INTRODUCTION TO INFORMATION SECURITY -

ROOTKITSItamargi at post.tau.ac.ilNirkrako at post.tau.ac.il

Rootkits

What are they? Various types of rootkits. Detection Famous case

What is a rootkit ?

The name rootkit originally came from UNIX/linux set of utilities that was used post gaining root via a privilege escalation (PE) or a remote root exploit.

The goal of the rootkit is to allow a hacker to roam free about the system, while still maintaining root.

The rootkit hides the hacker and allows him to evade detection by the system admin.

Modus operandi:1. Hack the system.2. Install the system.3. Explore the system.4. **** the system.

What can/should a rootkit do ?

Hide the hackers files – a hacker would usually have a drop-off directory where he will create temporary files (such as zip files) or keep a PE file: echo “int main{setuid(0);setgid(0);system(“/bin/sh”);} > a.c ;

gcc a.c –o a ; chmod 4755 a Eg: all files in /usr/bin/.w00t/ are completely hidden.

Hide the hackers process: Eg. Any process starting with the words: “w00t” will not be

visible. Hide sniffing: hide working in promiscuous mode. Hide open ports Let the hacker back in without using the exploit:

Using the exploit to re-enter usually makes too much noise. No need to cleanup after re-entry.

Application based rootkits

The first rootkits seen in the 90s were replacements for the set of system utilities in /bin/.

For example hackers used a modified version of /bin/ls.

In open-source systems such as linux this is very easy: Download original code, modify, compile, spread.

In closed-source systems such as windows, older UNIX: Binary patch the relevant files.

Application Layer Dilemmas

If you patch one program, you never know if you covered all your bases. Eg.: patch ‘ps’ but forget to patch ‘top’ Patch ‘ls’ but forget to patch ‘mc’ (midnight

commander) Software upgrades, if the software is

upgraded

Library Rootkits

Patch the system libraries, such as libc, eg.: readdir

Patching can be done offline to the library or via code injection techniques.

Code Injection/API Hooking

The idea is to dynamically patch a program’s behavior. This is necessary for debuggers to work properly

We load a “shellcode” in the process memory using some technique. Eg. Windows:

BOOL WriteProcessMemory( HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten );

Eg. Linux: ptrace with POKETEXT: PTRACE_POKETEXT, PTRACE_POKEDATA Copies the word data to location

addr in the child's memory. As above, the two requests are currently equivalent.

The shellcode can load a DLL that does some more work. Subverting functions is done by patching the original code.

Linux: The code segment permissions can be changed via mprotect() Windows: VirtualProtect(). Windows has Detours – a library used to Hook APIs

Syscall rootkit

Rootkit based in a kernel driver. The rootkit driver is loaded into the operating system, once it is loaded it modifies the system_call table and subverts the original

Rootkit detection

Looking at the rootkit from a different perspective Signature based:

Look for signatures in files and memory know to belong to the rootkit. blacklist based.

This is the technique most anti-viruses use. Difference based

Difference between view from memory to view on disk. Offline vs. Online.

Integrity checking of binaries. Compare md5 of files to whitelist.

Eg.: tripwire application for *n?x

[Trace buster video]

Sony DRM: Famous Rootkit Case

https://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx?Redirected=true