Leaderboard
Popular Content
Showing content with the highest reputation on 12/08/11 in all areas
-
Ghost in the Wires - Kevin Mitnick
So, here it is: http://www.mediafire.com/?9nydgq3r2a8eegt
File: Ghost in the Wires - Kevin Mitnick.pdf (2.75 MB)
1 point
-
Contents: Introduction; Possible scenarios (Case 1. Reading and writing to memory; Case 2. Loading unsigned drivers; Case 3. Classic anti-rootkits; Case 4. Hidden MBR); From theory to practice (Comodo Time Machine; Norton GoBack; PC Back Pro and Rollback Rx; RestoreIT); Hide and seek; Conclusion

Introduction

It is no secret that some legitimate products use rootkit technologies. Various proactive antivirus protection tools are capable of hooking system functions in one way or another. Malicious code also uses algorithms of this type. However, antivirus software differs from malicious code in that it does not attempt to hide the modifications it introduces into the system.

Many are aware of data encryption software, such as TrueCrypt. Such programs can encrypt entire partitions or disks. To be able to encrypt a system partition, the creators of this type of software need to implement a proprietary loading routine and modify the master boot record (MBR). Similar technologies are also used in modern bootkits; however, security software, unlike bootkits, does not attempt to conceal its proprietary loader. Like encryption software, some third-party boot loaders (LILO, GRUB) also use MBR modification technology.

Rootkit technologies based on system function hooks are also used in various commercial copy protections, especially in games, and many of these copy protections can be particularly aggressive.

Using rootkit technologies in legitimate products can cause just as much harm as good. It’s a fine line between secure and dangerous implementation of a technology, and a poorly-implemented product can easily be exploited by cybercriminals. As a result, extreme caution is required. The Sony scandal back in 2005, when the company produced new technology to try to prevent its audio CDs being copied, highlighted the risk. Sony’s protection used rootkit technologies which malware could have used to mask malicious components. In other words, the key software component had been written so poorly it could be used in a way unforeseen by its developers.

Is there sufficient justification for using rootkit technologies in legitimate software? When they are used in legitimate programs, how great is the risk that the OS and user data might be compromised? Just how fine is the line between legal and criminal methods?

Possible scenarios

Before getting down to specifics, I will broadly outline several cases when legitimate rootkits or poorly written drivers could compromise the security system. These cases have been selected to encourage further discussion.

When speaking about potential threats, I will use the concepts of legitimate signatures and signed drivers. Obviously, most companies prefer to sign their own software; in 64-bit operating systems, a kernel-mode driver must be signed in order to run. In antivirus products, checking against a whitelist is one of the factors used when assigning a program to a specific software category. Let us assume a legitimate, digitally-signed driver is being abused by cybercriminals. Such a driver would pass a scan as it is listed as software with a trusted signature, even if it is being used for malicious purposes. Therefore, a legitimate, digitally-signed driver is potentially dangerous if it uses rootkit technologies with inadequate authentication mechanisms.

Case 1. Reading and writing to memory

Imagine a complex protector or crypter with algorithms which call for reading and writing to memory. These functions are executed in kernel mode. For the software to operate, a kernel-mode driver is required. Under Windows x64 this driver must have an officially purchased signature – it must be legal. This driver will almost certainly pass the scan test as it is on the whitelist of software with trusted signatures and won’t flag up any problems. Let us assume the driver is poorly written and contains no checks that would minimize or eliminate the risk of abuse. Malware writers can then use this driver to unhook the system functions of an antivirus product by using the reading and writing functions provided by the driver. Cybercriminals can disable proactive protection or disrupt the antivirus program’s critical processes from the kernel.

Case 2. Loading unsigned drivers

Imagine an application containing a signed driver that allows unsigned drivers to be loaded into memory. The unsigned drivers will be loaded manually: the signed driver has to reproduce the actions of the system loader, create a primary thread etc. Such a driver could completely compromise the Windows x64 signature check mechanism.

Case 3. Classic anti-rootkits

As well as searching for anomalies, classic anti-rootkits such as GMER, RKU, RootRepeal etc., can also provide the capability outlined above for reading/writing kernel memory. They also often have functionality for killing processes or threads, unloading dynamic modules, etc. Even though the driver controlling this may have a legitimate signature, if it is poorly written, cybercriminals can easily use it for malicious ends.

Case 4. Hidden MBR

Imagine security software that creates file system snapshots, either on demand or according to a schedule. The main aim of such a product is to facilitate a rollback of the system to a point in the past before data was damaged or a malware infection occurred. However, system files can be damaged in such a way that the operating system cannot be loaded. To restore to a specified point, the system can be loaded from external media, or an MBR modification mechanism can be used. By implementing a customized loader, data can be restored before the operating system is loaded. To protect against damage to an MBR and/or loader, a kernel-mode driver may be used that hides traces of modifications to the master boot record, returning false contents when reading, and writing new records to a different sector.

If this kind of driver is poorly implemented, several unpleasant scenarios are possible. Firstly, a cybercriminal may figure out the algorithm of the driver’s operation and use it as a rootkit component in a malicious program. Secondly, if the MBR has been infected by bypassing the hook, the cybercriminal does not need to hide it from security software installed on the computer. Unfortunately, in this case, theory has more or less been put into practice.

From theory to practice

Kaspersky Lab products implement a powerful anti-rootkit tool that detects hidden objects such as disk sectors, files, registry keys etc., bypassing the hooks implemented in malicious programs. We collect statistics about various anomalies detected on users’ computers via the Kaspersky Security Network (KSN) cloud service. While analyzing the obtained data we have identified several legitimate programs that use rootkit technologies.

Summary table: legitimate software using rootkit technologies

Program Name          Vendor                  Object   Concealment Method   Presence of signature
COMODO Time Machine   Comodo                  MBR      Filter driver        +
Norton GoBack         Symantec                MBR      Filter driver        -
PC Back Pro           Digicore Technologies   MBR      Filter driver        +
Rollback Rx           Horizon DataSys         MBR      Filter driver        +
RestoreIT             Farstone                MBR      Filter driver        +

Comodo Time Machine

Norton GoBack

PC Back Pro and Rollback Rx

RestoreIT

Hide and seek

I was surprised to see MBRs being hidden and investigated how the products reviewed in the previous section would behave if the MBR was modified while bypassing the filter driver. I installed one of the above products on a computer and modified the MBR using the following algorithm:

1. Write a 512-byte 0xAA sequence to the MBR while bypassing the filter;
2. Make a dump of the MBR on the hard drive using the anti-rootkit tool RootRepeal;
3. Check that the recorded sequence is in the MBR;
4. Read the disk using Hiew (“hiew32 \\.\physicaldrive0”);
5. Check that when reading the MBR it still yields false contents.

After the MBR is re-written, all the above products keep returning false contents when the MBR is read, thus deceiving the user. Unsurprisingly, the computer didn’t boot after a restart, because I added junk data to the MBR – so there is no way to call up the restoration console which is supposed to protect the user.

Secondly, if any bootkit (e.g. Winlocker) infects the MBR, bypassing the filter driver on a system where any of the reviewed products is installed, then it would have a free rootkit driver at its disposal: when reading the MBR, the legal kernel-mode driver with a legitimate signature will still return false contents. The restoration console may also stop working.

Thirdly, there is the potential risk of killing the system if partition editing tools are used simultaneously with any of the above products: these tools may receive misleading data as they operate. The best case scenario is that the tools will simply no longer function as required.

As a result, users of this software may find themselves in a situation where:

- They are unable to find out that the MBR has been infected;
- Malware on the computer is hidden with the help of a legitimate utility;
- The system restoration software does not work when serious problems occur;
- Using partition editing tools renders the system inoperable.

Conclusion

Although some of the products reviewed above may have been updated or are no longer being maintained by their vendors, it is very likely that other similar products exist, using similar questionable methods. It is also possible that the kernel-mode drivers reviewed above may be used for illegal purposes, such as hiding an MBR infection; the availability of a digital signature will only exacerbate the situation. Where the required expertise and tools are available, it will not be too difficult to figure out the drivers’ operation algorithm.

All modern security products include a self-protection module for the sole purpose of defending their own critical parts – files, registry keys, processes etc. – from threats posed by malicious programs. Imagine that this self-protection module starts to conceal files, sectors and keys rather than guaranteeing security. Would you feel comfortable using such a product? How do you know it’s not hiding other things? Would any user feel comfortable knowing that certain things could be going on without them being aware of it?

I would like to offer some recommendations to the manufacturers of the products reviewed above, as well as their counterparts:

- It is perfectly legal to modify the MBR, but rootkit technologies should not be used in your products. There are other technologies available; there is no need to hide anything from the users.
- The restoration console can be implemented as a startup disk or removable drive.
- If there isn’t one already, there should be a caller authentication algorithm in drivers.

The fine line between legitimate and illegal use of rootkit technologies is easily crossed. What’s more difficult is building a good quality product. In the world of security software, simple solutions are not necessarily the best.

Full article
1 point
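The check the post above performs by hand (dump sector 0 with an anti-rootkit that bypasses the filter, read the same sector through the normal device path, compare the two) can be automated once both views are in hand. The following is an added Python example, not code from the post or from any of the products it names: it parses a 512-byte MBR (boot signature and partition table) and reports whether two views of sector 0 agree. The healthy sample MBR and the 0xAA junk sector are constructed here; obtaining the unfiltered view is left to an anti-rootkit tool, so the bypass read itself is outside the script's scope.

```python
"""
Cross-view check for a concealed MBR (constructed example).

Two reads of sector 0 are compared: one obtained through the normal OS path
(which passes through any installed filter driver) and one obtained by a path
that bypasses the filter (in the post above, the RootRepeal dump). If the two
disagree, something between the application and the disk is presenting false
MBR contents.
"""
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = 0xAA55        # stored little-endian as bytes 55 AA at offset 510


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_code: int
    lba_start: int
    sector_count: int


@dataclass
class MbrInfo:
    valid_signature: bool
    partitions: List[PartitionEntry]


def parse_mbr(sector: bytes) -> MbrInfo:
    """Decode the boot signature and the four 16-byte partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    signature = struct.unpack_from("<H", sector, 510)[0]
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, type_code, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        if type_code == 0x00:          # empty slot
            continue
        partitions.append(PartitionEntry(i, status == 0x80, type_code, lba_start, count))
    return MbrInfo(signature == BOOT_SIGNATURE, partitions)


def compare_views(os_view: bytes, raw_view: bytes) -> dict:
    """Compare the filtered (OS path) and unfiltered (bypass) reads of sector 0."""
    os_info = parse_mbr(os_view)
    raw_info = parse_mbr(raw_view)
    diffs = [i for i in range(SECTOR_SIZE) if os_view[i] != raw_view[i]]
    if not diffs:
        verdict = "consistent: no sign of MBR concealment"
    elif os_info.valid_signature and not raw_info.valid_signature:
        # Exactly the situation in the post: the driver keeps returning a good
        # MBR while the sector on disk is unbootable junk.
        verdict = "concealed: OS path returns a valid MBR, disk holds an unbootable sector"
    else:
        verdict = "concealed: the two views of sector 0 disagree"
    return {
        "identical": not diffs,
        "differing_bytes": len(diffs),
        "first_diff_offset": diffs[0] if diffs else None,
        "os_view_valid": os_info.valid_signature,
        "raw_view_valid": raw_info.valid_signature,
        "verdict": verdict,
    }


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: zeroed boot code, one bootable NTFS partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed junk sector, modelled on the 512-byte 0xAA pattern the post describes.
JUNK_SECTOR = b"\xaa" * SECTOR_SIZE


def read_sector0(device_path: str) -> bytes:
    """Read sector 0 through the ordinary OS path (administrator rights required)."""
    # On Windows the path is r"\\.\PhysicalDrive0"; this read goes through any
    # filter driver, so on its own it only yields the filtered view.
    with open(device_path, "rb", buffering=0) as dev:
        return dev.read(SECTOR_SIZE)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    # What the filter driver keeps presenting vs. what is actually on disk
    for key, value in compare_views(os_view=healthy, raw_view=JUNK_SECTOR).items():
        print(f"{key}: {value}")
```

Feeding the same bytes to both sides reports "consistent"; feeding the healthy MBR as the OS view and the junk sector as the raw view reproduces the post's finding, a valid-looking MBR on one side and no 55 AA boot signature on the other. Any non-zero differing-byte count is worth investigating, since a correctly behaving stack should return identical bytes through both paths.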
-
Advanced Persistent Threat attack (APT-attack)
http://www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814
+ a useful link: SANS: Information Security Reading Room - Computer Security White Papers
1 point
-
Title: Security Project Manager
Category: Planning
Job type: Permanent
Job status: Full Time
Salary: £92,400.00 - £95,040.00
Salary per: annum
Location: England, South East, Hampshire, GOSPORT
-------------------------------
Security Project Manager
Gosport
£350 - £360 a day
Must be SC Cleared

Job title: Trainee IT Security Consultant (Entry Level Opportunity)
Position type: Full-time
Job location: Cambridgeshire CB1
Compensation: £30000 - 30000 Annually, Up to 30,000 DOE
Company name: Web-recruit
Job category: Information Technology and Services

Junior Penetration Tester - Ethical Hacking / Digital Forensics
Location: Kidderminster
Salary: £20000 - £25000 per annum
Job type: Permanent
Company: Hewett Recruitment
Contact: Ben Mannion
Ref: Totaljobs/BMLH/JPAT
Job ID: 51534275

Quick Facts About Ethical Hacking Work
@ cosminel check THIS
-1 points