Root-Kit and its Evolution
By Nimish Agarwal, Graduate Student, School of Computing, Clemson
Agenda
• What is Root-Kit
• Important Dates
• Types of Root-Kit
• How Root-Kit Works
• Windows based Root-Kit
• Detection
• Removal
What is a RootKit
• Root-Kit = “Root” + “Kit”.
• Originally designed for Unix.
• Maliciously enables privileged or root access to a computer.
• Hides its presence from the administrator.
• Toolkit used to preserve remote access or root access.
• A Root-Kit is not a virus or a worm.
Important Dates
• 1990 :- Earliest Root-Kit, by Lane Davis and Steven Dake, for SunOS 4.1.1.
• 1999 :- Created by Greg Hoglund, was the first Root-Kit to be written for Windows NT.
• 2000 :- Designed by Russian Programmer. Behaves like Root-Kit. Works in Kernel Mode. Not malicious.
• 2002 :- Hacker Defender, more powerful than He4Hook. Works in user mode.
• 2003 :- Vanquish. Used to hide files, directories, and registry keys. Logs passwords. Works in user mode.
• 2003 :- Haxdoor. Backdoor that uses a Root-Kit to conceal its presence. Works in Kernel Mode.
• 2004 :- FU, a tool to conceal processes. Introduces a technique for modifying the system structures themselves. Works in Kernel Mode.
There are many more, but these early versions were the key to understanding the evolution of Root-Kit.
Types of RootKit
• Memory RootKit
    • Loaded into memory
    • No persistent programming code
    • Does not survive reboot
• Persistent RootKit
    • Persistent code and storage (Registry or system file)
    • Avoids user intervention (can be at startup)
• Kernel RootKit
    • Worst among all of the above
    • Modifies data structures in the kernel
How Root-Kit Works
• Vulnerable system is detected and targeted.
• Admin access gained on the targeted system.
• Root-Kit installed.
• Root-Kit activated, either by a forced restart or delayed until a scheduled restart.
• Hide from Processes
• Hide from Services
• Hide listening TCP/UDP ports
• Hide Kernel Modules
• Hide Drivers
Two basic Classes of Root-Kit
• Kernel Mode Root-Kit
• Ring 0 :- Kernel Mode
• User Mode Root-Kit
• Ring 1 :- Device Drivers
• Ring 2 :- Device Drivers
• Ring 3 :- Applications
• Ring 0 is the most privileged and Ring 3 is the least privileged.
User Mode Root-Kit (Windows Based)
• Operates in Ring 3.
• Hooks in user or application space.
• Hijacks a predefined path used to execute a system call.
• Can be done by modification or injection of a library (DLL).
• Patches every program running in user space.
• Monitors for any new application and patches it before it fully executes.
Kernel Mode Root-Kit (Windows Based)
• Hooking or modification in Kernel Space.
• Ideal place, since it is the lowest level.
• Can be invoked by Interrupts or Model Specific Registers.
• System Service Descriptor Table (function pointer table in kernel memory).
• Direct Kernel Object Modification (modifies the data structures in kernel memory).
How Root-Kit Works (contd …)
[Diagram: a “dir c:\” command calls ReadFile(). The DLL is “tricked” into thinking it can’t execute the command and calls the rootkit DLL, which passes the command on to NTFS for C:\. NTFS returns “docs, rootkit, windows”; the rootkit filters the results to hide itself, so the caller sees “docs, windows”.]
Detection
Methods to detect the presence of a Root-Kit are as follows:
• Alternative trusted medium
• Behavioral Medium
• Signature Based
• Difference Based
• Memory Dumps
Detection (cont…)
• Alternative Trusted Medium :- Shut down the infected system and boot its storage on a trusted machine. Almost no Root-Kit can function properly when it is not active.
• Behavioral Medium :- Infers the presence of a Root-Kit by detecting Root-Kit-like behavior. Complex, with a high incidence of false positives.
• Signature Based :- Antivirus products that use fingerprint detection; a stealthy detector can be useful. Effective against well-published Root-Kits.
Detection (cont…)
• Difference Based :- Compares the trusted raw data with the data returned through the Root-Kit filter.
• Memory Dumps :- Taking a memory dump of the entire system and analysing it offline prevents the Root-Kit from taking any measures to cloak itself.
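Added example (not part of the original slides): a minimal difference-based check that compares a trusted raw view with the view returned by the OS API, generalized from files to any resource kind. The function names, the file "tmp1.dat" and the PIDs are assumptions made up for illustration; the file names follow the diagram slide.

```python
# Added example: cross-view (difference-based) check on constructed data.
from collections import Counter

def normalize(kind, item):
    # Windows file names are case-insensitive, so fold case before comparing.
    return str(item).casefold() if kind == "file" else str(item)

def cross_view_diff(kind, raw_view, api_view):
    """Compare a trusted raw view with the view returned by the OS API.

    Returns (hidden, phantom): entries present only in the raw view, which
    a filtering rootkit would remove, and entries present only in the API
    view, which usually mean the two snapshots were taken at different times.
    """
    raw = {normalize(kind, i): i for i in raw_view}
    api = {normalize(kind, i): i for i in api_view}
    hidden = [raw[k] for k in sorted(raw.keys() - api.keys())]
    phantom = [api[k] for k in sorted(api.keys() - raw.keys())]
    return hidden, phantom

def stable_hidden(kind, passes):
    """Keep entries hidden in every pass; one-off differences are churn.

    `passes` is a list of (raw_view, api_view) pairs taken at different times.
    """
    counts = Counter()
    for raw_view, api_view in passes:
        hidden, _ = cross_view_diff(kind, raw_view, api_view)
        counts.update(normalize(kind, h) for h in hidden)
    return sorted(k for k, n in counts.items() if n == len(passes))

# Constructed sample data. File names follow the slide's diagram
# (docs, rootkit, windows); "tmp1.dat" and the PIDs are made up.
FILE_PASSES = [
    (["docs", "rootkit", "windows", "tmp1.dat"], ["Docs", "Windows"]),
    (["docs", "rootkit", "windows"], ["Docs", "Windows"]),
]
# Raw PIDs would come from an offline memory dump, API PIDs from the live system.
PROCESS_PASS = ([4, 612, 1337], [4, 612, 2020])

if __name__ == "__main__":
    print(cross_view_diff("file", *FILE_PASSES[0]))
    print(stable_hidden("file", FILE_PASSES))
    print(cross_view_diff("process", *PROCESS_PASS))
```

Requiring a difference to persist across passes addresses the false positives that arise when files or processes are created between the two snapshots.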
Removal
• There are a lot of tools that can be used for detection and removal of Root-Kits:
• Behavioral Detection
    • PatchFinder
    • VICE
• Signature Scanner
    • Antivirus and Anti-Spyware Applications
• Integrity Checker
    • TripWire
    • Microsoft Strider Troubleshooter
• Difference Scanner
    • Microsoft GhostBuster
    • F-Secure BlackLight
Removal (cont…)
• Apart from the tools mentioned earlier, there are some techniques that can be used:
    • Clean from another kernel.
    • Use technologies that revert to a previous state, if the environment allows.
• Some experts claim, though, that once the machine has been compromised, the best and only true method is a low-level format.