Raising The Bar For Windows Rootkit Detection Aurthors

Raising The Bar For Windows Rootkit Detection Aurthors: Sherri Sparks, Jamie Butler Publication: Phrack Magazine, 2005 Presenter : Richard Bares

What is a Rootkit n n n Code that tries to hide itself along with other components from detection by other software Can be used by virus detection software to hide from malicious code Can also be used by malicious code to hide from virus detection software

First generation Rootkits n n n Replaced or modified key system files with maliciously enhanced versions Designed to avoid detection or perform other malicious actions Example changing login programs to record password as well as verify them

Second Generation Rootkits n n Moved from changing files on hard disk to memory Altered execution path of application and operating system components instead of changing the targeted files themselves

Third generation Rootkits n n Direct Kernel Object Manipulation Targeted dynamically changing kernel data structure in operating system Prevented detection software from getting a baseline reading Example the FU rootkit

Detection of Rootkits n n n Misuse detection based on Signatures Anomaly Detection based on statistical deviations from normal behavior Integrity Detection based on snapshots of file systems or memory compared to a baseline

Rootkit of the Future n n n Code that does not try to hide by altering it’s code but changes what detection software sees When detection software tries to access memory the rootkit will return a fake view of the memory without itself Does this by gaining control of virtual memory on computer system

Virtual Memory

Keeping Track Of Virtual Memory n n Page Fault handler which allows for swapping of large files Two Translation Lookaside Buffer (TLB) which is used to keep track of frequently used instruction and data

Modified FU Rootkit n n Replaces page fault handler code Modifies Data TLB to redirect data access of rookit data by detection software to wrong location

Taking over the TLB

Conclusion n Could be a valid new form of rootkit on some systems The modified FU rootkit was able to hide from most detection attempts But more tested and modification are needed

Contributions n n Added a new understanding of possible future development in rootkits by attacking system x 86 architecture Ways to detect these attacks by looking at the page fault handler

Weaknesses n n Does not work on 4 MB page block No way to hide the replaced page fault handler Modified rootkit has a performance impact of the installed system Only works on x 86 CPUs