MICHAEL DAVIS
SEAN BODMER
AARON LEMASTERS
Malware & Rootkits Secrets & Solutions
MCGRAW-HILL
New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto
Michael A. Davis is CEO of Savid Technologies, Inc., a national technology
and security consulting firm. Michael is well-known in the open source
security industry due to his porting of security tools to the Windows
platforms, including tools like snort, ngrep, dsniff, and honeyd. As a member
of the Honeynet Project, he works to develop data and network control
mechanisms for Windows-based honeynets. Michael is also the developer of sebek for
Windows, a kernel-based data collection and monitoring tool for honeynets. Michael
previously worked at McAfee, Inc., a leader in antivirus protection and vulnerability
management, as Senior Manager of Global Threats, where he led a team of researchers
investigating confidential and cutting-edge security research. Prior to being at McAfee,
Michael worked at Foundstone.
Sean M. Bodmer is Director of Government Programs at Savid Corporation,
Inc. Sean is an active honeynet researcher, specializing in the analysis of
signatures, patterns, and the behavior of malware and attackers. Most notably,
he has spent several years leading the operations and analysis of advanced
intrusion detection systems (honeynets) where the motives and intent of
attackers and their tools can be captured and analyzed in order to generate actionable
intelligence to further protect customer networks. Over the past decade, Sean has worked in systems
security engineering roles for a range of federal government entities and private corporations
in the Washington D.C. metropolitan area. Sean has lectured across
the United States at industry conferences such as DEFCON, PhreakNIC, DC3, NW3C,
Carnegie Mellon CERT, and the Pentagon Security Forum, covering aspects of attacks
and attacker assessment profiling to help identify the true motivations and intent behind cyber attacks.
Aaron LeMasters (M.S., George Washington University) is a security
researcher specializing in computer forensics, malware analysis, and
vulnerability research. The first five years of his career were spent defending
the undefendable DoD networks, and he is now a senior software engineer at
Raytheon SI. Aaron enjoys sharing his research at both larger security
conferences such as Black Hat and smaller, regional hacker cons like Outerz0ne. He
prefers to pacify his short attention span with advanced research and development issues
related to Windows internals, system integrity, reverse engineering, and malware
analysis. He is an enthusiastic prototypist and enjoys developing tools that complement
his research interests. In his spare time, Aaron plays basketball, sketches, jams on his
Epiphone Les Paul, and travels frequently to New York City with his wife.
About the Contributing Author
Jason Lord is currently Chief Operating Officer of d3 Services, Ltd., a consulting firm
providing cyber security solutions. Jason has been active in the information security
field for the past 14 years, focusing on computer forensics, incident response, enterprise
security, penetration testing, and malicious code analysis. During this time, Jason has
responded to several hundred computer forensics and incident response cases globally.
He is also an active member of the High Technology Crimes Investigation Association
(HTCIA), InfraGard, and the International Systems Security Association (ISSA).
About the Technical Editor
Alexander Eisen is CEO of FormalTechnologies.com, an associate professor with the
University of Advancing Technology, and, as a public servant, an enterprise architect for
a DoD agency. Always an unconventional experimentalist, since 1999 he has played all
sorts of roles—offensive and defensive, tactical and strategic—in the fields of penetration
testing, enterprise incident response, forensics, RE, and security software evaluation—a
career sparked by the award of an NSA-sponsored Information Assurance Fellowship
for multidisciplinary research in Computer Science, Crypto, and Law. He has led over a
dozen major red team and incident response efforts for the DoD and affiliated
organizations, many of which have received widespread media coverage such as
“Pentagon 1500 hacked.” As a core member of the National Cyber Initiative, he has
researched large-scale enterprise incident response and software assurance
methodologies. With certifications from the Defense Language Institute, Defense Cyber
Crime Center Training Academy, (ISC)2, and the Committee on National Security
Systems, he is an active member of InfraGard, AFCEA, IEEE, and various federal
advisory boards. He has spoken internationally on emerging security issues at many
industry conferences such as Black Hat Japan and the Ukraine IT Festival and in closed
venues such as the Pentagon, and has published in trade journals on topics of national
infrastructure protection and IPv6. Through teaching InfoSec curriculum and supporting
UAT’s NSA Center of Academic Excellence, his passion has grown toward leveraging
the talent and resources of academia to explore pioneering socioeconomic technology
topics. He enjoys recruiting and mentoring aspiring youth to jumpstart their careers via
Scholarship for Service programs. By night, his right-brain explores visual arts, extreme
sports, roasting coffee, and engineering binaural Hang drum music. His daily life is now
sustained by the support of his lovely wife Marina.
