Windows Rootkit Overview



Similar documents
Norton Personal Firewall for Macintosh

Symantec Endpoint Protection (SEP) 11.0 Configuring the SEP Client for Self-Protection

Threats to Online Banking

Malicious Yahooligans

INSIDE. Malicious Threats of Peer-to-Peer Networking

Norton AntiVirus 9.0 for Macintosh

WHITE PAPER: ENTERPRISE SECURITY MANAGEMENT. Sarbanes-Oxley Compliance Reports Security and Audit Directors Live For

MANAGED SECURITY SERVICES

Stories From The DRM World: The Settec Case

Symantec AntiVirus Enterprise Edition

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

A Testing Methodology for Antispyware Product s Removal Effectiveness

Data Sheet: Endpoint Security Symantec Network Access Control Comprehensive Endpoint Enforcement

INSIDE. Cyberterrorism and the Home User By Sarah Gordon, Senior Research Fellow

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

A Hypervisor IPS based on Hardware assisted Virtualization Technology


Data Sheet: Archiving Altiris Server Management Suite 7.0 from Symantec Essential server management: Discover, provision, manage, and monitor

Symantec Endpoint Protection 11.0 Securing Virtual Environments Best Practices White Paper. Updated 7/20/2010

Data Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec

SYMANTEC LICENSING PROGRAMS. Symantec Licensing Programs. Designed to streamline the purchase of Symantec software and support offerings

Data Sheet: Server Management Altiris Server Management Suite 7.0 Essential server management: Discover, provision, manage, and monitor

WHITE PAPER: ENTERPRISE SOLUTIONS. Symantec Insight Inquire Symantec i 3 Application Availability and Performance Management Solution

Symantec Enterprise Vault Technical Note. Backing up Enterprise Vault in a clustered environment. Windows

Data Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec

Symantec Backup Exec 11d for Windows Servers New Encryption Capabilities

Symantec Critical System Protection Configuration Monitoring Edition Release Notes

Symantec Endpoint Protection

NetBackup Backup, Archive, and Restore Getting Started Guide

Data Sheet: Storage Management Veritas Virtual Infrastructure Bringing enterprise-class storage management to virtual server environments

Symantec Enterprise Vault for Lotus Domino

Small and Midsize Business Protection Guide

The Value of Physical Memory for Incident Response

Endpoint Security More secure. Less complex. Less costs... More control.

Symantec Critical System Protection Agent Event Viewer Guide

Enterprise Vault 11 Feature Briefing

WHITE PAPER: DATA PROTECTION. Veritas NetBackup for Microsoft Exchange Server Solution Guide. Bill Roth January 2008

Symantec Enterprise Security Manager Baseline Policy Manual for NERC Standard 1200

Symantec Endpoint Protection

Symantec Enterprise Vault E-Discovery Connectors

WHITE PAPER: customize. Best Practice for NDMP Backup Veritas NetBackup. Paul Cummings. January Confidence in a connected world.

Symantec App Center. Mobile Application Management and Protection. Data Sheet: Mobile Security and Management

Optimized data protection through one console for physical and virtual systems, including VMware and Hyper-V virtual systems

Host-based Protection for ATM's

What next? Trojan.Linkoptimizer

Data Sheet: Archiving Symantec Enterprise Vault for Microsoft Exchange Store, Manage, and Discover Critical Business Information

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

Symantec Indepth for. Technical Note

Symantec Event Collector for Kiwi Syslog Daemon version 3.7 Quick Reference

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

W H I T E P A P E R : T E C H N I C A L. Understanding and Configuring Symantec Endpoint Protection Group Update Providers

Consulting Services for Veritas Storage Foundation

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Data Sheet: IT Compliance Payment Card Industry Data Security Standard

Symantec Event Collector 4.3 for Microsoft Windows Quick Reference

Payment Card Industry Standard - Symantec Services

Patch Assessment Content Update Release Notes for CCS Version: Update

Symantec Critical System Protection Agent Event Viewer Guide

Symantec Enterprise Vault

Defeating Windows Personal Firewalls: Filtering Methodologies, Attacks, and Defenses

IBM Internet Security Systems Supports Microsoft Vista s Kernel-Locking for Improved Customer Security

