Archive for June, 2007

Rootkits in the mist

June 26th, 2007

During the last 7 months we've been able to gather some really interesting statistics, thanks to Panda Anti-Rootkit, on which rootkits are most actively infecting users, as well as on the new rootkit techniques emerging in the wild.

Out of the tens of thousands of machines cleaned so far, the most prevalent rootkits in-the-wild are by far Beagle.FU and Adware/NaviPromo. Together they account for almost 64% of all rootkit detections. The different variants of Rustock come in third place with 16% of the infections, followed by Flush.K, Zlob.A and Peacomm.B.

The simplest techniques used by rootkits to hide files, processes and registry entries are based on hooking the IAT/EAT functions of processes. The rootkit can then intercept and filter the information the system returns to the querying process. These hooks are applied in user mode and only affect the processes whose IAT/EAT has been hooked.

Kernel-mode rootkits, on the other hand, use a driver that normally modifies the Service Descriptor Table (SDT) or the Interrupt Descriptor Table (IDT), as well as more advanced techniques that modify kernel data structures directly (DKOM), the SYSENTER model-specific register (MSR) or the IRP dispatch routines, effectively filtering calls to the drivers. In the following table we can see which technique each of the Top 5 rootkits uses.

Advanced rootkit techniques
Lately rootkits have been using new techniques to evade detection by anti-rootkit utilities. To achieve this they install themselves into an NTFS alternate data stream (ADS), which makes detection, and especially disinfection, much more difficult. Some good examples of these are Oddysee.B, which installs itself in an ADS of NTOSKRNL.EXE, Rustock.A, which installs in an ADS of the C:\Windows\System32 directory, and the atypical Unreal, which installs in an ADS of the system drive.

One of the most common strategies for detecting objects hidden by rootkits is based on cross-view comparison. To detect a hidden file, the anti-rootkit first enumerates files using the system API functions that the rootkit has hooked; the hidden file does not appear in these results. It then performs a second enumeration using lower-level access that the rootkit does not intercept, and compares the two. Thanks to this cross-view, anti-rootkits can enumerate files that are hidden. However, many of these cross-view implementations do not enumerate the alternate data streams of system objects at the low level, and so these advanced rootkits go undetected.
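A cross-view comparison that treats alternate data streams as objects in their own right, as an added example (not Panda Anti-Rootkit code). Both enumerations are constructed inline, and every file and stream name in them is made up for the illustration.

```python
"""Cross-view comparison that also enumerates NTFS alternate data streams.
Added illustration, not Panda Anti-Rootkit code: both views are constructed
inline (API view = hooked Win32 enumeration; low-level view = raw NTFS scan)."""
from typing import Dict, List, Tuple

# Low-level records use the NTFS stream notation path:stream:$DATA; the
# unnamed default stream of a file or directory appears as path::$DATA.
# All file and stream names below are constructed, not real artifacts.
LOW_LEVEL_VIEW = [
    r"C:\::$DATA",                                     # drive root
    r"C:\:bootcache:$DATA",                            # ADS on the drive root
    r"C:\Windows\System32::$DATA",                     # directory entry
    r"C:\Windows\System32:svchelper:$DATA",            # ADS on a directory
    r"C:\Windows\System32\ntoskrnl.exe::$DATA",
    r"C:\Windows\System32\ntoskrnl.exe:patch:$DATA",   # ADS on the kernel image
    r"C:\Windows\System32\drivers\hidden.sys::$DATA",  # filtered by API hooks
    r"C:\Users\alice\setup.exe::$DATA",
    r"C:\Users\alice\setup.exe:Zone.Identifier:$DATA", # benign download mark
]
# What the hooked API enumeration returned: no streams, and no hidden.sys.
API_VIEW = ["C:\\", r"C:\Windows\System32", r"C:\Windows\System32\ntoskrnl.exe",
            r"C:\Users\alice\setup.exe"]

def split_stream(record: str) -> Tuple[str, str]:
    """Split 'path:stream:$DATA' into (path, stream); '' is the default stream."""
    if not record.endswith(":$DATA"):
        raise ValueError(f"not a $DATA stream record: {record}")
    path, _, stream = record[:-len(":$DATA")].rpartition(":")
    return path, stream

def cross_view(api_view: List[str], low_level_view: List[str]) -> Dict[str, list]:
    """Report what the low-level view sees and the API view does not: default
    streams missing from the API view are hidden files; named streams are
    listed separately (the API view cannot see them at all) together with the
    kind of host object, so that streams on directories stand out."""
    visible = set(api_view)
    hosts = {split_stream(r)[0] for r in low_level_view}
    def is_dir(p: str) -> bool:  # some low-level path lies beneath p
        return any(h != p and h.startswith(p.rstrip("\\") + "\\") for h in hosts)
    result: Dict[str, list] = {"hidden_files": [], "named_streams": []}
    for rec in low_level_view:
        path, stream = split_stream(rec)
        if stream == "":
            if path not in visible:
                result["hidden_files"].append(path)
        else:
            kind = "directory" if is_dir(path) else "file"
            result["named_streams"].append((path, stream, kind))
    return result
```

On the constructed views the function reports hidden.sys as a hidden file and lists the streams on the drive root, on System32 and on the kernel image, which a file-only cross-view would never surface.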

Rustock is worth mentioning again when we're talking about ADS rootkits. It is probably the most dangerous rootkit in the wild, not only because it's the third most prevalent rootkit but also because of the advanced techniques it uses and malicious actions it performs:

  • Hides in an ADS of the C:\Windows\System32 directory.
  • Hides its execution by injecting itself in kernel threads and avoids being detected as a hidden process.
  • Gets rid of its own kernel structure entries typically searched for by anti-rootkits to detect hidden drivers.
  • Searches for certain security products to further evade detection.
  • Installs a hidden proxy to send spam.

Because of this, Rustock is definitely the most difficult rootkit to detect and especially to disinfect. Therefore it receives our "Most Interesting Rootkit" award.

Categories: Rootkits, Stats

How TruPrevent Works (II)

June 13th, 2007

This is the second part of the "How TruPrevent Works" article series. Apologies in advance if it seems a bit like shameless self-promotion.

Code-named KRE (Kernel Rules Engine), this is TruPrevent's second component: a Behavior Blocking module which complements TruPrevent's Behavioral Analysis. If we were to map these two modules within the HIPS framework used by Gartner to categorize the different technology styles used by integrated endpoint security suites, they would fit into the "Application Control, Resource Shielding and Behavioral Containment" styles. Such technology styles are not, however, as compartmentalized in commercial products as they may seem in Gartner's framework.

Hackers and malware mafias abuse the privileges of legitimate applications to attack systems by injecting code. To prevent these types of attacks generically, a very cost-effective approach is to use rule-based blocking technology, which restricts the actions that authorized applications are allowed to perform on the system.

KRE is composed of a set of policies, each defined by a set of rules describing the allowed and denied actions for a particular application or group of applications. Rules can be set to control an application's access to files, user accounts, the registry, COM objects, Windows services and network resources.

Despite offering administrators a high degree of granularity for creating custom policies for deployment within a corporate network, KRE ships with a set of default configuration rules which are managed and updated regularly by PandaLabs. A limited list of the most relevant and most queried rules can be viewed at These provide protection against attacks exploiting common weaknesses found in out-of-the-box as well as fully patched installations of Windows operating systems, such as modifications of the HOSTS file, loading Browser Helper Objects (BHO) in a certain way, exploitation of browser and email vulnerabilities, downloading and running executable code from within the iexplore.exe process, launching commands from service applications, and many more.

In summary, KRE provides a true security lock-down of a typical Microsoft Windows installation, regardless of whether it is patched or not. This technology has allowed us to tighten the security of a box that is normally left open by newly discovered vulnerabilities and by techniques commonly used by malware mafias.

A recent example of the effectiveness of KRE is the never-ending wave of Microsoft Office file-format vulnerabilities. These vulnerabilities have recently been used in targeted attacks on certain companies. According to a study of known (patched) and zero-day (unpatched) Microsoft Office vulnerability exploits, an average AV signature detection rate of 50% was achieved across all tested antivirus engines. That's a one-in-two chance of being infected by simply opening an exploited Microsoft Word, PowerPoint or Excel document.

Instead of relying on signatures and heuristics for these types of attacks, Behavior Blocking technologies such as KRE proactively prevent Microsoft Word, PowerPoint, Excel, Access, Acrobat Reader, Windows Media Player and other applications from dropping and running any type of executable code on the system. Unlike any of the AV signatures tested, TruPrevent provides real zero-day protection against any of these Microsoft Office exploits, known or unknown.

For example, rules 1039 & 1042: recent MS Office, Acrobat and Windows multimedia vulnerabilities have been discovered (PowerPoint, Excel, Word, Wmplayer, Acrobat Reader and others are vulnerable). In normal operation these applications should not create executable files on the system, so if you receive an alert, some kind of vulnerability is being exploited, as shown in the blocking notification when trying to open an infected Microsoft Word document.

In this case KRE prevents these applications from creating and executing code on the system, thereby stopping the malware without having to rely on signatures or heuristics to protect users. Of course there are many more examples of how to block a multitude of malicious behaviours, but I think if you've read this far you get the picture.
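A minimal rule evaluator in the spirit of the Office rules described above, as an added example that is not TruPrevent/KRE code. The rule and event formats, the rule identifiers and the process image names it is scoped to are assumptions; note that the executable check looks at the PE header as well as the extension, so a dropped file renamed to .tmp is still caught.

```python
"""A minimal behavior-blocking rule evaluator modeled on the KRE rules
discussed above (document viewers must not drop or run executable code).
Added illustration, not TruPrevent/KRE code: the rule and event formats, the
rule identifiers and the process image names are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional

EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".sys", ".bat", ".cmd")

@dataclass
class Event:
    process: str          # image name of the acting process
    action: str           # "create_file" or "execute"
    target: str           # path being written or launched
    head: bytes = b""     # first bytes written, when the action is create_file

@dataclass
class Rule:
    rule_id: str
    processes: frozenset  # applications the rule is scoped to
    action: str
    target_matches: Callable[[Event], bool]
    description: str

def looks_executable(ev: Event) -> bool:
    """Executable by extension or by PE 'MZ' header, so renaming does not help."""
    return ev.target.lower().endswith(EXEC_EXTENSIONS) or ev.head.startswith(b"MZ")

# Image names are assumed for illustration.
DOCUMENT_APPS = frozenset({"winword.exe", "excel.exe", "powerpnt.exe",
                           "msaccess.exe", "acrord32.exe", "wmplayer.exe"})
RULES: List[Rule] = [
    Rule("DOC-NO-EXE-WRITE", DOCUMENT_APPS, "create_file", looks_executable,
         "document viewer tried to write executable code"),
    Rule("DOC-NO-LAUNCH", DOCUMENT_APPS, "execute", lambda ev: True,
         "document viewer tried to launch a program"),
]

def evaluate(ev: Event, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Return the first deny rule matching the event, or None if it is allowed."""
    for rule in rules:
        if (ev.process.lower() in rule.processes and ev.action == rule.action
                and rule.target_matches(ev)):
            return rule
    return None
```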

Categories: behavior analysis