ACKNOWLEDGMENTS
I would like to thank Jane, our editor, for her diligent commitment to keeping us on track
even though it may have seemed impossible at times. I would also like to acknowledge
the great team of people at Savid Technologies who allowed me to take time off to focus on writing.
—Michael A. Davis
First and foremost, I need to thank my editor, Jane, who gave me so much positive feedback and constructive criticism, as this is my first publication. Without her, I would
not have known which way was up at times. Also, my homie, Tj Egan, for helping kill
mobs on Forgotten Coast (GO ALLIANCE) to relieve the stress when writing got tough.
I also cannot finish without thanks to Zac Culbertson and the Cowboy Café for giving
me a place to come and think while writing this book.
There is no better place in Arlington, Virginia, for a g33k to eat, drink, and think when looking to relax away from the chaos that is Washington DC.
—Sean Bodmer
I would like to extend my gratitude and appreciation to our technical editor, Alex Eisen, without whom I would not be typing this acknowledgement. Thanks Alex (until next
time). I also want to thank my editor and coauthors for making this opportunity a reality
for me and sharing the suffering through countless hours of painful authoring woes. I
would not be where I am today without the guidance of Dr. Ray Vaughn and other
distinguished professors at my undergraduate alma mater, Mississippi State University.
I would be remiss if I did not also mention the wealth of security researchers in the
community—past, present, and future—who have made this industry what it is today
and continue to redefine the boundaries of cyber security due to their passionate work.
—Aaron LeMasters
Introduction
THE INSIDER THREAT NO LONGER COMES
FROM THE “INSIDE”
Every security conference and security study today is focused on getting enterprise
security administrators and home users to understand the threat from the inside. Insider
threats are growing and becoming more malicious. Theft for financial gain, IT sabotage,
and business advantage are the three largest categories of insider attacks. Security experts
say the user is causing the problem and the user is the threat. The experts are technically
correct, but the true threat to an organization is often not the user himself or herself;
it is the role and access that user holds. If a secretary has enough user privileges to
view the Accounting folder on the network file share, then so does the malware that
infected her machine.
Today’s malware is taking over or emulating the insider role by bypassing external
defenses, executing on machines, and running within the insider’s user account, enabling
the malware to attack, control, and access the same resources as the insider. So in Hacking
Exposed Malware & Rootkits, we focus on the capabilities and techniques used by malware
in today’s world. Malware is the insider, and attackers want to maintain control of this
insider role. Here, we focus on the protections that do and do not work in solving the
malware threat and ultimately the insider threat. As the original Hacking Exposed books
emphasize, whether you’re a home user or part of the security team for a Global 100
company, you must be vigilant. Keep a watchful eye on malware and you’ll be rewarded—
personally and professionally. Do not let your machine become another zombie in the
endless malware army.
ABOUT THE WEBSITE
Since malware and rootkits are being released all the time, you can find the latest tools
and techniques on the Hacking Exposed Malware & Rootkits website at
http://www.malwarehackingexposed.com. The website contains the code snippets and tools
mentioned in the book as well as some never-before-released tools discussed in the
Appendix. We'll also keep a copy of all the tools mentioned in the book so you can
download them even after the maintainer has stopped working on the tool.
Hacking Exposed™ Malware & Rootkits Reviews
“Accessible but not dumbed-down, this latest addition to the Hacking Exposed
series is a stellar example of why this series remains one of the best-selling security
franchises out there. System administrators and Average Joe computer users alike
need to come to grips with the sophistication and stealth of modern malware, and
this book calmly and clearly explains the threat.”
—Brian Krebs,
Reporter for The Washington Post and author of the Security Fix Blog
“A harrowing guide to where the bad guys hide, and how you can find them.”
—Dan Kaminsky,
Director of Penetration Testing, IOActive, Inc.
