Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il.
INTRODUCTION TO INFORMATION SECURITY - ROOTKITS
Itamargi at post.tau.ac.il, Nirkrako at post.tau.ac.il
Rootkits
What are they?
Various types of rootkits.
Detection.
Famous case.
What is a rootkit?
The name rootkit originally came from a UNIX/Linux set of utilities that was used after gaining root via a privilege escalation (PE) or a remote root exploit.
The goal of the rootkit is to allow a hacker to roam freely about the system, while still maintaining root.
The rootkit hides the hacker and allows him to evade detection by the system admin.
Modus operandi:
1. Hack the system.
2. Install the system.
3. Explore the system.
4. **** the system.
What can/should a rootkit do?
Hide the hacker's files: a hacker would usually have a drop-off directory where he will create temporary files (such as zip files) or keep a PE file, e.g.:
    echo 'int main(){setuid(0);setgid(0);system("/bin/sh");}' > a.c ; gcc a.c -o a ; chmod 4755 a
Eg: all files in /usr/bin/.w00t/ are completely hidden.
Hide the hacker's process: e.g. any process whose name starts with "w00t" will not be visible.
Hide sniffing: hide that an interface is working in promiscuous mode.
Hide open ports.
Let the hacker back in without using the exploit: using the exploit to re-enter usually makes too much noise, and there is no need to clean up after re-entry.
Application based rootkits
The first rootkits seen in the 90s were replacements for the set of system utilities in /bin/.
For example, hackers used a modified version of /bin/ls.
In open-source systems such as Linux this is very easy: download the original code, modify, compile, spread.
In closed-source systems such as Windows or older UNIX: binary patch the relevant files.
Application Layer Dilemmas
If you patch one program, you never know if you covered all your bases. E.g.:
Patch 'ps' but forget to patch 'top'.
Patch 'ls' but forget to patch 'mc' (midnight commander).
Software upgrades, if the software is upgraded
Library Rootkits
Patch the system libraries, such as libc (e.g. readdir).
Patching can be done offline on the library file or via code injection techniques.
Code Injection/API Hooking
The idea is to dynamically patch a program's behavior. This is necessary for debuggers to work properly.
We load a "shellcode" into the process memory using some technique.
Eg. Windows:
    BOOL WriteProcessMemory( HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten );
Eg. Linux: ptrace with POKETEXT:
    PTRACE_POKETEXT, PTRACE_POKEDATA: Copies the word data to location addr in the child's memory. As above, the two requests are currently equivalent.
The shellcode can load a DLL that does some more work. Subverting functions is done by patching the original code.
Linux: the code segment permissions can be changed via mprotect().
Windows: VirtualProtect(). Windows has Detours, a library used to hook APIs.
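Seen from the defender's side, code that was patched in place leaves a trace: the bytes of the function in memory no longer match the bytes of the file the library was mapped from. The following is an added example (my code, not from the slides) that reads /proc/self/maps and /proc/self/mem, assumed to be the Linux procfs layout, and compares every executable file-backed mapping of the running process with the file on disk. The function-prologue bytes and the maps line used as sample data are constructed.

```python
# Added example (not part of the slides): compare every executable, file-backed
# mapping of the running process with the bytes of the backing file on disk.
# A rootkit that hooks a library function by rewriting its code in memory
# (mprotect/VirtualProtect + overwrite) changes the in-memory view only, so
# the two views diverge. Linux /proc layout assumed; sample data is constructed.
import os

MAPS_PATH = "/proc/self/maps"
MEM_PATH = "/proc/self/mem"


def parse_maps(text):
    """Yield (start, end, perms, offset, path) for file-backed entries of a
    /proc/<pid>/maps listing; anonymous mappings (no path column) are skipped."""
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue
        addr, perms, offset, _dev, _inode, path = parts
        start, end = (int(x, 16) for x in addr.split("-"))
        yield start, end, perms, int(offset, 16), path


def diff_ranges(in_memory, on_disk):
    """Return [(offset, length)] for each run of bytes where the two views differ.
    Only the common prefix is compared: the last page of a file-backed mapping
    is zero-padded in memory past the end of the file."""
    n = min(len(in_memory), len(on_disk))
    if in_memory[:n] == on_disk[:n]:
        return []  # fast path: identical, which is the normal case
    runs, i = [], 0
    while i < n:
        if in_memory[i] == on_disk[i]:
            i += 1
            continue
        j = i
        while j < n and in_memory[j] != on_disk[j]:
            j += 1
        runs.append((i, j - i))
        i = j
    return runs


def scan_executable_mappings(maps_path=MAPS_PATH, mem_path=MEM_PATH):
    """Return [(path, start_address, runs)] for executable mappings whose memory
    image no longer matches the file it was mapped from. Empty list = clean
    (or procfs unavailable). A file upgraded on disk after it was mapped also
    shows up here, so confirm findings against package hashes."""
    findings = []
    try:
        with open(maps_path) as f:
            maps = f.read()
        mem = open(mem_path, "rb", buffering=0)  # unbuffered: no read-ahead into unmapped pages
    except OSError:
        return findings
    with mem:
        for start, end, perms, offset, path in parse_maps(maps):
            if "x" not in perms or not path.startswith("/") or path.endswith("(deleted)"):
                continue
            try:
                with open(path, "rb") as f:
                    f.seek(offset)
                    on_disk = f.read(end - start)
                mem.seek(start)
                in_memory = mem.read(len(on_disk))
            except OSError:
                continue  # unreadable file or unmapped page: skip, do not crash
            runs = diff_ranges(in_memory, on_disk)
            if runs:
                findings.append((path, start, runs))
    return findings


# Constructed sample: the first bytes of a function as they sit on disk, and the
# same bytes after an inline hook overwrote the prologue with a 5-byte jmp rel32
# (the rel32 value here is a placeholder, not a real displacement).
ORIGINAL_PROLOGUE = bytes.fromhex("554889e54883ec10")  # push rbp; mov rbp,rsp; sub rsp,0x10
HOOKED_PROLOGUE = bytes.fromhex("e9deadbeef") + bytes.fromhex("83ec10")  # jmp rel32; untouched tail


if __name__ == "__main__":
    print("constructed sample:", diff_ranges(HOOKED_PROLOGUE, ORIGINAL_PROLOGUE))
    for path, start, runs in scan_executable_mappings():
        print(f"{path} @ {start:#x}: {len(runs)} patched run(s), first at +{runs[0][0]:#x}")
```

On a clean host the live scan prints nothing; the constructed sample reports one run of five differing bytes at offset 0, which is exactly the footprint of a jmp written over a prologue. The check only sees in-place patches of mapped code; a library swapped on disk (the library-rootkit case) needs the file-hash comparison instead.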
Syscall rootkit
Rootkit based on a kernel driver. The rootkit driver is loaded into the operating system; once it is loaded it modifies the system_call table and subverts the original
Rootkit detection
Looking at the rootkit from a different perspective.
Signature based: look for signatures in files and memory known to belong to the rootkit (blacklist based). This is the technique most anti-viruses use.
Difference based: difference between the view from memory and the view on disk. Offline vs. online.
Integrity checking of binaries: compare the MD5 of files to a whitelist.
Eg.: the tripwire application for *n?x.
[Trace buster video]
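Added example (not from the slides): a tripwire-style integrity baseline and a cross-view process check, written as a Python script a sysadmin could run. It assumes Linux /proc and a ps(1) that accepts -e -o pid=; the "binaries" hashed in the demo are constructed in a temporary directory. It also answers the "patch ps but forget top" dilemma from the application-layer slide: a trojaned tool can only lie about what it prints, so the kernel's own answer (kill(pid, 0) for every pid, filtered to thread-group leaders) is compared with what /proc and ps show.

```python
# Added example (not part of the slides): two admin-side checks.
# (1) Integrity baseline: hash the system binaries while the host is known-good,
#     re-hash later and report what changed (the idea behind tripwire).
# (2) Cross-view process check: compare the PIDs a userland tool prints with the
#     PIDs obtained straight from the kernel.
# Linux /proc assumed; demo files are constructed in a temporary directory.
import hashlib
import os
import subprocess
import tempfile


def hash_file(path, algo="sha256"):
    """Digest of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """{path: digest} for every regular file in paths (the whitelist)."""
    return {p: hash_file(p) for p in paths if os.path.isfile(p)}


def compare_baseline(baseline, current):
    """Report files whose digest changed, files that vanished and files that appeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo_baseline():
    """Constructed run: three fake binaries; then one is patched, one removed, one dropped in."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x7fELF fake " + name.encode())
        baseline = build_baseline(os.path.join(d, n) for n in ("ls", "ps", "netstat"))
        with open(os.path.join(d, "ls"), "ab") as f:
            f.write(b" patched")                      # modified binary
        os.remove(os.path.join(d, "netstat"))         # missing binary
        with open(os.path.join(d, "w00t.zip"), "wb") as f:
            f.write(b"dropped file")                  # unexpected new file
        current = build_baseline(os.path.join(d, n) for n in os.listdir(d))
        report = compare_baseline(baseline, current)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


def _tgid(pid):
    """Thread-group id from /proc/<pid>/status: kill(2) also answers for thread
    ids, and those must not be mistaken for hidden processes."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return pid  # status unreadable: keep the pid; a second pass can re-check races


def pids_from_proc():
    """The view readdir() on /proc gives (what ls /proc and most tools rely on)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pids_from_kill(max_pid=None):
    """Ask the kernel directly: kill(pid, 0) fails with ESRCH only if no such pid exists."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by someone else
        alive.add(pid)
    return {p for p in alive if _tgid(p) == p}


def pids_from_ps():
    """The view a (possibly trojaned) userland tool presents."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_between(kernel_view, tool_view):
    """PIDs the kernel knows about that the tool did not show."""
    return sorted(kernel_view - tool_view)


if __name__ == "__main__":
    print("integrity demo:", demo_baseline())
    if os.path.isdir("/proc"):
        print("hidden from ps:", hidden_between(pids_from_proc(), pids_from_ps()))
        print("hidden from /proc:", hidden_between(pids_from_kill(), pids_from_proc()))
```

The baseline must be taken and stored off-host (or on read-only media) while the system is trusted; a baseline built after the compromise simply whitelists the trojaned binaries. The kill(2) sweep over pid_max PIDs takes a few seconds in Python; a process that exits between the probe and the status read can appear as a one-off false positive, so repeat a hit before acting on it.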
Sony DRM: Famous Rootkit Case
https://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx?Redirected=true