Predicting the Future of Stealth Attacks Kapoor & Mathur

Authors

  • Aditya Kapoor
  • Rachit Mathur
Abstract

This paper takes an in-depth look into the attack strategies of recent rootkits and analyses what has worked for them. In doing so it highlights some of the profitable attack methodologies from the perspective of kernel rootkits. The discussion in this paper about predicting the future of stealth attacks is derived from our analysis of multiple rootkits over many years, and is also based on current trends and some specific techniques. The main aim of this discussion is to help re-analyse rootkit defences and decide what technological improvements (if any) are needed in current and future products to better combat the ever-changing stealth threat landscape.

ROOTKITS, STILL A PROBLEM?

It takes time for an attack vector to become mainstream and even more time for it to be used on a large scale. Rootkits started showing up in the wild in 2004–2005 and were steadily adopted by malware authors. In the same period most AV products were overhauling their defences. So, assuming everyone can detect rootkits, if a new one comes out one can just write a new ‘signature’ for it and close the case, right? No, not really; the problem is that a new rootkit with a new technique can force AV/anti-rootkit tools to update their core detection and remediation technology over and over again, unlike any other class of malware. So it is a good idea to have a reality check once in a while, to review the current technology changes as well as to quantify the problem. We will look at the rootkit technology changes in later sections; for now let’s just look at the statistics for quantification purposes. Statistics around malware are usually a moving target and depend on the individuals doing the research. Another problem in collecting reliable statistics on rootkits (as on malware in general) is that it is hard to account for what you don’t know, so we cannot really count the rootkits we don’t know about.
However, when we queried our consumer data for a month (for the rootkits we knew about) we found that approximately 10% of the detections were rootkit related. We backed this number up by querying the internal database that tracks the total number of submissions to McAfee in a year; we then calculated how many of the submissions were rootkit related and the number came out close to 8%. In the past few years other vendors such as Microsoft [1] and Symantec have also published their statistics, and their numbers were in the range of 7–10%. For the sake of this discussion we believe that an average rootkit count of 8–10% is close to realistic as a number representing infected machines. These statistics demonstrate that the rootkit problem is still a relevant one. However, it is comparatively rare that we ‘hear’ about a rootkit causing problems for our support team or customers; usually the infection is taken care of by existing rootkit detection technologies. Every once in a while, though, a cleverly crafted piece of code comes around and we do ‘hear’ about it. Once a solution is provided for a new rootkit, the next question in our minds is ‘what is going to be the next step for this family?’ Analysing these trends has usually helped us to understand the bigger picture and to keep the technology prepared, reducing our response times. In the next few sections we look at the trends in the major changes in rootkit techniques over the last decade. We also present case studies of some of the most interesting rootkits that are prevalent in 2011. We discuss what has worked for these rootkits and what inferences we can derive from their analysis for future trends.

Figure 1: New rootkit techniques introduced over the last decade.

VIRUS BULLETIN CONFERENCE OCTOBER 2011

ROOTKIT ATTACKS IN THE LAST DECADE

Many kernel-mode techniques have been released in the last decade which continue to fuel the growth of rootkits.
This section presents some of the major changes in these techniques to give a sense of the pace and type of change. Furthermore, taking a holistic view of the trends might give us some idea of the stealth techniques that may become popular in the future. Figure 1 shows the timeline of major new techniques as they were released. The rootkits on this timeline were the first we found in the wild to use the specific technique named; each technique was then followed by many more rootkit families.

The concept of manipulating the Windows kernel for stealth started with NTRootkit-A, which hooked the SSDT. HE4Hook [2] extended the idea by hooking the dispatch table of NTFS, which became extremely popular among rootkits and is still being used by the likes of TDSS and Cutwail. The Fu rootkit [3] came up with an entirely new attack for process hiding in 2004, which became almost a standard: most process-hiding rootkits to date use its technique of modifying the EPROCESS doubly linked list. 2005 saw exponential growth in adware, and to protect its files the CommonName family came up with the simple yet effective NTFS filter driver, which created a lot of problems for AV vendors, who themselves use filter drivers for detection and repair. The Apropos rootkit [4] came out towards the end of 2005 and used a clever combination of inline hooks and interrupt table hooking. To gain control it would raise an exception in the kernel code of NtQueryDirectoryFile, and the exception was handled by an interrupt routine in the IDT that was also hooked by the rootkit. The main challenge here was that the interrupt-driven hook disassociated the kernel inline hook from the memory of the owning module, so finding the malicious module and removing it became a challenge. We discuss memory disassociation challenges further later in this paper.
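The EPROCESS list modification described above is what the cross-view approach is meant to catch: enumerate processes from two independent kernel views and diff them. The following is an added example written for this page (it is not code from the paper or from McAfee): a toy Python model of a circular ActiveProcessLinks list beside a PID-table view, with one entry unlinked the way the paper attributes to Fu, and a diff that reports the discrepancy. Every PID, process name and structure is constructed, and the PID table only stands in for a real handle table.

```python
"""Cross-view detection of a process hidden by EPROCESS list unlinking.

Added example, not code from the Virus Bulletin paper or McAfee. Toy model of
two kernel views of the same process set: the ActiveProcessLinks doubly linked
list (which a DKOM rootkit edits) and an independent PID table (constructed,
stands in for a handle table). All PIDs, names and links are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Eprocess:
    pid: int
    name: str
    flink: Optional["Eprocess"] = None   # ActiveProcessLinks.Flink
    blink: Optional["Eprocess"] = None   # ActiveProcessLinks.Blink


class ToyKernel:
    """Two views of the same process set: a linked list and a PID table."""

    def __init__(self, procs):
        # View 1: circular doubly linked list headed at PsActiveProcessHead.
        self.head = Eprocess(pid=-1, name="PsActiveProcessHead")
        prev = self.head
        for p in procs:
            prev.flink, p.blink = p, prev
            prev = p
        prev.flink, self.head.blink = self.head, prev
        # View 2: PID -> object table, independent of the list links.
        self.cid_table = {p.pid: p for p in procs}

    def walk_active_list(self):
        """What a list-walking enumerator (Task Manager style) sees."""
        seen, cur = [], self.head.flink
        while cur is not self.head:
            seen.append(cur.pid)
            cur = cur.flink
        return seen

    def scan_cid_table(self):
        """What a table scan sees; unaffected by list manipulation."""
        return sorted(self.cid_table)

    def simulate_dkom_unlink(self, pid):
        """Construct the discrepancy: drop one EPROCESS out of the list, as Fu did."""
        p = self.cid_table[pid]
        p.blink.flink = p.flink
        p.flink.blink = p.blink
        p.flink = p.blink = p       # self-referential so later list ops on it are harmless

    def list_is_consistent(self):
        """Sanity check a tool might run before trusting the list view."""
        cur = self.head
        while True:
            if cur.flink.blink is not cur:
                return False
            cur = cur.flink
            if cur is self.head:
                return True


def cross_view_diff(kernel):
    """PIDs in the table but not the list are hidden; the reverse are unbacked."""
    listed = set(kernel.walk_active_list())
    tabled = set(kernel.scan_cid_table())
    return {"hidden": sorted(tabled - listed), "unbacked": sorted(listed - tabled)}


def demo():
    """Build a constructed process set, hide one entry, and diff the two views."""
    k = ToyKernel([Eprocess(4, "System"), Eprocess(600, "explorer.exe"),
                   Eprocess(1234, "hidden.exe")])
    assert cross_view_diff(k) == {"hidden": [], "unbacked": []}
    k.simulate_dkom_unlink(1234)
    return cross_view_diff(k), k.list_is_consistent()


if __name__ == "__main__":
    print(demo())   # ({'hidden': [1234], 'unbacked': []}, True)
```

Note that after the unlink the list still passes the consistency check: the forward and backward links of the remaining entries agree with each other, so a walk of the list alone gives no hint that anything is missing. Only the comparison against a second view reveals the hidden PID, which is why the cross-diff approach became standard.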
Following a brief lull in new techniques, the Rustock (spam-mailbot.c) family implemented a rootkit that used SysEnter/int 2E hooks in addition to hiding its files in alternate data streams. Another trick that Rustock delivered was to hook the SSDT by manipulating the KTHREAD [5] object, which allowed the rootkit to hook the SSDT selectively on a per-thread basis. This technique is currently being used by the BlackEnergy rootkit. In addition, Rustock searched for the lowest device objects and sent IRPs directly to them to bypass filter drivers. In the same year (2006), rootkit components of the prevalent Mytob family started using call gates to hide their process, writing to ring 0 through \device\physicalmemory without the need to install a kernel-mode module.

By this time most AV tools had started to include multiple range-check and cross-diff approaches in their products to find discrepancies in kernel memory or on disk. Almanahe [6] fought back in 2007 by improving the kernel inline hook technique so that the hooks would lead the tools to addresses within the Windows kernel module range and thus fail to raise suspicion. Nuwar’s rootkit, released in 2007, made an effort to minimize its footprint by removing the dependency on registry keys to load its device driver at reboot. Instead it parasitically infected tcpip.sys and wrote its loader code into that file; during machine boot the infected tcpip.sys would load the malicious device driver in its context. Rootkit authors soon realized that modifying an existing kernel driver would benefit them further in stealth. In 2008 Rustock quickly took advantage of this technique by overwriting less critical drivers like beep.sys [7]. Similarly, the TDSS family of rootkits further improved on the Nuwar strategy by parasitically infecting random boot drivers to carry their loader code, and by storing the actual driver in raw sectors so that there is no file association on disk.
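The passage above describes two things a checker has to get right: the range check that AV tools adopted (does each SSDT entry point into ntoskrnl?), which an Almanahe-style hook defeats by parking its trampoline inside the kernel image range, and the per-thread service table swap via KTHREAD that Rustock introduced, which a check of the global table alone never sees. The following is an added example written for this page, not code from the paper or from any vendor: a Python walk over a constructed kernel-memory snapshot that runs the naive range check, a version that follows `jmp rel32` trampolines before checking the range, and a per-thread service table comparison. All module ranges, service indices, addresses, thread ids and bytes are constructed; the syscall names are real but their indices here are not.

```python
"""SSDT integrity checks over a constructed kernel-memory snapshot.

Added example, not code from the Virus Bulletin paper or McAfee. Shows
(1) the plain range check, (2) why an in-kernel-range trampoline slips past
it unless the checker follows the jump, and (3) a per-thread service table
check. Every address, index and byte below is constructed.
"""
import struct

# Constructed loaded-module map: name -> (base, size).
MODULES = {
    "ntoskrnl.exe": (0x80400000, 0x00200000),
    "evil.sys":     (0xF8A00000, 0x00004000),  # hypothetical rootkit driver
}
KERNEL = "ntoskrnl.exe"
KE_SERVICE_DESCRIPTOR_TABLE = 0x80500000  # constructed address of the real table


def module_for(addr):
    """Return the module whose range contains addr, or None if unbacked."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


# Constructed byte-addressable memory: {address: byte value}.
MEM = {}


def write_jmp_rel32(mem, at, target):
    """Emit 'E9 rel32' (jmp near, relative) at 'at' so that it lands on 'target'."""
    disp = target - (at + 5)                  # rel32 is relative to the next instruction
    mem[at] = 0xE9
    for i, b in enumerate(struct.pack("<i", disp)):
        mem[at + 1 + i] = b


def follow_jmps(mem, addr, max_hops=8):
    """Resolve a chain of jmp rel32 trampolines to its final destination."""
    for _ in range(max_hops):
        if mem.get(addr) != 0xE9:
            return addr
        raw = bytes(mem.get(addr + 1 + i, 0) for i in range(4))
        addr = (addr + 5 + struct.unpack("<i", raw)[0]) & 0xFFFFFFFF
    return addr


# Constructed SSDT: service index -> (name, handler address).
SSDT = {
    0x91: ("NtQueryDirectoryFile",     0x80452A10),  # untouched entry
    0xAD: ("NtQuerySystemInformation", 0xF8A01200),  # plain hook into evil.sys
    0xBA: ("NtOpenProcess",            0x80480000),  # trampoline parked inside ntoskrnl
}
write_jmp_rel32(MEM, 0x80480000, 0xF8A01000)        # ... that jumps out to evil.sys


def naive_range_check(ssdt):
    """Flag entries whose address lies outside the kernel image range."""
    return sorted(i for i, (_, a) in ssdt.items() if module_for(a) != KERNEL)


def resolved_range_check(ssdt, mem):
    """Same check after following trampolines: catches the in-range hook."""
    return sorted(i for i, (_, a) in ssdt.items()
                  if module_for(follow_jmps(mem, a)) != KERNEL)


# Constructed KTHREAD view: thread id -> ServiceTable pointer.
THREADS = {
    0x0F0: KE_SERVICE_DESCRIPTOR_TABLE,
    0x1A4: KE_SERVICE_DESCRIPTOR_TABLE,
    0x2B8: 0xF8A02000,   # one thread redirected to a private copy of the table
}


def check_thread_tables(threads, legit=KE_SERVICE_DESCRIPTOR_TABLE):
    """The global table can be clean while a single thread uses another one."""
    return sorted(tid for tid, tbl in threads.items() if tbl != legit)


if __name__ == "__main__":
    print("naive range check   :", [hex(i) for i in naive_range_check(SSDT)])
    print("resolved range check:", [hex(i) for i in resolved_range_check(SSDT, MEM)])
    print("threads off-table   :", [hex(t) for t in check_thread_tables(THREADS)])
```

The naive check reports only index 0xAD; index 0xBA points into the kernel image and looks fine until the first instruction at the target is decoded and followed. Real checkers have to handle more than `E9` (indirect jumps, pushes followed by `ret`, and multi-hop chains), which is why the paper treats the kernel as a moving target: each new place to hide a hook forces the detection logic to widen.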
Moving to the right on the timeline, various other rootkit techniques covered the breadth and depth of the kernel. In the last few years rootkits have moved in many directions to evade detection. They have manipulated various kernel objects such as ‘OBJECT_TYPE’, ‘DEVICE_OBJECT’, ‘DRIVER_OBJECT’ and ‘KTHREAD’, in addition to coming up with direct attacks on anti-rootkit tools and evasion tactics. From this, one can observe that the profitable area of the kernel has been a moving target. For a known technique there can always be some solution to counter it, so, as expected, once a technique is known about and becomes popular, most anti-rootkit tools detect it and the malware needs to find other techniques and places to achieve stealth. Even though the myriad of techniques presents a grim outlook in terms of predicting what will come next, there are certainly some areas which we believe could become more popular than others. We describe them in the following sections.

CURRENT STATE OF ROOTKIT ATTACKS

We analysed many prevalent rootkits and selected the five that we found most useful for this discussion.

Publication date: 2011