Slide 1/17: Presented talk: PoC(k)ET, the details of a rootkit for Windows
Speaker: Cédric Halbronn, Sogeti - ESEC R&D
Keywords: Rootkit, Mobile, Windows
Presented by:
- Quentin Pernier: quentin.pernier@ensimag.fr
- Kévin Gellenoncourt: kevin.gellenoncourt@ensimag.fr
- Zak Pavel: zak.pavel@ensimag.fr
https://ensiwiki.ensimag.fr/index.php/4mmsr
Slide 2/17: Paper's author
Cédric Halbronn - security engineer and researcher at Sogeti
Skills:
- Smartphone security
- Development of network/security VoIP software
- Networking
- etc.
Slide 3/17: Objectives
- Create a rootkit proof of concept on Windows Mobile 6 (WM6)
- Why WM6? WM6 uses the same APIs as Windows on the PC, so it is easier to implement.
- Some attacks have already been carried out on Windows CE 5, which is the kernel of WM6.
Slide 4/17: What is a rootkit?
- A set of software hidden from users and programs
- Gives administrator access to the system
- Characterized by 4 steps:
  - Injection: integration into the OS
  - Protection: hiding its existence and activities
  - Backdoor: communication with its owner
  - Services: access to the camera, GPS data, ...
Slide 5/17: Summary
I. Environment
II. Technical aspects of Windows
III. Rootkit architecture
IV. Rootkit implementation
V. Rootkit provided services
Slide 6/17: Environment - constraints and assets comparison
PC-based rootkit:
- (+) Connectivity: Internet
- (+) Services: Wi-Fi client, web browser, microphone
Smartphone-based rootkit:
- (-) Limited battery and memory
- (+/-) Connectivity: localisation by GSM, depends on the operator
- (+) Services: same as PC, plus 3G, GPS, camera
Slide 7/17: Environment - operating systems (OS) on smartphones in 2012
[Chart: smartphone OS market shares in 2012. Source: Gartner]
Slide 8/17: Technical aspects of WM6
- Based on Windows CE
- CE = Compact, Connectable, Compatible, Companion, and Efficient
  (PS: Compact Edition, a consumer-electronics OS developed by Microsoft for embedded systems)
- Same API (application programming interface) as standard Windows
- Virtual memory address space split 2 GB kernel / 2 GB user
- Limited to 32 processes
Slide 9/17: Technical aspects of WM6 - registry
Security policies are stored under HKLM\Security\Policies\Policies:

Policy                       | ID   | Description
Auto Run Policy              | 2    | 0 (allowed), 1 (restricted)
Unsigned Applications Policy | 1006 | 1 (allowed), 0 (restricted)
Unsigned Prompt Policy       | 101A | 0 (user prompted), 1 ( )
Password Required Policy     | 1023 | 0 (required), others ( )
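The four policy values above are what decide whether an unsigned rootkit can be installed, started at boot and run without a prompt, so a defender auditing a WM6 device wants to read them and flag the permissive settings. The following script is an added example written for this page, not code from the talk or from Sogeti: it parses a constructed text export of HKLM\Security\Policies\Policies (one "ID=value" line per policy, a format assumed here for illustration) and reports each policy whose value departs from the restrictive setting given on the slide. Only the policy IDs and the meanings of the values listed on the slide are used; a value other than the one the slide labels is reported as "not the restrictive value" without asserting what it means.

```python
"""Audit WM6 security policies from a registry export (added example).

Assumptions (not from the talk): the export is plain text, one policy per
line as "ID=value" with the ID written in hex as on the slide and the value
in decimal or 0x-prefixed hex, "#" lines being comments.
"""

# Value names under HKLM\Security\Policies\Policies, as listed on the slide.
AUTO_RUN_POLICY = 0x0002           # slide: 0 = allowed, 1 = restricted
UNSIGNED_APPS_POLICY = 0x1006      # slide: 1 = allowed, 0 = restricted
UNSIGNED_PROMPT_POLICY = 0x101A    # slide: 0 = user prompted
PASSWORD_REQUIRED_POLICY = 0x1023  # slide: 0 = required

# Restrictive value per policy and the finding to report when it is not set.
RESTRICTIVE = {
    AUTO_RUN_POLICY: (1, "Auto Run Policy", "auto-run is allowed (0); restricted value is 1"),
    UNSIGNED_APPS_POLICY: (0, "Unsigned Applications Policy", "unsigned applications are allowed (1); restricted value is 0"),
    UNSIGNED_PROMPT_POLICY: (0, "Unsigned Prompt Policy", "value is not 0 (user prompted)"),
    PASSWORD_REQUIRED_POLICY: (0, "Password Required Policy", "value is not 0 (password required)"),
}


def parse_policy_dump(text):
    """Parse 'ID=value' lines into {policy_id: value}."""
    policies = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        policies[int(name.strip(), 16)] = int(value.strip(), 0)
    return policies


def audit_policies(policies):
    """Return (policy_name, finding) pairs for every policy that is missing
    or does not hold its restrictive value."""
    findings = []
    for policy_id, (restrictive, name, weak_msg) in RESTRICTIVE.items():
        value = policies.get(policy_id)
        if value is None:
            findings.append((name, "not present in export; cannot confirm it is restricted"))
        elif value != restrictive:
            findings.append((name, weak_msg))
    return findings


# Constructed sample exports: a permissive device and a hardened one.
PERMISSIVE_DUMP = """
# constructed export: every policy at its permissive setting
2=0
1006=1
101A=1
1023=1
"""

HARDENED_DUMP = """
# constructed export: every policy at the restrictive value from the slide
2=1
1006=0
101A=0
1023=0
"""

if __name__ == "__main__":
    for label, dump in (("permissive", PERMISSIVE_DUMP), ("hardened", HARDENED_DUMP)):
        print("[%s]" % label)
        for name, msg in audit_policies(parse_policy_dump(dump)) or [("all policies", "restrictive")]:
            print("  %s: %s" % (name, msg))
```

The audit treats an absent value as a finding rather than silently passing it, because a rootkit that tampers with the policy keys (or an export taken from the wrong hive) is indistinguishable from a clean device if missing entries are ignored.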
Slide 10/17: Rootkit architecture
[Architecture diagram]
Slide 11/17: Rootkit implementation - possibilities and choice for injection
- Remote exploitation of a vulnerability
- WAP Push message (e.g. BlackBerry 2009 - Etisalat)
- Bootloader injection
- Direct access to the smartphone
Slide 12/17: Rootkit implementation - protection
- Auto-booting using a registry key
- Avoiding the unsigned-application notification
- Hiding the rootkit from the running-process list
- Hiding the files used by the rootkit using API hooking
- Hiding the fact that the installation of the rootkit has occurred
Slide 13/17: Rootkit implementation - backdoor
- A "user to server" connection requires detecting when a connection is available
- Channels: TCP/IP, SMS
- Protocol definition, compression, encryption
Slide 14/17: Rootkit provided services
Types of services:
- Real-time
- Saved on the device (GPS)
- Activation/deactivation by the attacker
Gathering of PIM information: contacts, SMS, email, call history
Slide 15/17: Limitations
- New release of Windows Mobile: 7.5 (2011)
- Windows Mobile is less and less used:

Worldwide smartphone sales by operating system, Q3 2011
OS        | Units sold Q3 2011 (millions) | Market share Q3 2011 | Year-on-year change in market share
Android   | 60.49                         | 52.5%                | +27.2 points
Symbian   | 19.5                          | 16.9%                | -18.4 points
iOS       | 17.3                          | 15%                  | -1.6 point
RIM       | 12.7                          | 11%                  | -4.4 points
Bada      | 2.48                          | 2.2%                 | +1.1 point
Microsoft | 1.7                           | 1.5%                 | -1.2 point
Others    | 1.02                          | 0.9%                 | -1.6 point
Total     | 115.19                        | 100%                 | 100%
Slide 16/17: Conclusion
- WM6 is very permissive
- It permits gathering lots of information
- The rootkit went undetected by antivirus products: Airscanner, BitDefender Mobile Security, BullGuard Mobile Antivirus
Slide 17/17: References
- www.journaldunet.com
- esec-lab.sogeti.com/dotclear/public/publications/10-ssticwm6_article.pdf