LKM Rootkits Instructor: Dr. Harold C. Grossman Student: Subhra S. Sarkar


Page 1: LKM Rootkits Instructor: Dr. Harold C. Grossman Student: Subhra S. Sarkar

LKM Rootkits

Instructor: Dr. Harold C. Grossman

Student: Subhra S. Sarkar

Page 2: Agenda

- What are rootkits?
- Brief history
- What are LKM rootkits?
- Malware classification and rootkit's standing
- Rootkit objectives
- LKM rootkit features
- Case study: Phalanx
- Detection mechanisms
- Conclusion

Page 3: What are rootkits?

- Tools to conceal information
- Hide files and processes
- Prevent detection
- Backdoor creation
- Remote injection/execution of scripts
- Stealing of confidential information

Page 4: Brief history

- Ken Thompson's rootkit
- Brain virus
- SunOS rootkit, 1990
- SonyBMG rootkit
- Greek wiretapping
- CarrierIQ rootkit on smartphone and handheld devices

Page 5: What are LKM rootkits?

- Insertion of malicious code into the kernel on the fly
- Enables overriding of kernel system calls
- Enables manipulation of the /dev/kmem device file, allowing the intruder to virtually control the kernel at runtime and monitor every read/write memory operation
- Allows for CPU register hooking
- Facilitates kernel object hooking
- Allows direct kernel object manipulation

Page 6: Malware classification and rootkit's standing

As per the malware classification proposed by Joanna Rutkowska at Black Hat 2006, malware can be classified as below:

- Type 0 malware
- Type 1 malware
- Type 2 malware
- Type 3 malware

Page 7: Rootkit objectives

Based on the analysis by Nick Petroni and J. Hicks of the University of Maryland, College Park, the objectives of each rootkit fall into one or more of the following categories:

- HID
- PE
- REE
- REC
- NEU

Page 8: LKM rootkit features

- File hiding
- Process hiding
- Backdoor creation
- Defense neutralization
- Survival beyond system reboot
- Keystroke logging
- Network layer obfuscation

Page 9: Case study - Phalanx

Phalanx's special features include the following:

- SSH credential stealing
- Manipulating memory operations by hijacking /dev/kmem
- Sophisticated socket, process and file hiding mechanisms
- TTY sniffer, keystroke logging
- Doesn't show up in process listings via ps or ls /proc

Page 10: Detection mechanisms

- Use of signature-based rootkit detection software such as rkhunter, chkrootkit, etc.
- Regularly examining systems where SSH keys are used as part of a passwordless authentication mechanism
- Encouraging users to use keys with passphrases
- Applying regular security patches to the system
- LKM filtering
- HIDS
- LIDS
- State-based control-flow integrity test (SBCFI)
- Detection based on the distribution of system calls (Anderson-Darling)
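A cross-view check of the kind the detection slide points at, aimed at the "doesn't show up in ps or ls /proc" behaviour from the Phalanx case study. This is an added example, not code from the slides or from rkhunter, chkrootkit or any other tool named here; it assumes Linux, where /proc/sys/kernel/pid_max exists and kill(pid, 0) reports whether a PID exists.

```python
"""Cross-view detection of hidden processes (added example; assumes Linux).
A process-hiding LKM rootkit usually filters readdir() on /proc, which is all
ps and ls /proc rely on; probing every PID directly and diffing exposes it."""
import os
PROC = "/proc"

def listed_pids(proc_dir=PROC):
    """The filtered view: PIDs returned by readdir() on /proc."""
    return {int(n) for n in os.listdir(proc_dir) if n.isdigit()}

def read_pid_max(proc_dir=PROC, default=32768):
    """Upper bound of the PID space; falls back to the historical default."""
    try:
        with open(os.path.join(proc_dir, "sys", "kernel", "pid_max")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default

def probed_pids(pid_max):
    """The unfiltered view: PIDs that answer kill(pid, 0). EPERM still means the
    process exists (it belongs to another user); ESRCH means it does not."""
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def is_group_leader(pid, proc_dir=PROC):
    """kill(tid, 0) also succeeds for thread IDs, which never appear in the /proc
    listing; Tgid == Pid marks a real process. None: status unreadable (suspicious)."""
    try:
        with open(os.path.join(proc_dir, str(pid), "status")) as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        return int(fields["Tgid"]) == pid
    except (OSError, KeyError, ValueError):
        return None

def hidden_pids(listed, probed, leader=is_group_leader):
    """Probed but not listed, minus plain threads. Processes that exited between
    the two views are false positives: rerun and keep PIDs reported every time."""
    return sorted(p for p in probed - listed if leader(p) is not False)

if __name__ == "__main__":
    for pid in hidden_pids(listed_pids(), probed_pids(read_pid_max())):
        print(f"possible hidden process: pid {pid}")
```

A rootkit that hooks the system calls behind both views (getdents and kill) defeats this check, which is why the slide pairs it with kernel-side mechanisms such as SBCFI and system-call distribution analysis.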

Page 11: Conclusion

In this presentation, we have provided a general overview of rootkits, LKM rootkits in particular, their objectives, specific features, infection mechanisms/attack methodologies and various detection mechanisms for both user-space and kernel-space rootkits.

Page 13: Questions?

Page 14: Thank You