Unit 3a8 - Rootkits


Rootkit payloads may be used for:

- Backdoor access
- Concealing other malware such as keyloggers or viruses
- Turning the machine into a "zombie" computer for DoS attacks
- Enforcing DRM (digital rights management)

How is a rootkit beneficial for a user?

- Uses may be legal or illegal, but they benefit the owner of the computer.
- Some software will lift copy-protection mechanisms.
- Some laptops ship with BIOS-based anti-theft rootkit software installed, which will wipe all information if the laptop is reported stolen.
- The rootkit will send periodic reports to a central system.

What are 3 ways to mitigate Rootkits?

1. Remove with third-party software.
2. Reinstall the OS.
3. Replace the hardware.

Additional Rootkit Info

A rootkit is a form of malware that embeds itself into system files. This enables it to effectively sit between the operating system and the hardware, allowing it to hook system calls so that resources can be redirected as the rootkit demands. This can be compared to a man-in-the-middle attack for system software. Rootkits are hard to both detect and remove because of where they sit within the system. Mitigation techniques include rootkit removal tools. Often these tools require the system to be booted into an alternate operating system, such as Helix or Trinity Rescue Disk.

Well-known rootkit examples:

- Lane Davis and Steven Dake wrote the earliest known rootkit in the early 1990s.
- NTRootkit - one of the first malicious rootkits targeted at the Windows OS.
- HackerDefender - this early Trojan altered/augmented the OS at a very low level of function calls.
- Machiavelli - the first rootkit targeting Mac OS X, which appeared in 2009. This rootkit creates hidden system calls and kernel threads.
- Greek wiretapping - in 2004/05, intruders installed a rootkit that targeted Ericsson's AXE PBX.
- Zeus - first identified in July 2007, a Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing.
- Stuxnet - the first known rootkit for industrial control systems.
- Flame - computer malware discovered in 2012 that attacks computers running the Windows OS. It can record audio, screenshots, keyboard activity and network traffic.

Rootkit

A collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed, and which often masks its own existence or the existence of other software.

Memory dump

A display or printout of all or selected contents of RAM. After a program "abends" (crashes), a memory dump is taken in order to analyze the status of the program. The programmer looks into the memory buffers to see which data items were being worked on at the time of failure. It is also a method used when attempting to identify the presence of certain types of rootkits.

Interrupt

A signal to the processor emitted by hardware or software indicating an event that needs immediate attention.

Cloaking

A technique where the rootkit hides itself or its payload from the user and/or the kernel depending on the type.

Rootkit Mitigations:

Although rootkits are hard to detect, some software companies have developed software to remove rootkits.

- Microsoft has the Windows Malicious Software Removal Tool, which is able to detect and remove some classes of rootkits.
- Third-party tools such as Kaspersky's TDSSKiller will remove rootkits.

Rootkit

A kit of software that gives you root access, super-user rights, or full admin access, with the possibility of being hidden, and which is not easy to uninstall.

- It will give the user full control of a system.
- It is typically used for malicious actions.
- However, it can be used to prevent access to particular files. For example: a long time ago, when CDs were played in computers, what stopped a user from copying or "ripping" a CD to save an illegal copy?
- A music company made a rootkit to prevent this. When inserted into a computer, the CD installed a piece of software which provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying.
- This rootkit was eventually discovered and was found to have exposed the system to many security vulnerabilities.

Hooking

Techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components.

More Rootkit info

ROOTKIT

- Focuses on being undetectable by using processes or programs (or a combination) that can be leveraged for complete access to a network or computer resource.
- Needs to be installed at the administrative level for complete access while remaining undetected, so rootkits start at a general access level and work their way up.
- 5 types: application, library, kernel, virtualized and firmware.
- Rootkit - a software program that has the ability to obtain root-level access and hide certain things from the operating system.
- Malware that has the ability to hide from spyware blockers, anti-virus programs, and system utilities.
- Runs at the root level or with admin access.
- "Root" comes from UNIX (root: the user with the most privileges). A rootkit is a technique that allows malware to hide from computer operating systems and from computer users. Rootkit techniques create stealth programs that run at a "lower" level than the user can see with normal software utilities. Malware attempts to use this method to avoid detection by security software.

