A Hybrid Root-kit for Linux Operating System

Hacking has been around almost since the first computers were connected together. Every day many new vulnerabilities/exploits are released and many computers become compromised. This is good for an attacker because there is a constant stream of new vulnerabilities/exploits that can be leveraged to break into computers. However, with newly published exploits comes a newly released patch for those exploits (usually). This is the reason that attackers have developed „back-doors‟ commonly referred to as root-kits. A root-kit is a post-compromise tool that an attacker uses to maintain access and often collects information from users such as passwords, credit card information, social security numbers, and other sensitive information. The importance of a root-kit is that once the vulnerability which was used to exploit the system is patched, the attacker can still get back in through a „backdoor‟. The purpose of this paper was to explore the area of root-kits by taking the role of an attacker and actually developing a root-kit that targets the Linux 2.6 kernel. By doing this we were are able to gain a great amount of insight into the internal workings of the kernel as well as its shortcomings with regards to security by developing a Linux Kernel Module (LKM) key-logger. We also look into some common techniques used by root-kits for providing a backdoor to the attacker. Then we investigate some come and simple techniques that root-kits utilize for stealth (it is imperative that the users/administrators do not know the system is compromised). Finally, we look at a simple and elegant solution for infecting a compromised computer with the root-kit we developed

Intelligent Malware Detection System

Malicious programs spy on users’ behavior and compromise their privacy. Unfortunately, existing techniques for detecting malware and analyzing unknown code samples are insufficient and have significant shortcomings. We observe that malicious information access and processing behavior is the fundamental trait of numerous malware categories breaching users’ privacy (including key loggers, password thieves, network sniffers, stealth backdoors, spyware and root kits), which separates these malicious applications from benign software. Commercial anti-virus software is unable to provide protection against newly launched (“zero-day”) malware. In this dissertation work, we propose a novel malware detection technique which is based on the analysis of byte-level file content. The proposed dissertation work will demonstrate the implementation of system for detection of various types of malware

Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features

An operating system is an essential piece of software that manages hardware and software resources. Thus, attacks on an operating system kernel using kernel rootkits pose a particularly serious threat. Detecting an attack is difficult when the operating system kernel is infected with a kernel rootkit. For this reason, handling an attack will be delayed causing an increase in the amount of damage done to a computer system. In this paper, we propose Kernel Rootkits Guard (KRGuard), which is a new method to detect kernel rootkits that monitors branch records in the kernel space. Since many kernel rootkits make branches that differ from the usual branches in the kernel space, KRGuard can detect these differences by using the hardware features of commodity processors. Our evaluation shows that KRGuard can detect kernel rootkits that involve new branches in the system call handler processing with small overhead

Why We Cannot (Yet) Ensure the Cybersecurity of Safety-Critical Systems

There is a growing threat to the cyber-security of safety-critical systems. The introduction of Commercial Off The Shelf (COTS) software, including Linux, specialist VOIP applications and Satellite Based Augmentation Systems across the aviation, maritime, rail and power-generation infrastructures has created common, vulnerabilities. In consequence, more people now possess the technical skills required to identify and exploit vulnerabilities in safety-critical systems. Arguably for the first time there is the potential for cross-modal attacks leading to future ‘cyber storms’. This situation is compounded by the failure of public-private partnerships to establish the cyber-security of safety critical applications. The fiscal crisis has prevented governments from attracting and retaining competent regulators at the intersection of safety and cyber-security. In particular, we argue that superficial similarities between safety and security have led to security policies that cannot be implemented in safety-critical systems. Existing office-based security standards, such as the ISO27k series, cannot easily be integrated with standards such as IEC61508 or ISO26262. Hybrid standards such as IEC 62443 lack credible validation. There is an urgent need to move beyond high-level policies and address the more detailed engineering challenges that threaten the cyber-security of safety-critical systems. In particular, we consider the ways in which cyber-security concerns undermine traditional forms of safety engineering, for example by invalidating conventional forms of risk assessment. We also summarise the ways in which safety concerns frustrate the deployment of conventional mechanisms for cyber-security, including intrusion detection systems

