September 20, 2012

Anti-Rootkits in the Era of Cyber Wars

Igor Korkin
*This article was published in Hakin9 Magazine, Vol.2 No.7, Issue 07/2012 (11) ISSN: 1733-7186

   This article describes the design of a system for detecting hidden objects under today's conditions. It touches on trends in virus attacks, cites statistics from US legislation and McAfee reports, and analyzes the likely targets of virus attacks. It outlines a concept for designing an information security system, in particular for stealth detection, and describes the author's stealth-detection method based on dynamic bit signatures.

   What is going on in the world of malware today?
  In the last two years information security news has turned into front-line reports. We have learnt about powerful tools like Stuxnet, Duqu, Flame ... and what can we expect next? (We now know that it is Gauss.)
  An article by David E. Sanger titled "Obama Order Sped Up Wave of Cyberattacks Against Iran" was published in The New York Times on June 1, 2012, reporting that the Stuxnet worm that hit Iran's nuclear facilities was a joint effort of the United States and Israel.
  A few weeks later, on June 19, 2012, the article "US, Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say" appeared in The Washington Post, revealing details about the authors of the Flame virus.
   The special services of one country remotely disable the industrial, civil and military infrastructure of another. This infrastructure is now managed by SCADA automated systems, whose security aspects are covered in this article.
   Let us try to figure out how to develop and implement protection against malicious code in such an environment.

SCADA and CNC systems
   Speaking of cyber wars, we cannot avoid the topic of SCADA.
SCADA (Supervisory Control and Data Acquisition) is the result of the evolutionary development of control systems: software that controls various technical processes. SCADA is used in all major control systems, from air-conditioning in business centers and water treatment in cities to oil pipelines and transportation control systems on a national scale.
   No software is free of vulnerabilities, and SCADA is no exception. According to Microsoft, Windows 7 was tested by more than 8 million volunteers around the world, yet according to the analytical site itsecdb.com the OS still contained more than 200 vulnerabilities, which are eliminated in one way or another by service packs. Because of their specialized use and operational complexity, SCADA systems cannot be tested as independently and thoroughly, and therefore contain many more vulnerabilities. Another fact of interest: in any software product that comes into wide use, vulnerabilities are discovered quickly; the recent trojans Backdoor.OSX.SabPub and BackDoor.Macontrol.2 for Mac OS are an example. For SCADA systems there are two outcomes: either their vulnerabilities are found and fixed, or such systems are permanently disabled.
   To support this analysis, here are some statistics.
   The United States Senate bill S.773, the Cybersecurity Act of 2009, states in SEC. 2. FINDINGS, paragraph 4, that more than 85% of all critical infrastructure is in private hands, and that cyber threats to government information systems and critical infrastructure are evolving and growing:
(4) With more than 85 percent of the Nation's critical infrastructure owned and operated by the private sector, it is vital that the public and private sectors cooperate to protect this strategic national asset.
In paragraph 9 a statement by Paul Kurtz is quoted, that
the United States is unprepared to respond to a 'cyber-Katrina' and that a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector.
According to the 2011 report "In the Dark: Crucial Industries Confront Cyberattacks", prepared by Stewart Baker, Natalia Filipiak and Katrina Timlin for McAfee,
of 200 executives of mission-critical facilities in 14 countries, 80% have faced large-scale cyberattacks, and 25% have even been subject to extortion by attackers. 30% of companies are not ready for such attacks, while 40% expect to be targeted by hackers next year.
The article "SCADA hack talk canceled after US, Siemens request" by Elinor Mills for cnet.com reported that
a talk on how to hack SCADA systems was canceled at the request of a Siemens representative, reportedly because Siemens was not yet able to cope with the existing security threats. In the article's words: "Two researchers say they canceled a talk at a security conference today on how to attack critical infrastructure systems, after U.S. cybersecurity and Siemens representatives asked them not to discuss their work publicly."
It is also important to note the mass introduction of machine tools with computer numerical control (CNC), which have significant advantages over conventional machine tools in accuracy, speed and other characteristics.
Since CNC machines can be controlled remotely over Ethernet or Wi-Fi connections, new information security threats need to be addressed.

Potential targets of virus impact
  Before proposing an action plan, let us analyze the potential targets of a virus's impact.
  A virus can affect the following components of an automated system:
  • User data;
  • Software;
  • Hardware;
  • Telecommunication infrastructure;
  • User.
As a result of an impact on user data, working documents and multimedia data can be damaged or deleted.
  As a result of an impact on software, the operation of the operating system and applications can be disrupted: both popular packages like Microsoft Office and specialized software such as Mathcad and Matlab.
  As a result of an impact on hardware, both primary equipment, such as the motherboard and hard drive, and peripheral equipment, such as a printer or a CNC lathe, can be put out of action. For example, the Stuxnet virus targeted the PLC controllers of Siemens SCADA systems.
  As a result of an impact on the telecommunication infrastructure, interaction between network nodes can be disrupted and network equipment disabled.
  As a result of an impact on the user, for example, well-being and health can be harmed by low-frequency sound from the internal speaker of the system unit. The book "General Hygiene" by A.M. Bolshakova and I.M. Novikova cites studies according to which "infrasound reduces sensitivity and vestibular stability, causing anxiety and pain in the ears and spine; long-term exposure to infrasound causes peripheral circulation disorders, which lead to the degeneration of organs, focal necrosis and micromegaly."

Why can't viruses be stopped?
   There are three main reasons:
  • Vulnerability of the perimeter protection itself;
  • Lack of appropriate preemptive work in companies;
  • Complexity of analyzing advanced viruses.
Let's briefly comment on each of them.
   Firstly, the perimeter defenses themselves are vulnerable. Nobody can prevent virus writers from buying corporate versions of popular protection systems and running them offline. By repeatedly testing the virus and changing its algorithm or obfuscating its code, they can ensure that the protection system will not detect it, at which point it is ready to use. Virus writers use both steganography and technical stealth techniques that prevent a malicious object from being detected heuristically. For example, hackers bypassed driver signature validation this way: Stuxnet used certificates of Realtek and JMicron, and Flame used a certificate chained to Microsoft itself (see Microsoft Security Advisory 2718704). The result is that the Microsoft driver signing system does not fully meet the new challenges.
   Secondly, it is often not profitable for companies to invest substantial funds in projects that may never pay off. A striking example is hardware virtualization, on the basis of which both protection systems and malware can be implemented, each gaining advantages from it. Unfortunately, only a few companies have taken this into account: Symantec Endpoint Protection 12.1 includes a hypervisor detection module, and McAfee Deep Defender is itself based on a hypervisor. Only selected defense research units can afford to be proactive and actively research advanced technologies, for example DSTL (UK), DRDC (Canada), DARPA (USA), COSTIND (China) or the Foundation for Advanced Research Projects (Russia). It is worth noting that the experimental samples produced by these units lack industrial maturity and are far from widespread deployment.
   Thirdly, even after receiving virus samples, experts at antivirus companies cannot always analyze them promptly and stop the infection. Analysis of Stuxnet took several months, and it is hard to say how long it will take to analyze Flame, which is considerably more complex. And how many more viruses like Flame are roaming uncontrolled in the wild? So what we have is sophisticated viruses that cannot be stopped and vulnerable systems that are impossible to defend. Is it all hopeless?

The proposed approach for detection
  Nevertheless, what shall we do? Be strong! Three main steps are proposed for dealing with new viruses:
  1. Pursue a preemptive tactic.
  2. Use approaches to virus detection that are as unique and varied as possible.
  3. Continuously develop and improve.
Work in advance
   Any weapon becomes obsolete, but in the world of information security it happens faster than anywhere else. At present we see virus technologies improving faster than antivirus vendors can respond.
It is necessary to create a rootkit in the laboratory, make it undetectable by popular antiviruses, and then develop a detection system for that new rootkit. As an example I can cite my projects and my students' projects: although the main subject of the work is the creation of a system for detecting objects either inside the OS or outside it, work on creating a hidden software sample is always carried out in parallel.

Use of unique approaches
    The creation of viruses is usually bound up with the problem of hiding them in the OS. To ensure detection of hidden objects, new and unique detection methods are needed that allow a decision on the presence of a virus regardless of the concealment method used. Here we present a method for detecting concealment, using processes in Windows as the example. After a process starts, a number of structures corresponding to it are created in memory: EPROCESS, ETHREAD, handle structures and many others. To work with these structures they are joined into lists. Driver and process structures are in kernel memory, while service structures are in the user-mode memory of the SERVICES.EXE process.
Fig 1 - Process, threads, drivers and services structures in OS Windows

    It is known that standard OS tools collect information on running processes by walking the list of EPROCESS structures, following the links between them.
As the hiding technique we use classic DKOM (Direct Kernel Object Manipulation), described in the book "Rootkits: Subverting the Windows Kernel" by Greg Hoglund and Jamie Butler; it consists in changing the pointers of the neighboring EPROCESS structures so that the target structure is unlinked from the list.
Fig 2 - Sample of hiding objects

  To detect the concealment, the list of processes must be obtained from a different source, because the EPROCESS list is already broken. Popular anti-rootkits walk multiple lists and, if discrepancies are found, conclude that something is hidden. However, to resist anti-rootkits, virus writers may remove the corresponding structures from the other lists as well. The essence of the proposed method is to search memory for structures "similar" to EPROCESS without relying on the links between them.

Fig 3 - A list of objects structures and a sample of dynamic bit signature.

   To detect a hidden process, the following operations are performed:
  1. Create a dynamic bit signature (DBS) of the process structure as a template that "fits" all EPROCESS structures loaded in memory.
  2. Search memory for regions matching the DBS using a probabilistic test. The scan is run over the analyzed memory and yields a list of processes (the author's list).
  3. Compare the author's list with the list of processes obtained by standard OS means. If the author's list contains processes absent from the list obtained by standard means, those processes are hidden.
The DBS is created as follows:
  1. Walk the list of existing EPROCESS structures and compare them bitwise.
  2. When a given bit has the same value in all structures, save that value together with its offset.
  3. Repeat steps 1 and 2 for every bit of the EPROCESS structure. The result is the DBS of the process structure.
When searching for "similar" fragments of memory, an 80-90% match with the template is sufficient.
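The DKOM unlinking described above and the three-step DBS procedure, worked through as an added example that is not part of the original article or the author's tool. It models a process object as a constructed 64-byte record (a stand-in for EPROCESS, not the real layout) inside a bytearray standing in for kernel memory, hides one object by relinking its neighbours, builds the bit signature from the objects the list walk still shows, and then scans memory for everything that matches the signature at the 85% threshold. The field layout, offsets, pids and names are all assumptions made for the example. One design choice is my own rather than the article's: the template's 1-bits and 0-bits are scored separately, because a template that is mostly 0-bits would otherwise match any zero-filled page.

```python
"""Toy model of DKOM hiding and dynamic-bit-signature (DBS) detection.
Not Windows code: a constructed 64-byte record stands in for EPROCESS and a
bytearray stands in for kernel memory. Assumed record layout:
  0x00 4s tag 'Proc'  0x04 I size  0x08 I flink  0x0C I blink  0x10 I pid
  0x14 I flags  0x18 16s name  0x28 I create time  0x2C 20 zero pad bytes"""
import random
import struct

FMT = "<4sIIIII16sI20x"
SIZE = struct.calcsize(FMT)   # 64
TAG = b"Proc"
OFF_FLINK, OFF_BLINK, OFF_PID, OFF_FLAGS = 0x08, 0x0C, 0x10, 0x14

def u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]

def build_image(procs, size=0x4000, seed=1):
    """procs: (offset, pid, flags, name, ctime) tuples. Objects are linked in a
    circular doubly-linked list; the rest of memory is pseudo-random noise plus
    one zero-filled page, the case a naive template scan gets wrong."""
    rng = random.Random(seed)
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    mem[0x3000:0x4000] = bytes(0x1000)
    offs = [p[0] for p in procs]
    for i, (off, pid, flags, name, ctime) in enumerate(procs):
        struct.pack_into(FMT, mem, off, TAG, SIZE, offs[(i + 1) % len(offs)],
                         offs[i - 1], pid, flags, name.encode().ljust(16, b"\0"), ctime)
    return mem

def dkom_unlink(mem, off):
    """Classic DKOM: splice the object out of the list but leave it in memory."""
    flink, blink = u32(mem, off + OFF_FLINK), u32(mem, off + OFF_BLINK)
    struct.pack_into("<I", mem, blink + OFF_FLINK, flink)    # prev.flink = cur.flink
    struct.pack_into("<I", mem, flink + OFF_BLINK, blink)    # next.blink = cur.blink
    struct.pack_into("<II", mem, off + OFF_FLINK, off, off)  # point at itself

def walk_list(mem, head):
    """What the OS and list-walking tools see: follow flink back to head."""
    seen, off = {}, head
    while True:
        seen[u32(mem, off + OFF_PID)] = off
        off = u32(mem, off + OFF_FLINK)
        if off == head:
            return seen

def build_dbs(samples):
    """Steps 1-3 of the DBS recipe: a bit is significant when every sample agrees.
    Returns (mask, value): mask bit set = significant, value = expected bit."""
    n = len(samples[0])
    mask, value = bytearray(n), bytearray(n)
    for i in range(n):
        ones, zeros = 0xFF, 0xFF
        for s in samples:
            ones &= s[i]                 # bits set in all samples
            zeros &= ~s[i] & 0xFF        # bits clear in all samples
        mask[i], value[i] = ones | zeros, ones
    return bytes(mask), bytes(value)

def match_fractions(window, mask, value):
    """Fraction of significant 1-bits and of significant 0-bits the window
    reproduces. Scored separately (my choice, not the article's) so that a
    zero-filled page cannot pass on the template's many 0-bits alone."""
    s_tot = s_hit = z_tot = z_hit = 0
    for w, m, v in zip(window, mask, value):
        ones, zeros = m & v, m & ~v & 0xFF
        s_tot += bin(ones).count("1"); s_hit += bin(ones & w).count("1")
        z_tot += bin(zeros).count("1"); z_hit += bin(zeros & ~w & 0xFF).count("1")
    return (s_hit / s_tot if s_tot else 0.0), (z_hit / z_tot if z_tot else 0.0)

def scan(mem, mask, value, threshold=0.85, align=8):
    """Probabilistic search: every aligned window matching >= threshold is a hit."""
    return [off for off in range(0, len(mem) - SIZE + 1, align)
            if all(f >= threshold for f in match_fractions(mem[off:off + SIZE], mask, value))]

def detect_hidden(mem, head, threshold=0.85):
    """Returns (pid->offset seen by the OS, pid->offset found by scan, hidden)."""
    visible = walk_list(mem, head)
    mask, value = build_dbs([mem[o:o + SIZE] for o in visible.values()])
    found = {u32(mem, o + OFF_PID): o for o in scan(mem, mask, value, threshold)}
    return visible, found, {p: o for p, o in found.items() if p not in visible}

PROCS = [  # constructed sample data: offset, pid, flags, name, create time
    (0x0100, 4,    0x00C00801, "System",      0x4F5A0001),
    (0x0500, 312,  0x00C00811, "smss.exe",    0x4F5A0010),
    (0x0900, 1048, 0x00C00801, "csrss.exe",   0x4F5A0012),
    (0x0D00, 1776, 0x00C00811, "evil.exe",    0x4F5A1000),
    (0x1100, 2300, 0x00C00801, "svchost.exe", 0x4F5A1034),
]

def demo():
    mem = build_image(PROCS)
    dkom_unlink(mem, 0x0D00)                                     # rootkit hides pid 1776
    struct.pack_into("<I", mem, 0x0D00 + OFF_FLAGS, 0x00C00810)  # ... and tampers a field
    return detect_hidden(mem, head=0x0100)

if __name__ == "__main__":
    visible, found, hidden = demo()
    print("OS list :", sorted(visible))
    print("DBS scan:", sorted(found))
    print("hidden  :", {p: hex(o) for p, o in hidden.items()})
```

Running `demo()` gives an OS list of four pids, a scan that finds all five records (the noise and the zero page produce no hits), and `{1776: 0xD00}` as the hidden process, even though the rootkit also changed the flags field of the hidden record: the altered bits are a small fraction of the roughly forty significant 1-bits and four hundred significant 0-bits the template carries. The scan here runs over a memory image, which is why it is written in Python; a live implementation reads physical memory from a driver instead but applies the same mask-and-value test.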
  This DBS-based method of hidden process detection has several advantages:
  1. Because the EPROCESS template contains about 300 significant bits, the practical probability of a false positive is zero, while the probabilistic check can detect even deliberately altered structures;
  2. The DBS does not use any Windows functions to obtain the final list of objects, so it is much harder to counter: the result cannot be changed by hooking or by modifying kernel structures;
  3. The DBS makes the method portable, since the EPROCESS layout differs between OS versions and service packs and the signature is derived from the running system rather than hard-coded.
The idea of signatures is not new. Andreas Schuster of Deutsche Telekom AG Group Security proposed static signatures for process detection in the paper "Searching for Processes and Threads in Microsoft Windows Memory Dumps". His signatures depend on the version of Windows, whereas with DBS this knowledge is not required.
  Counteraction to detection is possible only by resetting all fields of the chosen structure, which disrupts the system and causes a BSOD.
  DBS works portably on all 32-bit versions of Windows; detecting hidden objects on 64-bit Windows requires only minimal changes to the source code.
  The method is prompt, since it does not depend on observing viral activity such as file system, registry or network operations.
  This method certainly does not solve every problem of hidden software, but its regular use provides assurance that no hidden processes are present, which is a lot.

Continue improving
  It is necessary to monitor publications about new and advanced computer technologies, operating systems and their protection carefully. It is necessary to hire the best experts, provide for their training, and actively participate in professional conferences, including foreign ones.
  This requires specialists. But what should countries do if they lack such expertise? After all, will any state allow foreign experts to work on its strategic facilities? It is essential to train one's own experts, abroad or by inviting foreigners. Unfortunately, time is almost gone. We are currently preparing such a course, which should go deeper than the existing ones.
  Combined use of these three steps will help build a detection system that is technically very difficult to resist.

  Today people use information technology to control virtually all infrastructure, and the information security of these systems is of paramount importance.
  At present hackers leave protective tools far behind. To turn the tide in our favor, protection must improve faster than hackers come up with ways to circumvent it. In our opinion, great attention should be paid to protecting the internal perimeter. Even though the dark side has very intelligent people and a great deal of money, it seems possible to win this confrontation.

Information about the author
   Igor Korkin, Ph.D., is a specialist in information security. He works at the Moscow Engineering Physics Institute, training postgraduate students and supervising students. He has been engaged in rootkit technologies for over 5 years, is the author of more than 10 scientific papers, and is the winner of the "Hackers vs. Forensics" contest at the Positive Hack Days 2012 forum in Moscow, Russia. His publications can be followed on his website at sites.google.com/site/igorkorkin .