“The authors tackle malware, a deep and diverse issue in computer security,
with common terms and relevant examples. Malware is a cold deadly tool in
hacking; the authors address it openly, showing its capabilities with direct technical
insight. The result is a good read that moves quickly, filling in the gaps even for the
knowledgeable reader.”
—Christopher Jordan,
VP, Threat Intelligence, McAfee; Principal Investigator to DHS Botnet Research
“Remember the end-of-semester review sessions where the instructor would go
over everything from the whole term in just enough detail so you would
understand all the key points, but also leave you with enough references to dig
deeper where you wanted? Hacking Exposed Malware & Rootkits resembles this! A
top-notch reference for novices and security professionals alike, this book provides
just enough detail to explain the topics being presented, but not too much to
dissuade those new to security.”
—LTC Ron Dodge,
U.S. Army
“Hacking Exposed Malware & Rootkits provides unique insights into the
techniques behind malware and rootkits. If you are responsible for security, you
must read this book!”
—Matt Conover,
Senior Principal Software Engineer, Symantec Research Labs
Product details

| Item | Value |
|---|---|
| Price | |
| File Size | 10,668 KB |
| Pages | 401 p |
| File Type | PDF format |
| ISBN | 978-0-07-159119-5 |
| Copyright | 2010 by The McGraw-Hill |
Table of Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Part I Malware
Case Study: Please Review This Before Our Quarterly Meeting . . . . . . . . . . 2
▼ 1 Method of Infection
This Security Stuff Might Actually Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Decrease in Operating System Vulnerabilities . . . . . . . . . . . . . . . . . . . 9
Perimeter Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Why They Want Your Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Intent Is Hard to Detect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
It’s a Business . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Significant Malware Propagation Techniques . . . . . . . . . . . . . . . . . . . . . . . . . 14
Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
File Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Modern Malware Propagation Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
StormWorm (Malware Sample: trojan.peacomm) . . . . . . . . . . . . . . . . 22
Metamorphism (Malware Sample: W32.Evol, W32.Simile) . . . . . . . . 24
Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Dynamic Domain Name Services (Malware Sample: W32.Reatle.E@mm) . . . . . . . . . . . 29
Fast Flux (Malware Sample: trojan.peacomm) . . . . . . . . . . . . . . . . . . . 29
Malware Propagation Injection Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Malicious Websites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Peer-To-Peer (P2P) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Samples from the Companion Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
▼ 2 Malware Functionality
What Malware Does Once It’s Installed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Pop-Ups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Search Engine Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Data Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Click Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Keylogging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Malware Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Identifying Installed Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Typical Install Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Installing on Local Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Modifying Timestamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Affecting Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Disabling Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Modifying the Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Part II Rootkits
Case Study: The Invisible Rootkit That Steals Your Bank Account Data . . . 82
Disk Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Firewall Bypassing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Backdoor Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Intent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
▼ 3 User-Mode Rootkits
Maintain Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Network-Based Backdoors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Stealth: Conceal Existence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Types of Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
User-Mode Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
What Are User-Mode Rootkits? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Background Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Injection Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Hooking Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
User-Mode Rootkit Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
▼ 4 Kernel-Mode Rootkits
Ground Level: x86 Architecture Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Instruction Set Architectures and the Operating System . . . . . . . . . . 121
Protection Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Bridging the Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Kernel Mode: The Digital Wild West . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
The Target: Windows Kernel Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
The Win32 Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
What Are These APIs Anyway? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
The Concierge: NTDLL.DLL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Functionality by Committee: The Windows Executive (NTOSKRNL.EXE) . . . . . . . . . . . 127
The Windows Kernel (NTOSKRNL.EXE) . . . . . . . . . . . . . . . . . . . . . . . 127
Device Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
The Windows Hardware Abstraction Layer (HAL) . . . . . . . . . . . . . . 128
Kernel Driver Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Kernel-Mode Driver Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Gross Anatomy: A Skeleton Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
WDF, KMDF, and UMDF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Kernel-Mode Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
What Are Kernel-Mode Rootkits? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Challenges Faced by Kernel-Mode Rootkits . . . . . . . . . . . . . . . . . . . . 134
Getting Loaded . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Gaining Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Communicating with User Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Remaining Stealthy and Persistent . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Methods and Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Kernel-Mode Rootkit Samples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Klog by Clandestiny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
AFX by Aphex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
FU and FUTo by Jamie Butler, Peter Silberman, and C.H.A.O.S . . . . 162
Shadow Walker by Sherri Sparks and Jamie Butler . . . . . . . . . . . . . . 164
He4Hook by He4 Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Sebek by The Honeynet Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Summary of Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
▼ 5 Virtual Rootkits
