing the process from the kernel's list of active processes.

– The malware process will not display in process management tools like Task Manager or Process Explorer.

Rootkit Removal

• OS Reinstall
– May require boot sector repair

• Rootkit Detection/Removal Tools
– Some tools are specific to one type of rootkit
– We will demo two of these tools today.

• Manual Removal
– Complicated.
– It is advised that you do this in conjunction with rootkit detection tools (e.g. Blacklight).

Rootkit Tools

• The tools we will be using for our demo:

– RootkitRevealer
– Blacklight
– FU Rootkit

Rootkit Tools

• RootkitRevealer
– Displays Registry and File System API discrepancies
– Works on user-mode and kernel-mode rootkits
– Runs on Windows XP and Windows Server 2003
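The discrepancy-based detection described above (for RootkitRevealer, and for the user-mode and kernel-mode slides before it) is often called cross-view detection: the same objects are enumerated through two independent paths and anything present in one view but missing from the other is flagged. The following is an added toy model, not code from the slides or from RootkitRevealer; the `ToyKernel`, its linked list and PID table, and the sample process names are all constructed to stand in for the kernel structures the slides mention.

```python
# Added example (not from the slides): a toy model of cross-view rootkit detection.
# The "kernel" keeps processes in a doubly linked list (standing in for the
# kernel's list of active processes) and in a PID lookup table (a second,
# independent view). A kernel-mode rootkit that unlinks an entry from the list
# hides it from list-walking tools, but the PID table still knows about it.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Process:
    pid: int
    name: str
    prev: Optional["Process"] = field(default=None, repr=False)
    next: Optional["Process"] = field(default=None, repr=False)


class ToyKernel:
    def __init__(self):
        self.head: Optional[Process] = None  # view 1: walked by Task Manager-style tools
        self.pid_table = {}                  # view 2: pid -> Process, used by the scanner

    def create(self, pid: int, name: str) -> Process:
        p = Process(pid, name)
        p.next = self.head
        if self.head:
            self.head.prev = p
        self.head = p
        self.pid_table[pid] = p
        return p

    def enumerate_list(self) -> list:
        # What a list-walking enumeration reports (sorted PIDs).
        out, cur = [], self.head
        while cur:
            out.append(cur.pid)
            cur = cur.next
        return sorted(out)

    def unlink_from_list(self, pid: int) -> None:
        # The hiding trick from the slides: the entry is removed from the list only;
        # the process keeps existing in the other kernel structure (the PID table).
        p = self.pid_table[pid]
        if p.prev:
            p.prev.next = p.next
        else:
            self.head = p.next
        if p.next:
            p.next.prev = p.prev
        p.prev = p.next = None


def cross_view_scan(kernel: ToyKernel) -> list:
    # Detection: any PID known to the low-level view but absent from the
    # high-level list view is a hidden-process candidate worth investigating.
    listed = set(kernel.enumerate_list())
    return sorted(pid for pid in kernel.pid_table if pid not in listed)
```

Real scanners of this kind work the same way with real views (for example the registry hive file on disk versus the Registry API), and a discrepancy is a lead, not proof: legitimate software that hooks the same APIs can produce false positives, so each hit still needs manual review.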

Rootkit Tools

• Blacklight
– Detects hidden processes, files, and directories
– Helps remove hidden files and directories
– Runs on Windows

Rootkit Tools

• FU Rootkit
– Kernel-mode rootkit
– Hides running processes and kernel-mode modules
– Directly modifies certain kernel data structures used by the operating system
– Does not actively try to hide itself

Rootkit Demonstration

Windows Hardening

• Download a current anti-virus solution and keep it updated
• Install all current Windows patches
• Do not use Windows with an Admin-level account
• Always choose the public network profile when setting up networking

Windows Hardening

• Turn on Data Execution Prevention
– If DEP sees a program using memory incorrectly it will shut the program down
• Disable unnecessary network protocols like IPv6 and NetBIOS if not in use
• Practice safe browsing habits: if in doubt, don’t click it.

Microsoft Security Essentials

• Built on the Microsoft Malware Prevention Engine

• Designed for Small Business or Home User

• Does not include a firewall

– (uses Windows Firewall)

• Does not include centralized management features.

Microsoft Security Essentials

• Initial Public Beta – June 23, 2009
– Final build of Version 1.0 released Sept 29, 2009

• Version 2.0 released Dec 16, 2010
– 2.0 included a Network Inspection System
– Network intrusion detection for Windows Vista & 7
– 2.0 included a new engine employing heuristics in malware detection.
– Suspicious files are executed in a virtual machine that looks for suspect activity

Microsoft Security Essentials

• Version 4.0 released April 24, 2012
– Improved memory overhead
– Improved scanning engine

• September 2012
– MSE loses AV-Test certification with a poor protection score

Microsoft Security Essentials

• October 2012: Windows 8 is released
– Does not have MSE
– It is speculated that Microsoft switched their focus to Windows Defender for Windows 8

• For a free solution, MSE is still a very good product

Conclusions

• Rootkits evade detection by intercepting native system calls and disguising their activities.

• Rootkit detection software can identify potential rootkits (but may not remove them)

• Windows hardening starts with basics: updates and a security software solution!

Summary

• Definition of a Rootkit

• Rootkit History

• Types of Rootkits
• Rootkit Removal
• Rootkit Tools & Demonstration
• Windows Hardening
• Microsoft Security Essentials

References

• McAfee: http://web.archive.org/web/20060823090948/http://www.mcafee.com/us/local_content/white_papers/threat_center/wp_akapoor_rootkits1_en.pdf
• Wikipedia: http://en.wikipedia.org/wiki/Rootkit
• Wikipedia: http://en.wikipedia.org/wiki/RootkitRevealer
• Windows Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
• F-Secure: http://www.f-secure.com/v-descs/fu.shtml
• Softpedia: http://www.softpedia.com/get/Antivirus/F-Secure-BlackLight-Rootkit-Detection.shtml
• Geek: http://www.geek.com/games/ubisoft-uplay-drm-found-to-include-a-rootkit-1506163/
• lazygamer: http://www.lazygamer.net/general-news/ubisoft-rootkit-just-a-bug/