Brent Boe
Vasanthanag Vasili
Rootkit Functionality (Typical)
Maintain access
Destroy evidence
Local attack tools: password cracking, capturing root access, and obtaining access to further machines
Remote attack tools: scanners and autorooters
DoS tools: conduct denial-of-service attacks on remote servers
Installing more than one rootkit on a machine can cause system instability and expose the rootkit.
What the rootkit hides:
The attacker's files
The attacker's processes (e.g. sniffers, password crackers)
The attacker's user account
Unusual environment conditions (e.g. a network card in promiscuous mode)
Specific network connections to and from compromised machines
Necessary Background
User Space
Kernel Space
Types of Rootkits
  Rootkit type                Where it lives
  Binary Rootkits             User Space
  Kernel Rootkits             Kernel Space
  System call Rootkits        Kernel Space
  Library Rootkits            User Space
  Virtual Machine Rootkits    Kernel Space and User Space
  Database Rootkits           User Space
  Runtime Kernel Patches      Kernel Space
Binary Rootkits
Detection by file checksums:
CRC checksums (weak: a CRC is not collision resistant, so an attacker can pad a trojaned binary until its CRC matches the original)
Cryptographic checksums (e.g. SHA-256), which an attacker cannot forge
Store the checksums on separate read-only media (e.g. CD-ROM) so an advanced attacker with root cannot modify the baseline along with the files.
In practice, if a file legitimately changes frequently, this leads to frequent checksum recomputations and false positives.
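The baseline-and-compare check described above, as an added example (not code from the original slides): a baseline of SHA-256 checksums is built over a constructed bin directory, a binary-rootkit install is simulated (a trojaned `ls` of the same size, a dropped sniffer, `netstat` removed), and the comparison reports what changed. The file names and contents are made up; `build_baseline`, `compare` and `demo` are this example's own helpers.

```python
"""Added example: baseline-and-compare integrity check with a cryptographic
checksum (SHA-256). All file names and contents below are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root, '/'-separated)
    to its SHA-256. Symlinks are skipped: a binary swapped for a symlink shows
    up as a removed file instead of being followed to whatever it points at."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Simulate a binary-rootkit install against a constructed bin/ and detect it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        originals = {"ls": b"ELF-original-ls", "ps": b"ELF-original-ps",
                     "netstat": b"ELF-original-netstat"}
        for name, body in originals.items():
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)

        baseline = build_baseline(root)  # in practice: written to read-only media

        # Rootkit: trojaned ls of identical size, a dropped sniffer, netstat removed
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"ELF-trojaned-ls")
        with open(os.path.join(bindir, "sniffer"), "wb") as f:
            f.write(b"ELF-sniffer")
        os.remove(os.path.join(bindir, "netstat"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The trojaned `ls` keeps the original's size, so a size-based check would miss it; only the content hash catches it. On a real host the comparison tool itself and its Python interpreter must also come from trusted media, since a binary rootkit can just as easily replace them.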
Kernel Rootkits
First reported in 1997.
A loadable kernel module (LKM) hooks into the kernel and modifies selected entries in the system call table: it replaces the addresses of the legitimate sys_calls with the addresses of replacement sys_calls supplied by the attacker's LKM.
Because every user-space tool (ls, ps, netstat) reaches the kernel through this table, the hooked calls can filter the attacker's files, processes and connections out of whatever the tools report.
Example: Knark (targets the Linux 2.2 kernel).
Kernel Rootkits: detection
User-space checks cannot be trusted once the kernel lies to them, so detection has to run in kernel space: use an LKM-based integrity monitor such as StMichael, which watches kernel structures like the system call table for modification.
Caveat: runtime kernel patching through /dev/kmem (Cesare) modifies kernel memory without loading a module, so disabling LKM support on its own is not a defence.
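The hooking mechanism of the two slides above and its StMichael-style detection, as an added example (not Knark or StMichael code): a user-space model of a system call table in which an LKM-style hook replaces the `getdents` entry with a filter that hides names with a chosen prefix, and a monitor that snapshots the table at "boot" and later reports any entry whose address no longer matches. The directory listing, the `knark_` prefix and the helper names are constructed; the syscall numbers 5 and 141 are the i386 numbers for open and getdents.

```python
"""Added example: user-space model of LKM-style syscall-table hooking and its
detection. Everything here is constructed; no real kernel is touched."""
from typing import Callable, Dict, List

HIDE_PREFIX = "knark_"  # assumption: the attacker hides names with this prefix

# Constructed on-disk listing the legitimate getdents would return
_DISK_ENTRIES = ["passwd", "shadow", "knark_sniffer", "hosts", "knark_pwcrack"]


def sys_getdents() -> List[str]:
    """Legitimate sys_call: returns every directory entry."""
    return list(_DISK_ENTRIES)


def sys_open(path: str) -> str:
    """Legitimate sys_call (stand-in, untouched by the hook)."""
    return f"fd:{path}"


NR_OPEN, NR_GETDENTS = 5, 141  # i386 syscall numbers for open and getdents
# The table: syscall number -> handler "address" (here, the function object)
sys_call_table: Dict[int, Callable] = {NR_OPEN: sys_open, NR_GETDENTS: sys_getdents}

_saved_by_lkm: Dict[int, Callable] = {}


def install_lkm_hook() -> None:
    """What the attacker's LKM does: save the legitimate address, overwrite the slot."""
    _saved_by_lkm[NR_GETDENTS] = sys_call_table[NR_GETDENTS]

    def hooked_getdents() -> List[str]:
        # Call the real handler, then drop the attacker's entries before returning
        return [e for e in _saved_by_lkm[NR_GETDENTS]() if not e.startswith(HIDE_PREFIX)]

    sys_call_table[NR_GETDENTS] = hooked_getdents


def remove_lkm_hook() -> None:
    """Restore the saved addresses (what the LKM's cleanup would do)."""
    for nr, fn in _saved_by_lkm.items():
        sys_call_table[nr] = fn
    _saved_by_lkm.clear()


def list_dir() -> List[str]:
    """What a user-space 'ls' sees: it can only go through the table."""
    return sys_call_table[NR_GETDENTS]()


# Detection, StMichael-style: snapshot the table early, compare later from kernel space
_boot_snapshot: Dict[int, int] = {}


def snapshot_table() -> None:
    _boot_snapshot.update({nr: id(fn) for nr, fn in sys_call_table.items()})


def hooked_syscalls() -> List[int]:
    """Syscall numbers whose handler address differs from the boot snapshot."""
    return sorted(nr for nr, fn in sys_call_table.items() if id(fn) != _boot_snapshot.get(nr))


def demo():
    snapshot_table()
    before = list_dir()
    install_lkm_hook()
    during = (list_dir(), hooked_syscalls())
    remove_lkm_hook()
    return before, during, hooked_syscalls()


if __name__ == "__main__":
    before, (hidden_view, flagged), after = demo()
    print("clean ls:", before)
    print("hooked ls:", hidden_view, "flagged syscalls:", flagged)
    print("after cleanup, flagged:", after)
```

The snapshot only helps if it is taken before the rootkit loads and kept where the rootkit cannot rewrite it; a monitor that loads after Knark sees the hooked addresses as its baseline. Runtime kernel patching through /dev/kmem changes the same table without an LKM, and this comparison catches that too, since it checks addresses rather than module lists.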
Virtual Machine Rootkits (e.g. SubVirt)
Background: the rootkit installs a virtual machine monitor underneath the existing operating system.
After a reboot the target system is running as a guest: the rootkit can interfere with it, but the guest cannot interfere with the rootkit.
VM Rootkit Detection
Code inside the guest cannot directly observe the layer beneath it, so detection relies on a vantage point outside the virtual machine (e.g. booting from trusted media) or on side effects such as timing and resource discrepancies.
Database Rootkits
A database has counterparts of the operating-system objects a rootkit hides, and a database rootkit manipulates them in the same way:
Users
Processes
Executables
Jobs
Symbolic links
Database Rootkits: detection
Check the database's system objects (the views and procedures that tools and administrators rely on) for changes.
Examine the internal system variables for any changes or new, unrecognized variables.
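The two checks above, as an added example built on SQLite (not code from the slides or from Kornbrust's Oracle work): a constructed base table of users with a data-dictionary-style view over it; a simulated database rootkit adds a backdoor account and redefines the view to filter it out; detection cross-checks the base table against the view and compares hashes of the catalog's view definitions against a baseline. The table, view and user names, and the helper functions, are this example's own.

```python
"""Added example: database-rootkit detection by cross-checking base tables
against dictionary views and by baselining catalog definitions. The schema
and data are constructed; SQLite stands in for a real RDBMS."""
import hashlib
import sqlite3
from typing import Dict, List


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user_base(name TEXT PRIMARY KEY, privilege TEXT);
        INSERT INTO user_base VALUES ('SYS', 'dba'), ('SCOTT', 'normal'), ('HR', 'normal');
        -- the 'dictionary view' that administrators and tools actually query
        CREATE VIEW dba_users AS SELECT name, privilege FROM user_base;
    """)
    return con


def baseline_catalog(con: sqlite3.Connection) -> Dict[str, str]:
    """Hash the definition of every view and trigger in the catalog."""
    rows = con.execute("SELECT name, sql FROM sqlite_master WHERE type IN ('view', 'trigger')")
    return {name: hashlib.sha256(sql.encode()).hexdigest() for name, sql in rows}


def install_db_rootkit(con: sqlite3.Connection) -> None:
    """Simulated rootkit: add a hidden DBA account and make the view lie about it."""
    con.executescript("""
        INSERT INTO user_base VALUES ('BACKDOOR', 'dba');
        DROP VIEW dba_users;
        CREATE VIEW dba_users AS
            SELECT name, privilege FROM user_base WHERE name <> 'BACKDOOR';
    """)


def hidden_users(con: sqlite3.Connection) -> List[str]:
    """Rows in the base table that the dictionary view no longer shows."""
    rows = con.execute("SELECT name FROM user_base EXCEPT SELECT name FROM dba_users")
    return [r[0] for r in rows]


def changed_catalog_objects(con: sqlite3.Connection, baseline: Dict[str, str]) -> List[str]:
    """Views/triggers whose definition differs from, or is missing in, the baseline."""
    now = baseline_catalog(con)
    return sorted(n for n in set(now) | set(baseline) if now.get(n) != baseline.get(n))


def demo():
    con = setup_db()
    baseline = baseline_catalog(con)  # taken while the database is known-good
    clean = (hidden_users(con), changed_catalog_objects(con, baseline))
    install_db_rootkit(con)
    infected = (hidden_users(con), changed_catalog_objects(con, baseline))
    return clean, infected


if __name__ == "__main__":
    clean, infected = demo()
    print("clean: hidden=%s changed=%s" % clean)
    print("infected: hidden=%s changed=%s" % infected)
```

Both checks query the base table directly instead of trusting the view, which is the point: a rootkit that only rewrites the dictionary views is exposed by any query that bypasses them. A rootkit with enough privilege can also alter the base tables or the checking client, so run the comparison from a trusted client against a baseline stored outside the database.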
Behavioral Detection
Conclusion
References
Beck, M. et al. Linux Kernel Programming. 3rd ed. London: Addison Wesley, 2002.
Cesare, Silvio. Runtime Kernel Patching. 03 Mar 2007. <http://www.uebi.net/silvio/runtime-kernel-kmem-patching.txt>
Chuvakin, Anton. An Overview of Unix Rootkits. iDefense Labs, Feb 2003. <www.rootsecure.net/content/downloads/pdf/unix_rootkits_overview.pdf>
Hoglund, Greg and Jamie Butler. Rootkits: Subverting the Windows Kernel. Upper Saddle River, NJ: Addison Wesley Professional, 22 July 2005.
King, Samuel T. et al. SubVirt: Implementing malware with virtual machines. 01 Mar 2007. <www.eecs.umich.edu/virtual/papers/king06.pdf>
Kornbrust, Alexander. Oracle Rootkits 2.0. Black Hat USA 2006, Las Vegas, NV, 02 Aug 2006. <http://www.red-database-security.com/wp/oracle_rootkits_2.0.pdf>