Spyware and Rootkits - The Future Convergence
Spyware and Rootkits - The Future Convergence
JA M E S B U T L E R A N D S H E R R I S PA R K S
spyware and
rootkits
THE FUTURE CONVERGENCE
Jamie Butler is the director of engineering at HBGary,
Inc. and is co-author of the upcoming book Rootkits:
The Day After. He is also a frequent speaker at computer security conferences, presenting his research on
kernel reverse engineering, host-based intrusion prevention, and rootkits.
[email protected]
Sherri Sparks is a Ph.D. student of Computer Science
at the University of Central Florida. Her current
research interests are in software security, reverse
engineering, and intrusion detection.
W H AT I S S P Y WA R E ?
S E C U R I T Y: S P Y WA R E A N D R O OT K I TS
developments.
U S E R M O D E T E C H N I Q U E S ( I M P O RT H O O K I N G A N D B R O WS E R H E L P E R O B J E C TS )
Figure 1. Normal execution path vs. hooked execution path for an IAT hook
10
In our discussion of user mode we noted that user applications coexist with
some portions of the operating system. We now extend that statement to
kernel mode. At this highest of privilege levels, drivers coexist with the
Windows kernel itself. This means that a malicious driver has the power to
usurp complete control of the operating system environment. Indeed, modern rootkits have reached an alarming degree of sophistication in their
employment of kernel mode hooking techniques. Fortunately, writing a kernel driver is something of a black art, so that, with the exception of a very
few advanced key loggers, most spyware developers havent caught up to the
rootkit developers yet. Nevertheless, as spyware continues to evolve in complexity and stealth, these techniques may become a very real threat to information security. In the following discussion we cover three of the most common kernel hooking techniques: system call table hooking, filter drivers,
and IRP table hooking.
The system call table (SCT) is one of the simplest, most effective places to
hook in the kernel. It provides the gateway into the kernel through which
all user mode API calls must pass. In most operating systems the SCT is
implemented as a table of pointers to the functions the kernel exports to
user mode applications. The Windows system call mechanism is also based
on this concept. Calls to the Kernel32.dll and Ntdll.dll API functions pass
through the kernel function called KiSystemService, which does some sanity
checking on the function parameters and then calls the referenced SCT
function. By modifying the function pointer in the table to point to attack
code, an attacker has total control over the operation of the function (see
Figure 2). Spyware and rootkits can use this trick to filter information they
do not want the user or system administrator to see. For example, by hooking NtQuerySystemInformation in the SCT and filtering its response, the
attacker can hide any file or directory in Windows. Although the idea of
modifying a table of function pointers is reminiscent of userland IAT hooking, kernel SCT hooking is a much more powerful technique. Where IAT
; LO G I N : D E C E M B E R 2 0 0 4
S E C U R I T Y: S P Y WA R E A N D R O OT K I TS
11
Figure 2. Normal execution path vs. hooked execution path for an SCT hook
hooking is local to the application process being hooked, an SCT hook will
globally intercept functions across all processes, including the operating
system itself.
In Windows, the drivers for a systems hardware devices are layered into a
hierarchal device stack. Furthermore, a given hardware device may have
one or more drivers associated with it, which we can visualize as a vertical
stack of layered components (see Figure 3). These drivers communicate
with each other and the operating system by means of I/O request packets
(IRPs). Filter drivers and IRP hooking techniques exploit the layered nature
of Windows driver architecture. Unlike normal drivers, filter drivers are
transparently inserted on top of or in between existing drivers in the stack,
using the kernel API, IoAttachDevice. Although they are sometimes legitimately used to add functionality to an existing lower-level driver, an
attacker will typically use them to either modify or intercept data. Key loggers and network sniffers typically use them to capture user passwords and
other sensitive information.
By design, layered filter drivers require a lot of code to implement. Furthermore, they may be more easily detected than a driver that does direct IRP
hooking. Instead of installing a filter, an attacker can directly hook the functions exported by a target device driver in its IRP major function table. The
IRP major function table is simply an array of 28 function pointers to handler functions in response to notifications and requests which the driver
receives from either a client application or the operating system. An application typically sends an IRP to a driver to request a specific service. For
example, IRP_MJ_DIRECTORY_CONTROL is sent to file system drivers to
12
request the list of directories and files. By intercepting and altering different
I/O requests, spyware can easily hide on the file system or eavesdrop on network communications. Some commercial software such as ZoneAlarm4
even uses this technique to intercept and regulate network traffic. It is not
difficult for an attacker to find a particular driver object in memory. Windows kernel provides the function called IoGetDeviceObjectPointer which
spyware or a rootkit can call to get a pointer to the named device object.
This device object contains a pointer to its corresponding driver object
which the attacker can use to reference the targets IRP function table. Figure 4 shows the relationship among these objects in memory.
S E C U R I T Y: S P Y WA R E A N D R O OT K I TS
13
S P Y WA R E D E T E C T I O N C H A L L E N G E S
Current spyware detection tools are primarily based upon signature scanning techniques. Signature scans have been used heavily by antivirus (AV)
engines and are quite reliable for detecting known strains of spyware. Unfortunately, they are ineffective against unknown strains, which must first be
caught, analyzed, and sampled for a usable signature. With new spyware
variants emerging almost daily, it is difficult for detection engines to keep
pace. Indeed, there are even a handful of spyware applications which utilize
a rudimentary form of polymorphism to randomize their file names and registry keys, so that every infected machine contains a slightly different version of the program. This makes it more difficult for a detection program to
obtain a consistent signature for the application. Some detectors have
turned to heuristics to deal with these issues. A further problem with current detections lies in the fact that many of them run in user mode right
alongside the spyware applications they are attempting to apprehend. Using
the aforementioned hooking techniques, a malicious spyware application is
capable of intercepting the function calls of a user mode detection engine as
easily as it hijacks the users Internet browser. In this manner, clever spyware
may trick the detector into believing the machine is uninfected. A detection
engine implemented in kernel mode will provide defense against this attack
as long as spyware remains a mostly user mode phenomenon.
VICE
Conclusion
We hope to advance VICE as rootkit and spyware techniques continue to
evolve. The sophistication of the disassembly engine logic can be improved
14
; LO G I N : D E C E M B E R 2 0 0 4
S E C U R I T Y: S P Y WA R E A N D R O OT K I TS
15