Hypervisor Integrity Measurement Assistant

An attacker who has gained access to a computer may want to upload or modify configuration files, etc., and run arbitrary programs of his choice. We can severely restrict the power of the attacker by having a white-list of approved file checksums and preventing the kernel from loading loading any file with a bad checksum. The check may be placed in the kernel, but that requires a kernel that is prepared for it. The check may also be placed in a hypervisor which intercepts and prevents the kernel from loading a bad file. We describe the implementation of and give performance results for two systems. In one the checksumming, or integrity measurement, and decision is performed by the hypervisor instead of the OS. In the other only the final integrity decision is done in the hypervisor. By moving the integrity check out from the VM kernel it becomes harder for the intruder to bypass the check. We conclude that it is technically possible to put file integrity control into the hypervisor, both for kernels without and with pre-compiled support for integrity measurement

Classifying malicious windows executables using anomaly based detection

A malicious executable is broadly defined as any program or piece of code designed to cause damage to a system or the information it contains, or to prevent the system from being used in a normal manner. A generic term used to describe any kind of malicious software is Maiware, which includes Viruses, Worms, Trojans, Backdoors, Root-kits, Spyware and Exploits. Anomaly detection is technique which builds a statistical profile of the normal and malicious data and classifies unseen data based on these two profiles. A detection system is presented here which is anomaly based and focuses on the Windows® platform. Several file infection techniques were studied to understand what particular features in the executable binary are more susceptible to being used for the malicious code propagation. A framework is presented for collecting data for both static (non-execution based) as well as dynamic (execution based) analysis of the malicious executables. Two specific features are extracted using static analysis, Windows API (from the Import Address Table of the Portable Executable Header) and the hex byte frequency count (collected using Hexdump utility) which have been explained in detail. Dynamic analysis features which were extracted are briefly mentioned and the major challenges faced using this data is explained. Classification results using Support Vector Machines for anomaly detection is shown for the two static analysis features. Experimental results have provided classification results with up to 94% accuracy for new, previously unseen executables

Malware Forensics: Discovery of the Intent of Deception

Malicious software (malware) has a wide variety of analysis avoidance techniques that it can employ to hinder forensic analysis. Although legitimate software can incorporate the same analysis avoidance techniques to provide a measure of protection against reverse engineering and to protect intellectual property, malware invariably makes much greater use of such techniques to make detailed analysis labour intensive and very time consuming. Analysis avoidance techniques are so heavily used by malware that the detection of the use of analysis avoidance techniques could be a very good indicator of the presence of malicious intent. However, there is a tendency for analysis tools to focus on hiding the presence of the tool itself from being detected by the malware, and not on recording the detection and recording of analysis avoidance techniques. In addition, the coverage of anti-anti-analysis techniques in common tools and plugins is much less than the number of analysis avoidance techniques that exist. The purpose of this paper is to suggest that the discovery of the intent of deception may be a very good indicator of an underlying malicious objective of the software under investigation

Malware Forensics: Discovery of the Intent of Deception

Malicious software (malware) has a wide variety of analysis avoidance techniques that it can employ to hinder forensic analysis. Although legitimate software can incorporate the same analysis avoidance techniques to provide a measure of protection against reverse engineering and to protect intellectual property, malware invariably makes much greater use of such techniques to make detailed analysis labour intensive and very time consuming. Analysis avoidance techniques are so heavily used by malware that the detection of the use of analysis avoidance techniques could be a very good indicator of the presence of malicious intent. However, there is a tendency for analysis tools to focus on hiding the presence of the tool itself from being detected by the malware, and not on recording the detection and recording of analysis avoidance techniques. In addition, the coverage of anti-anti-analysis techniques in common tools and plugins is much less than the number of analysis avoidance techniques that exist. The purpose of this paper is to suggest that the discovery of the intent of deception may be a very good indicator of an underlying malicious objective of the software under investigation