Overview of Virtual Machine Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Types of Virtual Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
The Hypervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Virtualization Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Virtual Memory Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Virtual Machine Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Virtual Machine Rootkit Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Rootkits in the Matrix: How Did We Get Here?! . . . . . . . . . . . . . . . . . 179
What Is a Virtual Rootkit? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Types of Virtual Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Detecting the Virtual Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Escaping the Virtual Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Hijacking the Hypervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Virtual Rootkit Samples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
▼ 6 The Future of Rootkits: If You Think It’s Bad Now
Increases in Complexity and Stealth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Custom Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Part III Prevention Technologies
Case Study: A Wolf in Sheep’s Clothing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Rogue Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Great Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
They Work! Sometimes… . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
▼ 7 Antivirus
Now and Then: The Evolution of Antivirus Technology . . . . . . . . . . . . . . . . 216
The Virus Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Definition of a Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Simple Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Complex Viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Antivirus—Core Features and Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Manual or “On-Demand” Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Real-Time or “On-Access” Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Signature-Based Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Anomaly/Heuristic-Based Detection . . . . . . . . . . . . . . . . . . . . . . . . . . 227
A Critical Look at the Role of Antivirus Technology . . . . . . . . . . . . . . . . . . . 228
Where Antivirus Excels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Top Performers in the Antivirus Industry . . . . . . . . . . . . . . . . . . . . . . 229
Challenges for Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Antivirus Exposed: Is Your Antivirus Product a Rootkit? . . . . . . . . . . . . . . . 238
Patching System Services at Runtime . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Hiding Threads from User Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
A Bug? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
The Future of the Antivirus Industry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Fighting for Survival . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Death of an Industry? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Possible Antivirus Replacement Technologies . . . . . . . . . . . . . . . . . . . 245
Summary and Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
▼ 8 Host Protection Systems
Personal Firewall Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
McAfee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Symantec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Personal Firewall Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Pop-Up Blockers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Opera . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Safari . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Chrome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Example Generic Pop-Up Blocker Code . . . . . . . . . . . . . . . . . . . . . . . . 261
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
▼ 9 Host-Based Intrusion Prevention
HIPS Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Growing Past Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Behavioral vs. Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Behavioral Based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Signature Based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Anti-Detection Evasion Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
How Do You Detect Intent? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
HIPS and the Future of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
▼ 10 Rootkit Detection
The Rootkit Author’s Paradox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
A Quick History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Details on Detection Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
System Service Descriptor Table Hooking . . . . . . . . . . . . . . . . . . . . . . 288
IRP Hooking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Inline Hooking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Interrupt Descriptor Table Hooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Direct Kernel Object Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
IAT Hooking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Windows Anti-Rootkit Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Software-Based Rootkit Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Live Detection vs. Offline Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
System Virginity Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
IceSword and DarkSpy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
RootkitRevealer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
F-Secure’s Blacklight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Rootkit Unhooker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
GMER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Helios and Helios Lite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
McAfee Rootkit Detective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Commercial Rootkit Detection Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Offline Detection Using Memory Analysis: The Evolution of Memory Forensics . . . . . . . 307
Virtual Rootkit Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Hardware-Based Rootkit Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
▼ 11 General Security Practices
End-User Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Security Awareness Training Programs . . . . . . . . . . . . . . . . . . . . . . . . 320
Defense in Depth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
System Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Virtualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Baked-In Security (from the Beginning) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
▼ Appendix System Integrity Analysis: Building Your Own Rootkit Detector
What Is System Integrity Analysis? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
The Two Ps of Integrity Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Pointer Validation: Detecting SSDT Hooks . . . . . . . . . . . . . . . . . . . . . 335
Patch/Detour Detection in the SSDT . . . . . . . . . . . . . . . . . . . . . . . . . . 340
The Two Ps for Detecting IRP Hooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
The Two Ps for Detecting IAT Hooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Our Third Technique: Detecting DKOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Sample Rootkit Detection Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
▼ Index . . . . . . . . . . . . . . . . . . . . . . 367