23. Rootkits – Frightening Demo
Okay, so here we are back at our XP Attacker machine. And the reason I’m using XP is because the rootkit that I want to demonstrate for you, which is one of the very few GUI-based rootkits, only works with XP Service Pack One and below. And so, naturally, I have this machine set for XP Service Pack One. The concepts are exactly the same, but this does a very good job of explaining everything. All right? So the first thing I’m going to do is open up My Computer, and there will be a lab on this, so you could do this yourself. You could do it either with your manual lab or with the online lab, whichever you prefer. I’m going to go into Lab Folders and I’m going to open up the directory called Windows XP Rootkit.
Now, when I do this, I’m going to just make this a little bit small over here so I can kind of see everything that is going on. And I’m also going to right-click on this and open up Task Manager. All right? And I’m going to kind of put them a little bit side by side. Now, it’s very important that I do the next step, because if the next step is not done, unfortunately, we would actually have to reinstall our virtual machines. And let me kind of explain what’s going on. What I’m going to do right here is say Take Snapshot, and I’m going to call this one Bfrk. Okay? Before Rootkit. Now let me kind of explain what’s going on. A rootkit, as we talked about before, by definition consists of changes to operating system files that do your bidding as opposed to what the original manufacturer intended for them to do.
A rootkit is also not additive, so I would not be able to, let’s say, hide these files, try that on the rootkit, and then add another one on top of that. It would blue screen the machine. So what you have to do is take a pristine snapshot of the machine before we get started. And as a matter of fact, this is the reason we’re using VMware Workstation Professional as opposed to VMware Player, which doesn’t allow you to do snapshots. So this is absolutely essential. So what I’m going to do right here is just kind of scoop this over a little bit and put this in here, and I’ll double-click. Okay? So like I said, I’m going to do just a little bit of sizing right here, and I’m going to open up this file called Rootkit.
Just double-click on it. It’s going to execute, and it’s going to give me a menu of things that I would like to hide. All right? I can hide processes, I can hide files, I can hide registry entries, and I can even hide connections that are being made to your machine right now. So when you think about it, it’s possible you could have a rootkit in your machine right now with somebody exfiltrating your data and you not even know it. This is what makes the rootkit so scary. So when I do this in my classes, what I ask the students to do is pick any one of these processes where it says Image Name here. And I also mention: don’t be a smart aleck and pick System Idle Process, and don’t be a smart aleck and pick service host. But anything else is perfectly fine.
And I’m going to show you how the magician’s finger is quicker than the eye, because it’s going to simply disappear right in front of you. Because I’m such a poor speller, I’m just going to pick something that’s short. But we could pick anything we want. I’m going to right-click on this and click Add. And the image name or the process must be the correct case. For example, this would have to be typed in all upper case. This would have to be typed in mixed case. This would have to be typed in mixed case, lower case, you get the idea? Otherwise it will not work. I’m going to do alg.exe. Okay? alg.exe. And I’m going to just press OK.
I could also make a connection to my machine and hide that connection as well. Let me pause for just a moment to set that up. Okay. So what I’m going to do is go out to My Computer. I’m just going to kind of get this out of the way a little bit, and I’m going to go down to the folder called Netcat. Now netcat is our Swiss Army knife of hacking tools. It does a number of things, but it’s typically referred to as a port listener. I can start a listener on a particular port and attach to that. So what I’m going to do here is just right-click on this, wrong one, right-click on this and do a command prompt here. I’m going to type in nc, space, capital L to tell it that I want to start listening, -p 1234, which is the port, and -e cmd.exe, which is what I’d like to execute.
Now when I press Enter on that, it seems like this kind of hung. What is really happening right here is that this listener is waiting for someone to attach to that port. So I’m going to do another command prompt here, and I’m going to prove to you that the port is indeed listening. So I’m going to just simply type in netstat. I want to show you, if I do this right here, you’re going to see this one right here: 1234 is indeed listening. Okay, great. The next thing I’m going to do is go over to another machine that you won’t be able to see because it’s off of the screen share. And I’m going to basically do the same thing in reality. I’m going to create a command prompt, and I’ll just drag this in front of this so you can kind of see what I’m doing right here.
I’m going to bring this over right here, which is actually a window from another machine. And I’m going to type in nc, space, the IP address of my XP Attacker machine. So I need to find out what that is. It should be 10.10.12.26. All right, so let’s see if I can make that work here. nc 10.10.12.26. And I want to attach to it with the port 1234. When I press Enter right here, I want you to notice, if I were to type in hostname, it tells me the name of my XP Attacker machine. I pull the chair up in front of that XP Attacker. If I type in ipconfig, it’s going to give me the IP address of my XP machine. I can do anything from the command line that I want to.
Now I’m going to just simply put this off to the side for just a moment, because I’ve already proven to you that I could type dir and I could do whatever I want to. And it seems to be working just fine being attached to that listener. Now, if I come back out here and execute that command again, you’ll see that I do now have an attachment to that 1234 at this IP address, and it’s been established. Okay, great. Okay, so let’s kind of move this out of the way just a little bit. You’ll notice right here I put in alg. Okay? I’m also going to put in another file. And that file is, guess what? nc.exe. That’s the netcat I’m going to hide as well. If you recall what I said, the rootkit is not additive. That means that we can do whatever we want to, but we must do it all at once.
I couldn’t put in netcat and then come back and put in alg, and then come back and hide the connection. That simply would not work. So I’m going to pull out my little trusty Notepad here real quick and I’m going to write down that syntax, which is this one right here, to hide that connection. And it’s going to be star, TCP, star, colon 1234, star, colon, star. And that’s this line right here. It would hide all the traffic to local port 80. Now I’m wanting to hide all the traffic to port 1234. Fair enough. Okay, I’m going to do that. I’m just going to double-check my syntax, make sure I don’t have anything wrong. We definitely don’t want these showstoppers here. The next thing I’m going to do is take what I put in Notepad right there. I’m going to grab it.
I’m going to come over here underneath Connections, I’m going to right-click Add, and I’m going to put that in there as well. Now the next thing I’m going to do is generate this rootkit. I’m just going to call it Arcade Rootkit. How about that? You’ll notice it’s going to appear right here. This is the file that you’re going to somehow coerce somebody to run, somebody to click on, somebody to execute, whatever the case may be, to infect them with this rootkit. So I’m just going to kind of move these a little bit out of the way here so we can see all the stuff that we’re going to see. And what I want you to do is keep your eyes on two things. I want you to keep your eyes on the file called nc.exe and keep your eyes on the file called alg.exe.
Now watch what the magician is pointing at, not what he’s pointing to. And boom, they’re both gone. Wow. In reality they’re not gone, they’re still there. But let’s take a look at our network as well. And I’m going to draw back over that same connection that I had on my listener out here, and let’s just see if it still works. It’s working like a charm, proving that netcat is still listening and working just fine. But when the Windows API decided it was going to paint all of these items, it was going to skip over nc.exe and skip over alg.exe. Now here’s the pièce de résistance. Let’s see what happens if I do something like this. Let’s come up and do this, and I’m going to pipe this to make it easier. I’m going to pipe this out to find and I’m going to look for 1234.
And basically what that’s doing is it’s only going to return a line if 1234 is in it. Where are my ports that are open? Let’s take that off just to prove there’s no smoke and mirrors here, folks. We have indeed hidden that 1234, and it is no longer there. I’m sorry to tell you this, folks, but rootkits are very dangerous. Let me explain one last thing and we’ll end this up. I told you earlier that the rootkit is going to affect something that is manipulated by the Windows API. One way of detecting if a rootkit is there is to do something using the Windows API and do the same thing writing all the code yourself. In other words, don’t use the Windows API. Let’s say, for example, we’re going to add up all the files in a particular directory using the Windows API.
We should have some total. Not using the Windows API, which could be kind of a long situation, we still should have the same total. If we have differing totals, things that make you go hmm, like what color does a Smurf turn when you choke him? Why do they have locks on 7-Elevens when they’re open 24 hours? Naturally something’s wrong. I’m going to next show you a utility that does not use the Windows API. I can open up a command prompt here, and I’m going to type in Fport. And looky there, 1234 with netcat. This is a technique known as cross-site comparison. So I should be getting the same thing on both ends, but one showed it, the other didn’t. And you can also see here’s the alg as well, the nc. You know, everything that I hid. Okay, I hope you enjoyed that. That’s also one of my really popular demos.
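The netstat-versus-Fport check at the end of the demo, and the file-count check RootkitRevealer does in the next section, are the same idea: enumerate the same objects through two independent paths and diff the results. The script below is an added example, not the course’s own code or any real tool’s output; the netstat and Fport-style listings are constructed to mirror the demo box after the 1234 listener was hidden.

```python
import re
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]  # (protocol, local port)

# Constructed sample: what "netstat -an" showed on the demo box after the rootkit
# hid the listener on 1234 (these lines are made up for this example).
NETSTAT_OUTPUT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.10.12.26:139        0.0.0.0:0              LISTENING
  TCP    10.10.12.26:139        10.10.12.30:1044       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample in the style of Fport, a tool that reads the port table
# without going through the hooked enumeration path (also made up here).
FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
964   svchost        ->  135   TCP   C:\WINDOWS\system32\svchost.exe
4     System         ->  139   TCP
4     System         ->  445   TCP
1412  nc             ->  1234  TCP   C:\Lab Folders\Netcat\nc.exe
4     System         ->  445   UDP
"""

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?\s*$")
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(.*))?$")

def parse_netstat(text: str) -> Set[Endpoint]:
    """Listening endpoints as seen through the API-level view (netstat)."""
    found = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        # UDP has no state column; a TCP row only counts when it is a listener.
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, port))
    return found

def parse_fport(text: str) -> Dict[Endpoint, str]:
    """Listening endpoints from the independent view, mapped to the owning process."""
    found = {}
    for line in text.splitlines():
        m = FPORT_RE.match(line)
        if m:
            found[(m.group(4), int(m.group(3)))] = m.group(2)
    return found

def cross_view_diff(api_view: Set[Endpoint], raw_view: Dict[Endpoint, str]) -> Dict[str, list]:
    """Anything the raw view has that the API view lacks is a candidate hidden object."""
    hidden = sorted(e for e in raw_view if e not in api_view)
    phantom = sorted(e for e in api_view if e not in raw_view)
    return {"hidden": [(p, n, raw_view[(p, n)]) for p, n in hidden], "phantom": phantom}

def find_hidden_listeners(netstat_text: str = NETSTAT_OUTPUT, fport_text: str = FPORT_OUTPUT):
    return cross_view_diff(parse_netstat(netstat_text), parse_fport(fport_text))

if __name__ == "__main__":
    for proto, port, proc in find_hidden_listeners()["hidden"]:
        print(f"HIDDEN: {proto}/{port} owned by {proc}")   # prints HIDDEN: TCP/1234 owned by nc
```

On a live box the two inputs would come from running the tools themselves; the diff logic is what matters, and a non-empty "hidden" list is the signal the lecture describes.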
24. Rootkit Countermeasures, Tokens and Smart Cards
Well, I tell you what, you guys have been such an excellent class. We only have just about two or three more slides left in this section, and then we can sit back and take a well-deserved break. I know I need one. Let’s start off talking about Windows rootkit countermeasures. We saw how evil, evil, evil rootkits can be, but the problem is, how do we know if we even have one? It’s very possible we could have a rootkit right now that’s hiding the connection someone has to it, hiding various files or registry entries, and we just simply don’t know it. You’ve heard the old saying, well, ignorance is bliss. Well, unfortunately, that’s exactly what the rootkit authors want you to do. There are easy ways to detect the installation of a rootkit.
You can use anti-rootkit tools like RootkitRevealer from Mark Russinovich. Now, RootkitRevealer does the technique that I was talking about earlier. It does something called cross-site comparison. What it does is it takes your entire C drive and uses the Windows API and adds up the total number of files and sizes that you have. It then adds up the files, but it doesn’t use the Windows API; it calculates it itself. Obviously, you would sure think we would have the same total. If we don’t, things that make you go hmm. The biggest problem that we have with rootkits is that it’s very difficult to detect a rootkit when we are trying to run the rootkit eradication or RootkitRevealer software on the same machine we’re trying to remove it from.
Because the rootkit can be programmed to protect itself and skip over certain things and so on. There are some tools that do a pretty good job. Some anti-spyware products may detect rootkits. BlackLight is a really good one. Even older versions of antivirus, like Pest Control, were able to find some rootkits. The best and absolutely hard and fast 100% way that you know you don’t have a rootkit is, and you know what I’m going to say, burn it down. So what you have to do is take your data center and scorch the whole thing. Basically, on a known clean system, use a hashing and file monitoring solution to alert if critical files have been changed, using something like Tripwire. Make sure that you use the original CDs to install everything, or if you restore from a backup, you very well could be getting the rootkit again.
You just simply don’t know. Document services and install procedures. One trick that sometimes reveals them: if the system is suspect, boot into Safe Mode. This very well could make rootkit files visible if the rootkit uses some kind of drivers. It should be noted that it’s not going to help if the actual kernel file is changed. Once a rootkit has been detected, erase everything. This is what I was talking about: scorch, burn the whole thing down and reinstall the operating system. Without internet connectivity, patch with all service packs and hotfixes, and then, if it were me, I would take an image of that particular machine so you could save a pristine version of it for later. Now this is not a virtualization course, and I teach a lot of virtualization, and there are some really neat tricks that you could do with that.
As a matter of fact, they have certain desktop virtualization mechanisms where they actually boot up fresh every single night. So the perpetrator would have to infect you every single day for him to actually get something in there. Backups naturally should also be scanned, because they could have malicious content. Keep in mind it’s fine to scan the backup as long as we’re not doing it on the machine running the backup. The best way to do this is booting from a live CD or another trusted operating system, and this could allow visibility of the rootkit file. However, removing the malware is no guarantee the system is going to be back to normal. You just don’t know. The best thing to do is, I’m sorry guys, burn it down.
The standard method of removing a rootkit in a corporate environment is to wipe the drive completely and reinstall the operating system from the original CDs. Let’s shift gears here in just a second and talk about tokens and smart cards. There are two different types of multifactor authentication. Now, first off, let’s go through this. There are three factors of authentication, and I’m hoping somebody can think of what those are. And I know that I’m just talking to the wall here, so I’m going to have to say it. The three factors of authentication are something you know, like a password; something you have, maybe like an ATM card; and something you are, like a fingerprint or a retina scan. It is said that if you have two of the three factors, you are very secure.
Three of the three factors is even more secure. It is important to note that using multifactor authentication can have an Achilles heel. I can guarantee you a number of you receive a PIN code from your bank on your cell phone and you utilize that to log on to your bank along with your password. So this is something we know and something we have, our cell phone. I think you are going to be floored when I ask you to watch a 20-minute video, and you will never use out-of-band signaling again over your cell phone. Out-of-band signaling on our cell phone has a huge flaw that, well, unfortunately the NSA and a lot of government entities have been using for years, and it’s called Signaling System 7.
It’s the way that telephone long distance carriers, the LATAs, if you recall that term, and the RBOCs when Bell broke up, were able to exchange information between each other to pay for toll calls. Now, on a land-based line this was perfectly fine. We just made sure we used a separate channel. Unfortunately, on cell phones, we only have one channel, that’s the air, and someone could easily pick that out of the air because it is not encrypted. You’re probably saying at this point, what idiot thought of that? A very good question. As a matter of fact, they’re trying to fix this problem. But there are about 800 different cell phone companies, and in reality, if you call from AT&T to AT&T, you are perfectly safe. If you call from AT&T to T-Mobile, I can use Signaling System 7 and grab whatever I want.
It’s from carrier to carrier where the problem is located. So with that said, it’s very important for you not to use your cell phone using what’s called out-of-band signaling so that you’re able to determine what that PIN is. All right? So if we understand what out-of-band signaling is, let’s see if we can understand what a synchronous crystal is. Now, you’ve probably seen some of these before with the RSA SecurID and smart card. That is what’s referred to as a synchronous crystal. There’s a crystal that’s built into the RSA SecurID that oscillates at a particular frequency. The server knows exactly what that frequency is. You’ve probably seen these cards where they will slowly turn over a new number, and you use that, along with your PIN, as your password to log in.
Those are perfectly safe so long as no one has gotten the serial number off of your RSA SecurID, which unfortunately happened in the past. But out-of-band signaling, I can just grab it right out of the air. And I encourage you to watch the video that I’m going to attach to this particular lecture. You will never treat your smartphone the same way again. To wrap this up, multifactor authentication relies on combining different ways of confirming your identity from different categories. The categories are normally something you know, such as a password; something you have, like a smart card or token; and something you are, such as a fingerprint or an iris scan. Combining two or more of these factors dramatically increases the difficulty involved in an impersonation.
Tokens often function as a one-time pad in that once a password has been used, or once a short time limit has passed, it’s no longer valid. Smart cards function by computing a simple cryptographic function and returning the result to the reader. Both count under the, quote unquote, something you have category we spoke about. Now, smart cards, oftentimes you’ll see these referred to as smart cards or key cards, a CAC card that’s used in the military. I was teaching this class back in 2003. The US government came out with a mandate that said, in 2004, you must provide multiple factors of authentication to get into your bank account. And I was telling my classes, you know what, guys? They’re going to be sending you one of these things over here and a card with a chip on it.
That’s the only way you’re going to be able to get into your bank. That was, like, in November, December. Then January rolled around. They didn’t send any cards. What is going on with this? There’s a law that says you have to do that. Well, unfortunately, certain individuals didn’t read the law correctly. Basically what they said is you needed to have two factors of authentication. Not two different factors, but two factors. This is the reason that your bank account asks you, who was your best friend in high school? What’s your mother’s maiden name? That is two of something you know. If you’re saying to yourself, that’s kind of cheating, well, welcome to my world. Again, I encourage you, watch the video that I attach to this, and I promise you, you will never use your cell phone the same way again.