Symantec AntiVirus Corporate Edition Patch Update

Data Sheet: Endpoint Security Symantec Protection Suite Enterprise Edition Trusted protection for endpoints and messaging environments

PST Migration with Enterprise Vault 8.0: Part 1 - Solution Overview. Author: Andy Joyce, EV Technical Product Management Date: April, 2009

WHITE PAPER. Symantec Enterprise Vault and Exchange Alex Brown Product Manager

GFI White Paper PCI-DSS compliance and GFI Software products

Full System Emulation:

VICE Catch the hookers! (Plus new rootkit techniques) Jamie Butler Greg Hoglund

ESET CYBER SECURITY PRO for Mac Quick Start Guide. Click here to download the most recent version of this document

WHITE PAPER: TECHNICAL OVERVIEW. NetBackup Desktop Laptop Option Technical Product Overview

Windows Vista: Is it secure enough for business?

Virtual Machine Security

WHITE PAPER: ENTERPRISE SOLUTIONS. Quick Recovery of Microsoft Active Directory Using Symantec Backup Exec 11d Agent for Active Directory

INSIDE. Mitigating Online Fraud: Customer Confidence, Brand Protection, and Loss Minimization. Symantec Online Fraud Management

Data Sheet: Backup & Recovery Symantec Backup Exec 12.5 for Windows Servers The gold standard in Windows data protection

Data Sheet: Storage Management Veritas CommandCentral Storage 5.1 Centralized visibility and control across heterogeneous storage environments

Symantec enterprise security. Symantec Internet Security Threat Report April An important note about these statistics.

Inside Windows Rootkits

Reducing the Cost and Complexity of Web Vulnerability Management

INSIDE. Securing Network-Attached Storage Protecting NAS from viruses, intrusions, and blended threats

Veritas NetBackup 6.0 Database and Application Protection

Symantec Workspace Virtualization 7.6

White Paper. PCI Guidance: Microsoft Windows Logging

Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0

Privilege Gone Wild: The State of Privileged Account Management in 2015

SYMANTEC ADVANCED THREAT RESEARCH. The Impact of Malicious Code on Windows Vista. Orlando Padilla Symantec Advanced Threat Research

WHITE PAPER: ENTERPRISE SECURITY. Symantec Backup Exec Quick Recovery and Off-Host Backup Solutions

Patch Assessment Content Update Release Notes for CCS Version: Update

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

2012 Endpoint Security Best Practices Survey

Best Practices for Using Symantec Online Storage for Backup Exec

Symantec Enterprise Vault Technical Note. Administering the Monitoring database. Windows

8 Key Requirements of an IT Governance, Risk and Compliance Solution

Understanding Virus Behavior in 32-bit Operating Environments

Quest InTrust for Active Directory. Product Overview Version 2.5

Symantec LiveUpdate Administrator. Getting Started Guide

Symantec Desktop and Laptop Option 7.6

Symantec Backup Exec System Recovery Exchange Retrieve Option User's Guide

Oracle Java Micro Edition Software Development Kit

Privilege Gone Wild: The State of Privileged Account Management in 2015

Transcription:

WHITE PAPER: SYMANTEC SECURITY RESPONSE Windows Rootkit Overview

White Paper: Symantec Security Response Windows Rootkit Overview Contents Introduction...4 User Mode Rootkits...4 Kernel Mode Rootkits...5 Conclusion... 5 3

