Rootkits Sec4 Draft

From CyberSecurity

Section Four: Responses

Research is being conducted along a number of threads to combat rootkits. Signatures for common rootkits are being added to security packages (references), but this approach is vulnerable both to polymorphic code and to the hiding behaviour that defines rootkits. Other methods catalogue the techniques commonly used by rootkits, such as API hooks. These methods are weak because there is no guarantee that every API a rootkit might hook can be monitored, and because legitimate hooks are hard to distinguish from malicious ones. Newer research pursues generalised detection methods that look for the effects of a rootkit, namely hidden files or processes. These methods compare the results of several ways of querying files or processes: ideally one “infected view”, which contains the “lie”, and one clean view, which contains the “truth” against which comparisons can be made. The truth can be constructed in a variety of ways: from known-good backups, from low-level APIs that are less likely to be intercepted than high-level APIs, or by examining the resources from a known-good operating system, which could be an external machine or a clean boot CD.

Responding to a rootkit threat has two stages: detection and removal. The primary value of a rootkit to an attacker is that it hides its presence from the user, making it difficult to determine whether a computer has been compromised at all. Beyond that, rootkits are often difficult to remove without destabilising a system, since they typically alter important system processes. In some cases, users have been advised to reinstall the operating system rather than attempt to clean a system once it is found to be rootkit-infected.

Virus Scanners

Can traditional virus-scanning software respond to the threat of rootkits? Anti-virus companies continually update the list of virus and malware signatures that their products recognise. The McAfee website lists both the FU rootkit and the Hacker Defender rootkit in its database of threats that its product can handle. The Norton (Symantec) product lists neither of these rootkits, and Symantec acknowledges the difficulty of detecting such products once they are installed. Microsoft’s Malicious Software Removal Tool advertises that it can remove the Hacker Defender family. Other vendors probably represent a mixed bag as to whether their products recognise the signatures of common rootkits.

(Antispyware - http://www.microsoft.com/security/malwareremove/families.mspx )

Although some anti-virus companies are aware of rootkit threats, rootkits are generally not treated as a high priority; they are perhaps logically secondary to the exploits that allow their installation. Additionally, rootkits are more difficult to fight, and so may not presently be an efficient use of anti-virus vendors’ resources.

Indeed, code polymorphism makes it likely that rootkits which anti-virus software cannot detect are widely available. Hacker Defender offers a six-month guarantee that a purchased copy will not be caught by eight common anti-virus products, for 150 Euros. Any purchased copy has its code scrambled relative to the “public” version, which is part of how it evades detection by these packages.

(hacker defender purchase - http://hxdef.czweb.org/antidetection.php )

Rootkit Technique Detectors

Many common rootkits for Windows, such as Hacker Defender, use API hooking to hide files and processes. Software can be designed specifically to detect this behaviour. VICE, a program written by Jamie Butler, the author of the FU rootkit, catalogues API hooks. This technique can reveal rootkits that depend on API hooking, assuming of course that the detector is implemented so that the rootkit does not know it is being watched and cannot change its behaviour at the right moment. It cannot detect rootkits that use other techniques, such as DKOM (direct kernel object manipulation). Seen as a rootkit detection tool, VICE also produces many false positives, since many API hooks are legitimate and the user must distinguish these from malicious hooks.
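As an added illustration of what a hook cataloguer such as VICE has to check (this is not VICE’s code, nor Butler’s), the following Python script decodes two common hook shapes from constructed data: an inline hook, where the first bytes of a function have been overwritten with a jump to the rootkit, and a table hook, where an entry in a dispatch table such as the SSDT or an import table points outside the module that should own it. The function address, module ranges and byte strings are all constructed assumptions; a real detector reads them from the live system and from the clean image on disk. The “avfilter.sys” range is a hypothetical legitimate security driver, included to show why the tool can only report an owner and not a verdict.

```python
"""Added example: recognising inline and table hooks from constructed data.
Not part of VICE; addresses and bytes below are invented for illustration."""
import struct

# Address ranges of loaded modules, as a detector would read them from the
# loaded-module list. Constructed, hypothetical values. 'avfilter.sys' stands
# for a legitimate security driver that also hooks, to show the false-positive
# problem the text describes.
KNOWN_MODULES = {
    "ntoskrnl.exe": (0x80400000, 0x805A0000),
    "avfilter.sys": (0xBA000000, 0xBA020000),
}

def owner_of(address, modules=KNOWN_MODULES):
    """Name of the module whose range contains address, or None."""
    for name, (start, end) in modules.items():
        if start <= address < end:
            return name
    return None

def decode_inline_hook(func_va, in_memory, on_disk=None):
    """Return the transfer target if the prologue at func_va is a control
    transfer, else None.

    in_memory: first bytes of the function as read from the running image.
    on_disk:   the same bytes from the clean file image, if available. When
               memory matches disk the prologue is reported as clean even if
               it starts with a jmp, which is how a detector avoids flagging
               functions that legitimately begin with a jump.
    """
    if on_disk is not None:
        n = min(len(in_memory), len(on_disk))
        if in_memory[:n] == on_disk[:n]:
            return None
    if not in_memory:
        return None
    # E9 rel32 (jmp) / E8 rel32 (call): target = end of the 5-byte instruction + displacement
    if in_memory[0] in (0xE9, 0xE8) and len(in_memory) >= 5:
        disp = struct.unpack_from("<i", in_memory, 1)[0]
        return (func_va + 5 + disp) & 0xFFFFFFFF
    # FF 25 abs32 (jmp dword ptr [abs32]): report the pointer slot the jump reads
    if in_memory[:2] == b"\xff\x25" and len(in_memory) >= 6:
        return struct.unpack_from("<I", in_memory, 2)[0]
    # 68 imm32 C3 (push imm32 ; ret): the push/ret trampoline
    if in_memory[0] == 0x68 and len(in_memory) >= 6 and in_memory[5] == 0xC3:
        return struct.unpack_from("<I", in_memory, 1)[0]
    return None

def check_table(table, expected_owner, modules=KNOWN_MODULES):
    """Return (index, address, owner) for every table entry that does not
    resolve into expected_owner. The owner is reported rather than a verdict:
    an entry pointing into a known security driver still needs human review."""
    return [(i, addr, owner_of(addr, modules))
            for i, addr in enumerate(table)
            if owner_of(addr, modules) != expected_owner]

# --- constructed sample data ---------------------------------------------
FUNC_VA = 0x80500000                       # a kernel export inside ntoskrnl.exe
HOOK_TARGET = 0xF8A00000                   # somewhere no known module is loaded
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"   # mov edi,edi ; push ebp ; mov ebp,esp
HOOKED_PROLOGUE = b"\xe9" + struct.pack("<i", HOOK_TARGET - (FUNC_VA + 5))
SAMPLE_SSDT = [0x80501000, 0x80502000, HOOK_TARGET, 0xBA000100, 0x80503000]

if __name__ == "__main__":
    target = decode_inline_hook(FUNC_VA, HOOKED_PROLOGUE, CLEAN_PROLOGUE)
    print(f"inline hook at {FUNC_VA:#x} -> {target:#x} (owner: {owner_of(target)})")
    for idx, addr, owner in check_table(SAMPLE_SSDT, "ntoskrnl.exe"):
        print(f"SSDT[{idx}] = {addr:#x} owned by {owner}")
```

The disk-versus-memory comparison is what keeps the hook decoder from flagging every function that happens to begin with a jump; the table check deliberately returns the owning module instead of a clean/dirty flag, because whether “avfilter.sys” is allowed to sit in the SSDT is a judgement the analyst, not the tool, has to make.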

{I know there are other API hooking detectors – personally I wouldn’t trust rootkit.com as a source for a rootkit detector} {are there other really common methods, and detectors specifically for those methods?}

Multiple View Comparisons

Seemingly most effective in detecting rootkits is new software designed specifically to detect the behaviour of rootkits: hiding files and processes from higher-level API calls. These generalised solutions rely on the ability to use different methods to construct a “truth” about the state of the system, which is then compared to the “lie” produced by querying the high-level APIs.

One general method for detecting unwanted changes to a system is a “cross-time diff”, which catalogues changes made to a system over time. To use this method effectively, the software must be installed while the system is in a known clean state. From that point forward, the cross-time diff compares the present state to the known clean state and lets the user merge reviewed changes into the known-clean baseline. Tripwire and Strider Troubleshooter are two software implementations of this approach. Its advantage is that it can detect a wide variety of malware; its disadvantage is that many non-malicious changes are made to a system, and the user must distinguish these from real problems. This property means that this type of tool may only be workable for system administrators and very knowledgeable users.
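The following Python script is an added example of the cross-time diff just described, written for this page and not taken from Tripwire or Strider. It records size, permission bits and a SHA-256 per file as the baseline, reports added, removed and modified paths on a later run, and implements the “merge reviewed changes into the baseline” step. It also adds the check a practitioner would want: the baseline is stored with an HMAC under a key assumed to live off the host (the key, the directory tree and the file contents in `demo()` are all constructed), since a rootkit that can alter system files could otherwise quietly alter the baseline as well.

```python
"""Added example: a minimal cross-time diff in the style of Tripwire. Not
Tripwire's or Strider's code; tree, contents and key are constructed."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

def snapshot(root):
    """Record size, permission bits and SHA-256 of every regular file
    under root, keyed by path relative to root."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            state[os.path.relpath(path, root)] = {"size": st.st_size,
                "mode": st.st_mode & 0o7777, "sha256": digest.hexdigest()}
    return state

def diff(baseline, current):
    """Classify every path as added, removed or modified relative to baseline."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def accept(baseline, current, paths):
    """Merge reviewed paths into the baseline (the 'merge changes into the
    known-clean state' step); anything not listed stays flagged next run."""
    merged = dict(baseline)
    for p in paths:
        if p in current:
            merged[p] = current[p]
        else:
            merged.pop(p, None)
    return merged

def save_baseline(state, path, key):
    """Store the baseline with an HMAC: a rootkit that can alter files can
    alter the baseline too unless the key lives off the host (assumption:
    on removable media the operator brings to the scan)."""
    body = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(key, body, "sha256").hexdigest().encode()
    with open(path, "wb") as fh:
        fh.write(mac + b"\n" + body)

def load_baseline(path, key):
    with open(path, "rb") as fh:
        mac, body = fh.read().split(b"\n", 1)
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("baseline MAC mismatch: database was altered")
    return json.loads(body)

def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed end-to-end run in a temporary directory standing in for
    a system directory. Returns the findings so they can be checked."""
    key = b"demo-key-kept-off-host"
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = os.path.join(tmp, "system32")
        os.makedirs(sysdir)
        write(os.path.join(sysdir, "ntoskrnl.exe"), b"clean kernel image")
        write(os.path.join(sysdir, "drivers.cfg"), b"config v1")
        db = os.path.join(tmp, "baseline.db")
        save_baseline(snapshot(sysdir), db, key)
        # Later: a legitimate config edit, a patched kernel and a new driver.
        write(os.path.join(sysdir, "drivers.cfg"), b"config v2")
        write(os.path.join(sysdir, "ntoskrnl.exe"), b"patched kernel image")
        write(os.path.join(sysdir, "rootkit.sys"), b"hidden driver")
        baseline = load_baseline(db, key)
        current = snapshot(sysdir)
        first = diff(baseline, current)
        # The operator reviews the report and accepts only the config change.
        after_accept = diff(accept(baseline, current, ["drivers.cfg"]), current)
        # An attacker who rewrites a record in the database is caught by the MAC.
        with open(db, "rb") as fh:
            tampered = fh.read().replace(b'"size"', b'"Size"', 1)
        write(db, tampered)
        try:
            load_baseline(db, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"first": first, "after_accept": after_accept,
            "tamper_detected": tamper_detected}
```

Run `demo()` to see the two reports: the first lists the new driver and both modified files; after the operator accepts only `drivers.cfg`, the patched kernel and the new driver remain flagged. Note what the tool cannot do: it reports that `drivers.cfg` changed, not whether that change was benign, which is exactly the triage burden the text places on the administrator.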

A method that specifically targets the behaviour of rootkits in hiding files and processes uses different viewpoints at the same point in time. An inside-the-box solution performs two scans, one with a high-level API and a second with a low-level API. If the rootkit works by hooking APIs between these layers, then the low-level scan is the “truth” about the state of the system, and the high-level scan contains the “lie”. The commonly used rootkit detectors F-Secure BlackLight and RootkitRevealer from Sysinternals use this type of technique. Although such an implementation can probably detect a wide variety of rootkits, even the low-level scan could be intercepted by a well-designed rootkit, so an external viewpoint is needed to detect file and process hiding definitively. This is straightforward for fixed resources such as hard disk contents, which can be accessed from a known-good machine for the scan. Alternatively, the machine can be booted from a known-clean OS, such as a CD. Comparing an external scan that does not go through the infected APIs with the internal, infected scan reveals any file-hiding behaviour. Running processes, by contrast, exist only while the infected system is up, so for process hiding the comparison has to be made from inside it.
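The comparison step itself, as an added example that is not the code of BlackLight, RootkitRevealer or Ghostbuster: the Python below takes a low-level (“truth”) view and one or two high-level (“lie”) views of the same objects and reports what the high-level view omits. Taking two high-level snapshots around the low-level one lets the script separate genuinely hidden objects from processes that merely started or exited during the scan window, the main source of false positives in this technique; the offline variant (listing from a boot CD versus listing saved by the infected OS) passes a single high-level snapshot. All PIDs, names, paths and sizes are constructed; the hidden names use the hxdef prefix that Hacker Defender hides by default.

```python
"""Added example: cross-view diff of process and file listings. Not the code
of BlackLight or RootkitRevealer; every snapshot below is constructed."""

def cross_view_diff(low_view, high_before, high_after=None):
    """Compare a low-level ('truth') view against one or two high-level views.

    low_view, high_*: dicts keyed by the identity being compared (PID, path)
    whose values are whatever attributes that view reports.

    Two high-level snapshots bracketing the low-level one separate genuinely
    hidden objects from ones that started or exited during the scan window.
    For an offline comparison (boot-CD listing versus a listing saved from
    inside the infected OS) pass a single high-level snapshot.
    """
    if high_after is None:
        high_after = high_before
    stable_high = set(high_before) & set(high_after)   # seen in both snapshots
    transient = set(high_before) ^ set(high_after)     # seen in only one
    hidden = {k: low_view[k] for k in low_view
              if k not in high_before and k not in high_after}
    # Stable in the high-level view but absent from the low-level one: either
    # the low-level enumeration is also being lied to, or it raced. Report it.
    unexplained = sorted(stable_high - set(low_view))
    return {"hidden": hidden, "transient": sorted(transient),
            "unexplained": unexplained}

# Constructed process snapshots (pid -> image name). The high-level view
# models what a hooked enumeration API returns; PID 1337 is what it filters
# out. PID 4711 exited and PID 5002 started between the two high-level scans.
LOW_PROCS = {4: "System", 600: "services.exe", 1337: "hxdef100.exe",
             4711: "notepad.exe", 2200: "explorer.exe"}
HIGH_PROCS_BEFORE = {4: "System", 600: "services.exe", 4711: "notepad.exe",
                     2200: "explorer.exe"}
HIGH_PROCS_AFTER = {4: "System", 600: "services.exe", 2200: "explorer.exe",
                    5002: "cmd.exe"}

# Constructed file listings (path -> size in KB): one saved from inside the
# infected OS, one of the same disk taken after booting a clean CD.
INSIDE_FILES = {r"C:\WINDOWS\system32\ntoskrnl.exe": 2180,
                r"C:\WINDOWS\system32\drivers\null.sys": 4}
BOOTCD_FILES = {r"C:\WINDOWS\system32\ntoskrnl.exe": 2180,
                r"C:\WINDOWS\system32\drivers\null.sys": 4,
                r"C:\WINDOWS\system32\hxdef100.exe": 70,
                r"C:\WINDOWS\system32\hxdef100.ini": 3}

def demo_processes():
    """Inside-the-box run: low-level scan bracketed by two high-level scans."""
    return cross_view_diff(LOW_PROCS, HIGH_PROCS_BEFORE, HIGH_PROCS_AFTER)

def demo_files():
    """External-viewpoint run: boot-CD listing is the truth, single inside view."""
    return cross_view_diff(BOOTCD_FILES, INSIDE_FILES)

if __name__ == "__main__":
    for label, result in (("processes", demo_processes()), ("files", demo_files())):
        print(label, "hidden:", result["hidden"])
        print(label, "transient:", result["transient"],
              "unexplained:", result["unexplained"])
```

In the process run only PID 1337 is reported as hidden; 4711 and 5002 land in `transient` rather than being mistaken for a rootkit hiding or injecting a process. The `unexplained` bucket is the case the text warns about: an object the high-level view shows but the supposedly truthful low-level view does not, which means the low-level enumeration itself may be compromised and an external viewpoint is needed.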

(Strider Ghostbuster – Microsoft Research - ftp://ftp.research.microsoft.com/pub/tr/TR-2005-25.pdf)

http://www.eweek.com/article2/0,1895,1872253,00.asp Microsoft will bundle its Strider Ghostbuster project technology into its antispyware product, which will itself be bundled with Vista, the next version of the operating system (with the option to use another vendor’s product, to avoid antitrust problems).



  • Signature Detection
    • MS AntiSpyware beta, big security products
    • MS Malicious Software Removal Tool versus Hacker Defender
    • McAfee – FU rootkit and Hacker Defender
    • Symantec – search did not yield HD or FU
    • Sophos – no HD or FU, but a variety of “rootkits”
  • API hooks or method detection
    • VICE
  • Multiple view comparisons
    • F-Secure BlackLight, RootkitRevealer, Strider Ghostbuster