PROFESSOR MESSER

- Root - originally a Unix technique; the "root" in rootkit means admin access.
- Modifies core system files (part of the kernel).
- Can be invisible to the OS; you won't see it in Task Manager.
- Hides in the OS (Windows\System: 800 MB, 2,000 files) using similar naming conventions.
- Example: the Sony BMG rootkit.
- MITIGATION: RootkitRevealer, usually built after the rootkit is discovered.

CLARKE pg. 196-197, 731

- Software installed on the system by the hacker that is typically hidden from the admin and gives the hacker privileged access to the system.
- Five major types of rootkits:
  1. APPLICATION-LEVEL - an executable file that gives the hacker access to the system (Trojans).
  2. LIBRARY-LEVEL - not an executable but rather a library of code that can be called by an application; these are DLL files and typically replace a DLL on the system in order to hide themselves.
  3. KERNEL-LEVEL - loaded by the operating system kernel and typically planted on a system by replacing a device driver file on the system.
  4. VIRTUALIZED - loads instead of the OS when a system starts, then loads the real OS in a virtual environment; hard to detect because the OS has no idea it is being hosted and because no application code or DLLs have been replaced in the OS.
  5. FIRMWARE - stored in firmware code on a system or device and hard to detect because it is not present in the OS.

GIBSON pg. 265-266, 275-276, 387

- A group of programs (or in rare instances, a single program) that hides the fact that the system has been infected or compromised by malicious code.
- A user may suspect something is wrong, but antivirus scans and other checks may indicate everything is fine because the rootkit hides its running processes to avoid detection.
- They modify internal OS processes, system files such as the Registry, and system access.
- System-level access to systems, ROOT-LEVEL access or KERNEL-LEVEL access - they have the same access as the OS.
- Rootkits use hooked processes or hooking techniques to intercept calls to the operating system.
- Hooking refers to intercepting system-level function calls, events, or messages; the rootkit installs the hooks into memory and uses them to control the system's behavior.
- Rootkits prevent the antivirus software from making calls to the OS that could detect malware.
- ANTIVIRUS software can usually detect the hooked processes by examining the contents of the system's random access memory.
- Boot into safe mode or have the system scanned before it boots.
- DIFFICULT TO DETECT because they can hide so much of their activity.
- ROOTKITS have system-level or kernel-level access and can modify system files and system access. Rootkits hide their running processes to avoid detection with hooking techniques. Tools that can inspect RAM can discover these hidden hooked processes.
- MITIGATION - checking file integrity: compare hashes of a baseline against the current state.

What are the 3 Rootkit levels?

Rootkits can be installed to affect the application, the operating system (OS), and the hardware.

1. User space - application (easy to write, easy to detect).
2. Kernel space - operating system.
3. Firmware space - hardware (harder to write, harder to detect).

These three layers use the layers above and below them.

Rootkit Detection

Rootkits may be hard to detect because they have root access, so anti-virus and anti-malware software may not detect them.

- The software installed may look like legitimate "root" files and will not stand out as "rogue" files.
- Depending on the level of the rootkit, it can have access beyond the application layer, such as the kernel (OS) and firmware. Detection and removal may then be impossible, so only a reinstallation of the OS will remove the rootkit.
- When firmware rootkits are installed, you may have to replace the hardware itself.

Root

The administrator user in Unix (e.g. GNU/Linux) systems with the highest level of permissions. Also used as a generic term to describe the highest administrative account on Windows.

Firmware

The programming that is burned onto the chips found in embedded devices. It operates at a low level directly with the hardware and provides basic functionality, or it may be used as a pre-load environment to run a more complex environment.

Kernel

A computer program that is the core of a computer's operating system, with complete control over everything in the system. On most systems, it is one of the first programs loaded on start-up (after the bootloader).