Windows Rootkit Overview Introduction The term rootkit originally referred to a collection of tools used to gain administrative access on UNIX operating systems. The collection of tools often included well-known system monitoring tools that were modified to hide the actions of an unauthorized user. An unauthorized user would replace the existing tools on the system with the modified versions preventing authorized users from discovering the security breach. However, under Microsoft Windows, the term rootkits has taken on a more narrow definition. Rootkits in Windows refers to programs that use system hooking or modification to hide files, processes, registry keys, and other objects in order to hide programs and behaviors. In particular, Windows rootkits do not necessarily include any functionality to gain administrative privileges. In fact, many Windows rootkits require administrative privileges to even function. Two basic classes of Windows rootkits exist kernel mode rootkits and user mode rootkits. User Mode Rootkits User mode rootkits involve system hooking in the user or application space. Whenever an application makes a system call, the execution of that system call follows a predetermined path and a Windows rootkit can hijack the system call at many points along that path. One of the most common user mode techniques is the in memory modification of system DLLs. Windows programs utilize common code found in Microsoft provided DLLs. At runtime, these DLLs are loaded into the application s memory space allowing the application to call and execute code in the DLL. For example, an application may wish to enumerate all the registry keys on the system. In order to do so, the application calls a Windows API (RegEnumKey) whose code resides in ADVAPI32.DLL. A user mode rootkit would find the location of the API in ADVAPI32.DLL and modify the API so when the API is called, execution is redirected to the rootkit s code instead. The rootkit code would generally call the API itself and then modify the return results (e.g., removing itself from the list of returned registry keys) before returning the results to the application. However, since user mode applications all run in their own memory space, the rootkit needs to perform this patching in the memory space of every running application. In addition, the rootkit needs to monitor the system for any new applications that execute and patch those programs memory space before they fully execute. While trivial, other system hook techniques do not require such active monitoring and continual patching. In particular, one can simply hook the system call further down the path where all paths converge in the kernel. 4

Windows Rootkit Overview Kernel Mode Rootkits Kernel mode rootkits involve system hooking or modification in kernel space. Kernel space is generally off-limits to standard authorized (or unauthorized) users. One must have the appropriate rights in order to view or modify kernel memory. The kernel is an ideal place for system hooking because it is at the lowest level and thus, is the most reliable and robust method of system hooking. The system call s path through the kernel passes through a variety of hook points. A few of these points will be described below. As a system call s execution path leaves user mode and enters kernel mode, it must pass through a gate. The purpose of the gate is to ensure user mode code does not have general access to kernel mode space protecting the kernel space. This gate must be able to recognize the purpose of the incoming system call and initiate the execution of code inside the kernel space and then return results back to the incoming user mode system call. The gate is effectively a proxy between user mode and kernel mode. In older versions of Windows, this proxy is invoked via interrupts and in newer versions of Windows via model specific registers (MSRs). Both mechanisms can be hooked causing the gate to direct execution to the rootkit rather than the original kernel mode code. Another popular hook point is to modify the System Service Descriptor Table (SSDT). The SSDT is a function pointer table in kernel memory that holds all the addresses of the system call functions in kernel memory. By simply modifying this table, the rootkit can redirect execution to its code instead of the original system call. Similarly to the previously mentioned techniques, the rootkit would likely call the original system call and then remove itself from the results before passing back the results. Finally, another kernel mode rootkit technique is to simply modify the data structures in kernel memory. For example, kernel memory must keep a list of all running processes and a rootkit can simply remove themselves and other malicious processes they wish to hide from this list. This technique is known as direct kernel object modification (DKOM). Conclusion Many of these techniques are actually well documented and utilized by a variety of applications. However, what differentiates general system hooking from a rootkit is the action of hiding programs and behaviors such that their actions are hidden from the user. For example, a desktop firewall program may utilize similar system hooking mechanisms to watch and alert the user to any outgoing network connections whereas a rootkit will use the system hooking mechanism to hide their malicious backdoor communication channel. Rootkit code has the ability to potentially bypass security applications and tools used to discover the 5

Windows Rootkit Overview existence of an intruder and malicious programs and thus, the use of rootkits in malicious code is clearly on the rise. In addition, open source and ready-to-use rootkit applications are now widely available on the Internet and thus, malicious code writers who may not even understand how a rootkit works can now easily integrate this technology into their own code. 6

About Symantec Symantec is the global leader in information security, providing a broad range of software, appliances, and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec s Norton brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, California, Symantec has operations in 35 countries. More information is available at www.symantec.com. Symantec has worldwide operations in 35 countries. For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 800 745 6054. Symantec Corporation World Headquarters 20330 Stevens Creek Boulevard Cupertino, CA 95014 USA 408 517 8000 800 721 3934 www.symantec.com Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other brand andproduct names are trademarks of their respective holder(s). Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as-is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Copyright 2005 Symantec Corporation. All rights reserved. 04/05 10406630

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information