Multi-Aspect Profiling of Kernel Rootkit Behavior, Ryan Riley (PowerPoint PPT Presentation)



  1. Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nürnberg, Germany

  2. Rootkits
  • Stealthy malware
  • Hide attacker
  • Modifying the OS kernel in memory
  • Injecting new code
  • Threat model:
    – “Root” privileges
    – Full memory access

  3. In the news…

  4. Rootkit techniques

  5. Rootkit techniques
  adore-ng
  • Linux 2.4/2.6
  • Kernel module
  • Adds “custom” functions

  6. Rootkit techniques
  adore-ng
  • Linux 2.4/2.6
  • Kernel module
  • Adds “custom” functions
  hp
  • Linux 2.4
  • Kernel module
  • Modifies kernel objects

  7. Profiling a rootkit?
  • Quickly reveal behavior
  • Tool for malware investigators
  • Honeypot environment
  • This is hard, rootkits are highly privileged!

  8. Profiling: Determining behavior
     1. What code does it run?
     2. What kernel objects does it modify?
     3. How does it modify control flow?
     4. What system calls are affected at user-level?

  9. PoKeR: Architecture (diagram: a Virtual Machine running User-level Applications on a Guest Kernel, above the Virtual Machine Monitor; PoKeR components: Right-Before Detection, Logging and Context Tracking, and Kernel Object Interpretation, which takes Kernel Symbols & Kernel Object Types as input and produces a Log and a Profile)

  10. PoKeR: Architecture (same diagram, highlighting Right-Before Detection and Logging and Context Tracking)

  11–19. “Right before” detection? (animated diagram, same layout in every frame: a VM with Applications and a Guest OS above a VMM whose NICKLE Module keeps a Standard and a Shadow memory; the frames show a Memory Access from the guest arriving at the NICKLE Module, a Guest Kernel Instruction Fetch going to the Shadow copy, an Other Memory Access going to the Standard copy, and finally a Compare of the Standard and Shadow copies on a memory access)

  20. What code does it run?
  • Compare standard and shadow memories
    – Extract code as you go
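A toy model of the shadow-memory check the preceding slides describe, added here as an illustration (it is not NICKLE or PoKeR code; the class name, byte layout and addresses are constructed): ordinary accesses reach only the standard memory, kernel instruction fetches are compared against the shadow copy, and bytes that differ are recorded as unauthenticated code right before they would run.

```python
class ShadowMemoryVMM:
    """Standard memory receives every guest access; the shadow copy holds only
    kernel code that was authenticated when loaded and is never written by the
    guest.  A kernel instruction fetch whose standard bytes differ from the
    shadow bytes is unauthenticated (rootkit) code, caught right before it
    would execute.  Constructed model, not NICKLE's implementation."""

    def __init__(self, authenticated_code: bytes):
        self.standard = bytearray(authenticated_code)
        self.shadow = bytes(authenticated_code)
        self.extracted = {}   # start address -> bytearray of rootkit code
        self._last = None     # start of the region most recently extended

    def access(self, addr: int, data: bytes) -> None:
        """Other memory access (a write from guest code): standard copy only."""
        self.standard[addr:addr + len(data)] = data

    def kernel_fetch(self, addr: int, length: int):
        """Guest kernel instruction fetch: compare standard and shadow at addr.
        Returns the shadow bytes when they match; otherwise records the
        differing bytes ('extract code as you go') and returns None."""
        std = bytes(self.standard[addr:addr + length])
        if std == self.shadow[addr:addr + length]:
            return std
        # Adjacent fetches of injected code are merged into one region.
        if self._last is not None and self._last + len(self.extracted[self._last]) == addr:
            self.extracted[self._last].extend(std)
        else:
            self.extracted[addr] = bytearray(std)
            self._last = addr
        return None

    def regions(self) -> dict:
        return {a: bytes(b) for a, b in self.extracted.items()}


def demo():
    # Constructed kernel text: 32 bytes of NOP (0x90) authenticated at load.
    vmm = ShadowMemoryVMM(b"\x90" * 32)
    # A rootkit overwrites 8 bytes of kernel memory with its own code (0xcc).
    vmm.access(16, b"\xcc" * 8)
    legit = vmm.kernel_fetch(0, 4)      # matches shadow: served normally
    first = vmm.kernel_fetch(16, 4)     # differs: detected and extracted
    second = vmm.kernel_fetch(20, 4)    # continuation: merged into the region
    return legit, first, second, vmm.regions()
```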

  21. PoKeR: Architecture (same diagram as slide 9)

  22. PoKeR: Architecture (same diagram, highlighting Kernel Symbols & Kernel Object Types, Kernel Object Interpretation, the Log, and Logging and Context Tracking)

  23. Logging and context tracking
  • Logging rootkit code…
    – Execution
    – Reads
    – Writes

  24. What kernel objects does it modify?
  • We have memory writes from rootkit code
  • Use static analysis to build a map
    – Kernel with debug symbols

  25. What about dynamic allocation?
  • Some objects are allocated dynamically

  26. What about dynamic allocation?
  • Some objects are allocated dynamically
  (diagram: init_task is a static object; the task_structs it links to are dynamic)
  Address      Object        pid   next_task
  0xc0300000   task_struct   0     0xc11a0000   (init_task, static)
  0xc11a0000   task_struct   1     0xc11b0000   (dynamic)
  0xc11b0000   task_struct   2     0xc11c0000   (dynamic)
  …

  27. Simple observation #1 (diagram only: Static Objects and Dynamic Objects)

  28. Simple observation #1 (same diagram)

  29. Simple observation #2
  • The rootkit is just as ignorant as we are
  • It will find dynamic objects by starting at static ones

  30. “Combat tracking”
  • Track rootkit reads
  • Build a map of dynamic memory
  • Reverse VMI

  31–42. Combat tracking example (animated diagram: the task list from slide 26, with the field the rootkit reads highlighted in each frame)
  Static object: init_task at 0xc0300000, task_struct, pid 0, next_task = 0xc11a0000
  Dynamic objects: 0xc11a0000, task_struct, pid 1, next_task = 0xc11b0000; 0xc11b0000, task_struct, pid 2, next_task = 0xc11c0000; …
  Memory Map Output, growing as the rootkit follows each next_task pointer:
  0xc0300000 – task_struct
  0xc11a0000 – task_struct
  0xc11b0000 – task_struct
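Combat tracking as slides 29–42 describe it, added here as an illustration (not the PoKeR implementation): starting from the static init_task symbol, each rootkit read of a pointer field in an already-typed object types the object it points to, and the same map then interprets a write address as object.field. The two-field task_struct layout, the symbol table, the guest memory and the read trace are all constructed; the addresses are the ones on the slides.

```python
# Added illustration with constructed layouts, symbols and memory; not PoKeR code.
# Layout static analysis of a debug kernel would yield (constructed, two fields):
# field offset -> (name, pointed-to type or None).
LAYOUTS = {"task_struct": {"size": 8, "fields": {0: ("pid", None),
                                                  4: ("next_task", "task_struct")}}}
# Static objects known from kernel symbols (init_task address from the slides).
STATIC_SYMBOLS = {0xc0300000: ("init_task", "task_struct")}
# Constructed guest memory as 32-bit words: the task list from the slides.
GUEST_MEM = {0xc0300000: 0, 0xc0300004: 0xc11a0000,   # init_task, pid 0
             0xc11a0000: 1, 0xc11a0004: 0xc11b0000,   # dynamic, pid 1
             0xc11b0000: 2, 0xc11b0004: 0xc11c0000}   # dynamic, pid 2

class CombatTracker:
    def __init__(self):
        self.memory_map = {a: ty for a, (_, ty) in STATIC_SYMBOLS.items()}
        self.unknown = []   # reads that hit no object we can type yet

    def field_at(self, addr):
        """(base, type, field) of the known object containing addr, or None."""
        for base, ty in self.memory_map.items():
            if base <= addr < base + LAYOUTS[ty]["size"]:
                field = LAYOUTS[ty]["fields"].get(addr - base)
                return (base, ty, field) if field else None
        return None

    def on_read(self, addr, value):
        """Rootkit read of one word; a pointer field types its target (reverse VMI)."""
        hit = self.field_at(addr)
        if hit is None:
            self.unknown.append(addr)
            return
        target = hit[2][1]
        if target is not None and value not in self.memory_map:
            self.memory_map[value] = target

    def describe(self, addr):
        """Interpret an address, e.g. a rootkit write target, as object.field."""
        hit = self.field_at(addr)
        if hit is None:
            return "unknown"
        base, ty, field = hit
        name = STATIC_SYMBOLS.get(base, (f"{ty}@{base:#x}",))[0]
        return f"{name}.{field[0]}"

def replay(reads):
    # Replay a logged sequence of rootkit read addresses (constructed trace).
    tracker = CombatTracker()
    for addr in reads:
        tracker.on_read(addr, GUEST_MEM.get(addr, 0))
    return tracker
```

Reads that land outside every object typed so far end up in `unknown`, which is the case the map cannot help with until a later pointer read reaches that region.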
