Multi-Aspect Profiling of Kernel Rootkit Behavior
Ryan Riley, Xuxian Jiang, Dongyan Xu
Purdue University, North Carolina State University
EuroSys 2009, Nürnberg, Germany
Rootkits
• Stealthy malware
• Hide attacker
• Modifying the OS kernel in memory
• Injecting new code
• Threat model:
  – “Root” privileges
  – Full memory access

In the news…
Rootkit techniques
adore-ng
• Linux 2.4/2.6
• Kernel module
• Adds “custom” functions
hp
• Linux 2.4
• Kernel module
• Modifies kernel objects
Profiling a rootkit?
• Quickly reveal behavior
• Tool for malware investigators
• Honeypot environment
• This is hard, rootkits are highly privileged!

Profiling: Determining behavior
1. What code does it run?
2. What kernel objects does it modify?
3. How does it modify control flow?
4. What system calls are affected at user-level?
PoKeR: Architecture (figure)
Virtual Machine: User-level Applications, Guest Kernel
Virtual Machine Monitor: Right-Before Detection; Logging and Context Tracking; Kernel Object Interpretation (input: Kernel Symbols & Kernel Object Types)
Outputs: Log, Profile
This part: Right-Before Detection, Logging and Context Tracking
“Right before” detection? (figure, built up over several slides)
VM: Applications, Guest OS
VMM: NICKLE module holding two copies of kernel memory, Standard and Shadow
Every memory access from the VM passes through the NICKLE module:
– Guest kernel instruction fetch → Shadow
– Other memory access → Standard
– The two copies are compared on the access
What code does it run?
• Compare standard and shadow memories
  – Extract code as you go
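Toy model of the standard/shadow comparison on the slides, added here as an example; it is not NICKLE's or PoKeR's code. Kernel memory is kept twice: a standard copy that all ordinary reads and writes hit, and a shadow copy that only holds kernel text authenticated at boot and only serves kernel instruction fetches. A kernel-mode fetch whose shadow and standard bytes differ is code the kernel never authenticated, so the differing standard-memory bytes are extracted as the rootkit's code as they are fetched. The address space size, addresses, byte patterns and the byte-granular (rather than page-granular) comparison are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE    0x100u      /* constructed toy guest kernel address space */
#define KTEXT_BASE  0x10u       /* where the authenticated kernel text lives */
#define KTEXT_LEN   0x20u

static uint8_t standard_mem[MEM_SIZE];
static uint8_t shadow_mem[MEM_SIZE];

/* Boot-time authentication: the trusted kernel text is copied into the shadow.
 * Everything outside it stays zero in the shadow, i.e. "no authenticated code". */
static void authenticate_kernel_text(const uint8_t *text, size_t len) {
    memset(standard_mem, 0, sizeof standard_mem);
    memset(shadow_mem, 0, sizeof shadow_mem);
    if (len > KTEXT_LEN) len = KTEXT_LEN;
    memcpy(standard_mem + KTEXT_BASE, text, len);
    memcpy(shadow_mem + KTEXT_BASE, text, len);
}

/* "Other memory access": data reads and writes, including the writes a rootkit
 * uses to load its code or patch existing code, only ever touch standard memory. */
static void mem_write(uint32_t addr, const uint8_t *src, size_t len) {
    if (addr < MEM_SIZE && len <= MEM_SIZE - addr) memcpy(standard_mem + addr, src, len);
}

/* Bytes flagged as rootkit code, recorded as they are fetched. */
#define MAX_EXTRACT 64
struct extracted { uint32_t addr[MAX_EXTRACT]; uint8_t byte[MAX_EXTRACT]; size_t n; };

/* Guest kernel instruction fetch: served from the shadow and compared with the
 * standard copy. Returns 1 (and extracts the standard byte) when they differ,
 * 0 when the fetch is of authenticated kernel code. */
static int kernel_fetch(uint32_t addr, uint8_t *insn, struct extracted *out) {
    if (addr >= MEM_SIZE) return 0;
    uint8_t s = shadow_mem[addr], d = standard_mem[addr];
    *insn = s;                                  /* the CPU executes the shadow copy */
    if (s == d) return 0;
    if (out && out->n < MAX_EXTRACT) {          /* "extract code as you go" */
        out->addr[out->n] = addr;
        out->byte[out->n] = d;
        out->n++;
    }
    return 1;
}

/* Scenario: a rootkit writes a module body into free kernel memory and patches
 * the first byte of a kernel function. Returns how many fetched bytes were
 * flagged and extracted as rootkit code. */
static size_t run_scenario(void) {
    /* constructed x86 bytes: push ebp; mov ebp,esp; pop ebp; ret; rest zero */
    static const uint8_t ktext[KTEXT_LEN] = { 0x55, 0x89, 0xe5, 0x5d, 0xc3 };
    static const uint8_t rk_code[] = { 0x90, 0x90, 0xcc };   /* constructed module bytes */
    static const uint8_t hook = 0xe9;                        /* constructed patch byte */
    struct extracted ex;
    uint8_t insn;
    ex.n = 0;

    authenticate_kernel_text(ktext, sizeof ktext);

    /* Rootkit activity: plain writes, so they land in standard memory only. */
    mem_write(0x80, rk_code, sizeof rk_code);     /* new code in unused kernel space */
    mem_write(KTEXT_BASE, &hook, 1);              /* patches a kernel function entry */

    /* Unmodified kernel text still matches in both copies: nothing is flagged. */
    for (uint32_t a = KTEXT_BASE + 1; a < KTEXT_BASE + 5; a++)
        kernel_fetch(a, &insn, &ex);

    /* The first fetch of the patched byte and of the module body is flagged. */
    kernel_fetch(KTEXT_BASE, &insn, &ex);
    for (uint32_t a = 0x80; a < 0x80 + sizeof rk_code; a++)
        kernel_fetch(a, &insn, &ex);

    for (size_t i = 0; i < ex.n; i++)
        printf("rootkit code byte 0x%02x fetched at 0x%02x\n", ex.byte[i], (unsigned)ex.addr[i]);
    return ex.n;
}

int main(void) {
    printf("flagged bytes: %zu\n", run_scenario());
    return 0;
}
```

The detection fires at the first instruction fetch of unauthenticated code, which is the "right before" moment PoKeR uses to start logging: the patch and the module body sit in memory long before that, but a data write on its own is never enough to trigger.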
PoKeR: Architecture (figure repeated)
This part: Logging and Context Tracking, and Kernel Object Interpretation, which takes Kernel Symbols & Kernel Object Types as input and produces the Log
Logging and context tracking
• Logging rootkit code…
  – Execution
  – Reads
  – Writes

What kernel objects does it modify?
• We have memory writes from rootkit code
• Use static analysis to build a map
  – Kernel with debug symbols
What about dynamic allocation?
• Some objects are allocated dynamically
(figure: a chain of task_struct objects linked by next_task)
  address     kind     pid  next_task
  0xc0300000  static   0    0xc11a0000   (init_task)
  0xc11a0000  dynamic  1    0xc11b0000
  0xc11b0000  dynamic  2    0xc11c0000
Simple observation #1 (figure: static objects and dynamic objects)
Simple observation #2
• The rootkit is just as ignorant as we are
• It will find dynamic objects by starting at static ones

“Combat tracking”
• Track rootkit reads
• Build a map of dynamic memory
• Reverse VMI
Combat tracking example (figure, built up over several slides)
Objects: init_task (static, 0xc0300000, pid 0) → task_struct at 0xc11a0000 (pid 1) → task_struct at 0xc11b0000 (pid 2) → 0xc11c0000, linked through next_task
Memory map output, grown as the rootkit reads its way down the list:
0xc0300000 – task_struct   (init_task, known from kernel symbols)
0xc11a0000 – task_struct   (added when the rootkit reads init_task.next_task)
0xc11b0000 – task_struct   (added when the rootkit reads next_task of the object at 0xc11a0000)
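The list walk on the slides, written out as an added example of combat tracking; this is not PoKeR's code. Starting from the one object the kernel symbols give us (init_task), every rootkit read of a word that lies in a known object at a pointer-typed offset reveals the base address and type of another object, which is added to the map. The map is then what lets a later rootkit write be labelled as "task_struct + offset" rather than just an address. The two-field task_struct layout (pid at +0, next_task at +4), the sparse guest memory, and the addresses are constructed to match the slides; a real kernel's type information would come from the debug symbols.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint32_t gaddr_t;                    /* 32-bit guest virtual address */

enum obj_type { T_UNKNOWN = 0, T_TASK_STRUCT };

/* Assumed toy task_struct: pid at +0, next_task at +4, 8 bytes total. */
#define TS_PID_OFF   0u
#define TS_NEXT_OFF  4u
#define TS_SIZE      8u

/* Type information, standing in for what the debug symbols provide:
 * object size, and which offsets hold a pointer to which type. */
struct ptr_field { uint32_t offset; enum obj_type target; };

static uint32_t type_size(enum obj_type t) {
    return t == T_TASK_STRUCT ? TS_SIZE : 0;
}

/* Pointee type if (t, offset) is a pointer field, else T_UNKNOWN. */
static enum obj_type pointee_type(enum obj_type t, uint32_t offset) {
    static const struct ptr_field task_ptrs[] = { { TS_NEXT_OFF, T_TASK_STRUCT } };
    if (t == T_TASK_STRUCT)
        for (size_t i = 0; i < sizeof task_ptrs / sizeof task_ptrs[0]; i++)
            if (task_ptrs[i].offset == offset) return task_ptrs[i].target;
    return T_UNKNOWN;
}

/* Constructed guest memory: a sparse set of 32-bit words matching the slides. */
struct word { gaddr_t addr; uint32_t val; };
static const struct word guest_mem[] = {
    { 0xc0300000u, 0 }, { 0xc0300004u, 0xc11a0000u },   /* init_task: pid 0 */
    { 0xc11a0000u, 1 }, { 0xc11a0004u, 0xc11b0000u },   /* pid 1 */
    { 0xc11b0000u, 2 }, { 0xc11b0004u, 0xc11c0000u },   /* pid 2 */
};

static int guest_read32(gaddr_t addr, uint32_t *out) {
    for (size_t i = 0; i < sizeof guest_mem / sizeof guest_mem[0]; i++)
        if (guest_mem[i].addr == addr) { *out = guest_mem[i].val; return 1; }
    return 0;                                /* not populated in the toy memory */
}

/* The memory map being built: object base address -> inferred type. */
#define MAX_OBJS 16
struct mem_map {
    struct { gaddr_t base; enum obj_type type; } obj[MAX_OBJS];
    int n;
};

static int map_add(struct mem_map *m, gaddr_t base, enum obj_type t) {
    for (int i = 0; i < m->n; i++)
        if (m->obj[i].base == base) return 0;   /* already known */
    if (m->n == MAX_OBJS) return 0;
    m->obj[m->n].base = base;
    m->obj[m->n].type = t;
    m->n++;
    return 1;
}

/* Find the known object containing addr; reports its base and the field offset. */
static enum obj_type map_resolve(const struct mem_map *m, gaddr_t addr,
                                 gaddr_t *base, uint32_t *offset) {
    for (int i = 0; i < m->n; i++) {
        gaddr_t b = m->obj[i].base;
        if (addr >= b && addr < b + type_size(m->obj[i].type)) {
            if (base) *base = b;
            if (offset) *offset = addr - b;
            return m->obj[i].type;
        }
    }
    return T_UNKNOWN;
}

/* Combat tracking step: the rootkit read a word at addr. If that word is a
 * pointer field of a known object, the value it fetched is the base of an
 * object of the pointee type. Returns 1 if a new object was added to the map. */
static int track_read(struct mem_map *m, gaddr_t addr) {
    uint32_t offset = 0, val = 0;
    enum obj_type t = map_resolve(m, addr, NULL, &offset);
    if (t == T_UNKNOWN) return 0;               /* read of memory we cannot type */
    enum obj_type target = pointee_type(t, offset);
    if (target == T_UNKNOWN) return 0;          /* e.g. the pid field */
    if (!guest_read32(addr, &val) || val == 0) return 0;
    return map_add(m, (gaddr_t)val, target);
}

/* Replays the slide example: seed the map from the static symbol init_task,
 * feed the reads a list-walking rootkit issues, then label one of its writes.
 * Returns the number of objects in the resulting map. */
static int run_example(void) {
    struct mem_map m;
    m.n = 0;
    map_add(&m, 0xc0300000u, T_TASK_STRUCT);    /* init_task, from kernel symbols */

    const gaddr_t reads[] = {
        0xc0300004u,   /* init_task.next_task: discovers 0xc11a0000 */
        0xc11a0000u,   /* pid of the first dynamic task_struct: no new object */
        0xc11c0000u,   /* nothing known points here yet: stays unknown */
        0xc11a0004u,   /* next_task at 0xc11a0000: discovers 0xc11b0000 */
    };
    for (size_t i = 0; i < sizeof reads / sizeof reads[0]; i++)
        track_read(&m, reads[i]);

    gaddr_t base = 0; uint32_t off = 0;
    enum obj_type t = map_resolve(&m, 0xc11a0004u, &base, &off);
    printf("write to 0x%08x -> %s+%u (object at 0x%08x)\n", 0xc11a0004u,
           t == T_TASK_STRUCT ? "task_struct" : "unknown", off, (unsigned)base);
    return m.n;
}

int main(void) {
    printf("mapped objects: %d\n", run_example());
    return 0;
}
```

The read of 0xc11c0000 shows the limit of the technique: an object the rootkit reaches without dereferencing a pointer the tracker has already typed (for instance an address it computed itself) never enters the map, and writes to it can only be reported as raw addresses.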