
Technology Blueprint

Fighting Rootkits

Protecting against stealthy malware by flying under the operating system

Upload: trankhanh

Post on 11-Jun-2018



The Situation

You have deployed every security solution imaginable. You leverage defense in depth. You update and patch regularly. You have built a fortress with a moat. But deep below all your tools is a rootkit saying “everything is ok” while secretly monitoring everything the system is doing and silently extracting data. How can this happen?

Driving Concerns

Antivirus? Check. Antimalware? Check. Antispyware? Check. Host-based firewall? Check. Host-based IPS? Check. Anti-rootkit? Not sure.

In 2011, McAfee saw over 75 million individual pieces of malware. Fortunately, most organizations were not compromised by the majority of those viruses, Trojans, and spyware. These typical threats were caught by a combination of antivirus (AV), Host Intrusion Prevention Systems (HIPS), and Desktop Firewalls (DFW). While we should not take these threats lightly, these established methods fight against most of these types of threats.

What should really concern us is the growing presence of rootkits, and the zero-day exploits used to deploy them. Traditional security solutions work at the application layer, using hooks into the underlying OS. Rootkits are playing unfair, going below the operating system for their nefarious deeds.

A rootkit is a specific type of malware that gains privileged access to a system while actively hiding its presence from users and security tools. Rootkits typically provide a remote user access to all resources on the system on which the rootkit is installed. They often join the compromised system to other “rooted” systems as part of a larger botnet.

Three factors are driving the rise of rootkits:

• Ease of creation. It used to be that it took a significant level of technical knowledge to create a rootkit that would give the desired access and remain undetected. There was a certain art to tapping into the arcane knowledge of injecting malware into the operating system. Now, however, there are a number of rootkit crafting tools that let someone with zero coding skill create a custom rootkit tailored to their specific needs.

• Target-rich environment. When is the last time you used a computer (or printer, TV, or phone) that wasn’t connected to the Internet? This added connectivity brings added onramps for rootkits. While organizations work to provide a solid perimeter, that perimeter is eroded by users taking their work laptops outside the corporate firewall or logging into work systems from home. Recent incidents have also shown that the remote access tools that administrators use for troubleshooting and updating can be compromised and used as backdoors for malicious behavior.

• Organized cybercrime. Now that more intellectual property, financial information, and critical infrastructure are available on systems connected to the Internet, organized crime syndicates have taken notice. The reasons for these attacks can range from purely financial to political to international espionage. Regardless of the reason, the point remains the same: there are highly motivated groups regarding your data with envious eyes.


Security Connected

The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for centralized, efficient, and effective risk mitigation. Built on more than two decades of proven security practices, the Security Connected approach helps organizations of all sizes and segments—across all geographies—improve security postures, optimize security for greater cost effectiveness, and align security strategically with business initiatives. The Security Connected Reference Architecture provides a concrete path from ideas to implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe.


Why are rootkits so difficult to stop? Rootkits typically operate in kernel mode, whereas typical deployments of security software focus on user-mode space. AV works within the file system, examining accessed files and components of memory. A desktop firewall controls access to network resources at the network stack. HIPS generally work to control an application’s access to processes, services, and databases. Everything they touch resides in the operating system itself, and most of that in user-mode space.

Rootkits are also hard to defeat because they are well disguised. Building a piece of code that can inject itself into the kernel space and maintain a low profile while sending out sensitive information takes a strong understanding of the operating system and how it deals with device drivers and memory. When a developer has this level of understanding, the developer can also find ways around current security tools, evading or disabling them.

Here are three explicit examples of why rootkits stand out from the other 75 million pieces of malware and merit incremental defenses:

• Memory injection. Rootkits typically make their way into the operating system by modifying processes running in memory. The nature of AV products is that they will look at memory on read/write to the file system (on-access), or do a scheduled (on-demand) scan of active memory. Most security software does not perform on-access scans within memory, say from one active process writing to another active process, because this operation can be problematic (due to how operating systems handle memory and open processes) and add unacceptable system overhead.

• Kernel-mode space. Low-level rootkits run in kernel mode, which affords them protection and camouflage. In kernel mode, rootkits have an excellent view of the operating system and in many cases pose as part of the OS itself or use their access to low-level resources to help remain hidden. From this level, it’s a simple matter for a rootkit to override the data fed to diagnostics and forensics tools to make it appear as if nothing is wrong. They also typically run with the same permissions as (if not greater than) AV solutions, giving the rootkit the ability to protect itself from the security software. They can hide at this low level because antimalware products such as AV and HIPS may hook into the kernel-level space, but often find their ability to act against another process in the kernel space hampered by the permission system of the OS. For example, the OS may not allow antivirus to prevent write attempts to the system’s interrupt descriptor table, a typical rootkit insertion method.

• Own the OS. Rootkits modify key OS resources to get fully entrenched in a system, for example changing the import address table (IAT) and the kernel export address table (EAT). They mingle so deeply in the OS that it is difficult for something running inside the OS to detect or clean them out. If the OS becomes compromised, no security scan that originates from within the OS can be trusted.

Decision Elements

These factors could influence your architecture:

• Are you using Intel vPro enabled systems in your environment?

• Does the security team influence the purchase of employee laptops?

• Do you have a centralized security management infrastructure?

• Are you using McAfee VirusScan® Enterprise today?


Solution Description

McAfee recommends getting the upper hand on rootkit intruders by taking a dramatically different approach to protection:

• Use real-time memory and CPU protection. The primary method of intrusion by rootkits is through subverting memory in real time. As mentioned above, memory is a great infection vector due to the difficulties associated with accurately protecting it. In order to prevent memory injections, you must have a way to actively monitor memory and CPU operations from a trusted platform that cannot be compromised. If memory injection is attempted, the solution should detect and block these actions.

• Protect against known and unknown attacks. The solution should detect known rootkits and flag and block suspected malware based on behavior and reputation. Signature-based protection is a valuable tool for protecting against known attacks. When you have a signature in place, you can block an attack while also providing a high degree of forensic data. However, we cannot rely on signatures to protect against unknown attacks. Adding in behavioral rules gives protection against zero-day attacks. Reputation-based protection should add an extra level of defense to reduce infections through up-to-the-minute assessments of evolving risk.

• Get beneath the operating system. To provide real-time protection of kernel-mode rootkits, you can’t rely on something running within the OS. Rootkits typically modify and redirect key components of the OS, making them extremely difficult to remove or even detect. Think of it in terms of analysis and point of view. Even the most brilliant neurosurgeon still requires an MRI to get a look into the patient’s brain. You need something looking at the operating system and applications from the outside in to provide the insight needed for protection.

These capabilities should be an enhancement to (not a replacement of) user- and application-mode protections so that malicious operations can be identified and blocked at every level of endpoint operation. For administrative convenience, the detections and actions of anti-rootkit systems should be reported alongside other endpoint security events to support an integrated and comprehensive view of your changing security posture.


Technologies Used in the McAfee Solution

To fulfill these requirements, the McAfee solution relies on McAfee® Deep Defender, built using McAfee DeepSAFE technology, McAfee Global Threat Intelligence™, and McAfee ePolicy Orchestrator® (McAfee ePO™), our centralized policy management platform. The solution leverages the Intel vPro technology.

[Figure: McAfee GTI Cloud (device, file, web/IP, application and firmware reputation; blacklists/whitelists) exchanges cloud intelligence, updates and policies with McAfee ePolicy Orchestrator, which in turn exchanges security events, system control, security management, updates, telemetry, queries and reporting with the enterprise or consumer endpoint. On the endpoint, applications and McAfee DeepSAFE-enabled security products run in the guest OS above the McAfee DeepSAFE security agent and OS kernel; the McAfee DeepSAFE CPU-enabled security layer sits between the kernel and the system memory, chipset and Intel® Core™ i3, i5, or i7 processor with VTx/VTi. Lifecycle functions shown: deployment, management, remediation, response, reliability, reporting, recovery.]

McAfee Deep Defender uses McAfee DeepSAFE, McAfee Global Threat Intelligence (GTI), and McAfee ePolicy Orchestrator to provide protection from beneath the operating system.


McAfee DeepSAFE

DeepSAFE is a platform built to take advantage of the Intel Virtualization Technology (VT) available on Intel Core i3, i5, and i7 processors. DeepSAFE provides a hook between the physical hardware and the OS. From this trusted location outside the OS, DeepSAFE can monitor and protect system resources. Think of DeepSAFE as a new security layer that other security technologies can use to gain an accurate and uncompromised view of the operating system as well as everything running on the system.

McAfee Deep Defender

McAfee Deep Defender integrates with the DeepSAFE technology to get beneath the operating system and do some unique things. First, by tapping into DeepSAFE, Deep Defender gains access to a trusted view of the operating system. This low-level vantage point allows Deep Defender to spot the evasive techniques used by rootkits and enables configurable block or deny actions.

When you’re sitting at the low level provided by DeepSAFE, there are a number of very clear indicators that a rootkit is attempting to worm its way into a system. Deep Defender will use signatures for known rootkits and their variants to provide quick forensics on what is attacking a system and also use behavior to detect unusual activities. This trusted view allows Deep Defender to provide real-time kernel memory and CPU event protection with very little impact to the system. Deep Defender can stop a rootkit before it has a chance to embed itself in the OS, kernel, or memory by:

• Stopping malicious modification to the import address table (IAT) and the kernel export address table (EAT) that rootkits frequently target

• Preventing changes to the processor system transitioning table

• Eliminating malicious attachments to kernel-mode drivers

• Preventing malicious inline hooking of kernel code sections along with key device drivers
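The integrity checks a monitor outside the OS applies to the structures named in this list and in the earlier list of rootkit techniques (IAT/EAT entries, the interrupt descriptor table, inline-hooked kernel code) come down to two comparisons: table entries against a trusted snapshot and the owning module's address range, and code bytes against a baseline hash. The following added example is not McAfee's code and runs as an in-process simulation rather than from a hypervisor; the module range, table values and code bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

/* In-process model (added example, not McAfee code) of two checks an out-of-OS
 * monitor applies: a function-pointer table standing in for an IAT/EAT/IDT,
 * whose entries must equal their snapshot and lie inside the owning module,
 * and a protected code region whose bytes must hash unchanged. */
#define TABLE_ENTRIES 4
enum { MON_OK = 0, MON_TABLE_CHANGED = 1, MON_TABLE_OUT_OF_RANGE = 2, MON_CODE_CHANGED = 4 };

typedef struct {
    uintptr_t module_lo, module_hi;     /* legitimate target range for entries */
    uintptr_t baseline[TABLE_ENTRIES];  /* trusted snapshot of the table */
    uint64_t  code_hash;                /* FNV-1a over the protected code bytes */
} monitor_baseline;

static uint64_t fnv1a(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Take the trusted snapshot once, before untrusted code runs. */
void monitor_snapshot(monitor_baseline *b, const uintptr_t *table, uintptr_t lo,
                      uintptr_t hi, const uint8_t *code, size_t code_len) {
    b->module_lo = lo;
    b->module_hi = hi;
    memcpy(b->baseline, table, sizeof b->baseline);
    b->code_hash = fnv1a(code, code_len);
}

/* Re-check; returns MON_* flags and the first offending table index (or -1). */
int monitor_verify(const monitor_baseline *b, const uintptr_t *table,
                   const uint8_t *code, size_t code_len, int *bad_index) {
    int flags = MON_OK;
    *bad_index = -1;
    for (int i = 0; i < TABLE_ENTRIES; i++) {
        int changed = table[i] != b->baseline[i];
        int outside = table[i] < b->module_lo || table[i] >= b->module_hi;
        if (changed) flags |= MON_TABLE_CHANGED;
        if (outside) flags |= MON_TABLE_OUT_OF_RANGE;
        if ((changed || outside) && *bad_index < 0) *bad_index = i;
    }
    if (fnv1a(code, code_len) != b->code_hash) flags |= MON_CODE_CHANGED;
    return flags;
}

/* Constructed scenario: module occupies [0x1000, 0x2000). With tamper != 0,
 * entry 2 is redirected outside the module and the first code byte is overwritten. */
static int run_scenario(int tamper, int *bad) {
    uintptr_t table[TABLE_ENTRIES] = {0x1010, 0x1020, 0x1030, 0x1040};
    uint8_t code[8] = {0x55, 0x48, 0x89, 0xE5, 0x90, 0x90, 0x5D, 0xC3};
    monitor_baseline b;
    monitor_snapshot(&b, table, 0x1000, 0x2000, code, sizeof code);
    if (tamper) { table[2] = 0x9000; code[0] = 0x00; }
    return monitor_verify(&b, table, code, sizeof code, bad);
}
int demo_flags(int tamper) { int bad; return run_scenario(tamper, &bad); }
int demo_bad_index(int tamper) { int bad; run_scenario(tamper, &bad); return bad; }
```

A real monitor at the DeepSAFE layer would run these comparisons on writes to the protected pages rather than on a schedule, which is what lets it block the modification instead of merely reporting it afterwards.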

McAfee Deep Defender takes advantage of McAfee Global Threat Intelligence™ (GTI) for true zero-day protection. McAfee GTI is a cloud-based threat intelligence service that enables McAfee products to benefit from an extensive database of file, IP, domain, and sender reputation. McAfee Deep Defender uses GTI feeds for real-time assessment of suspicious code, reinforcing signature-based detections in the case of a new attack or if Deep Defender has not recently updated its protection signatures. When it detects suspected malware, Deep Defender will take a fingerprint of the code and run it through the McAfee GTI network to determine if it is a piece of malware that hasn’t made its way into a definition update yet.

McAfee Deep Defender can report, block, quarantine, and remove known and unknown malware in the kernel. It can work with McAfee VirusScan Enterprise antimalware to cleanse the affected user-mode components completely.

[Figure: computing stack, top to bottom: McAfee Applications; Operating System; McAfee DeepSAFE; CPU (Intel® Core™ i3, i5, i7).]

McAfee DeepSAFE technology sits close to the silicon, providing McAfee products an additional vantage point in the computing stack to better protect systems.


McAfee ePolicy Orchestrator (McAfee ePO)

McAfee ePO is the centralized policy and management environment used by McAfee products as well as many McAfee partner solutions. PCs and laptops running McAfee endpoint software today can deploy McAfee Deep Defender enterprise-wide on supported systems using existing McAfee ePO agents and management infrastructure. Communicating via the McAfee Agent, McAfee Deep Defender receives updates to definitions and policies from McAfee ePO. Deep Defender sends any events as well as system status back to ePO to be used in enterprise-wide metrics and reporting.

Optional Integrations

If you have laptops with the Intel Core i3, i5, and i7 processors, you may also want to take advantage of the Intel vPro AMT provided by McAfee ePO Deep Command. This option gives you access to power management and remote access through McAfee ePO.

Impact of the Solution

What keeps security professionals up at night is not knowing when the next successful zero-day will be. Defense in depth is great, but most technologies are reactive, operating after the fact. A new way to combat zero-days is absolutely required. Leveraging hardware-assisted security offers a new approach that provides peace of mind during this new generation of zero-day attacks.

McAfee Deep Defender addresses the major issues we face in the fight against rootkits and other types of stealthy malware that bypass standard security software. It provides a solid solution for dealing with sophisticated threats that inject themselves into memory and run in kernel-mode space, effectively hijacking your system.

With Deep Defender you can step outside of the operating system and take advantage of a security platform built at the chip level, McAfee DeepSAFE. This will let you stay ahead of the increase in targeted malware looking to root its way into your system. Deep Defender gives you the memory and kernel-mode protection necessary to stop rootkits. It provides a complete view of the operating system without the memory overhead and limited perspective you get from within the operating system.

Q&A

Which processors are supported by Deep Defender?

McAfee Deep Defender supports Intel Core i3, i5, and i7 processors.

Do I still need AV and HIPS if I have Deep Defender?

Yes. Deep Defender is targeted directly at protecting against stealthy malware like rootkits. It will report, block, quarantine, and remove known and unknown malware in the kernel. It does not provide protection for the user-mode types of threats covered by AV and HIPS. Your existing McAfee VirusScan Enterprise antimalware is required to cleanse the affected user-mode components completely.

2821 Mission College Boulevard, Santa Clara, CA 95054 · 888 847 8766 · www.mcafee.com

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

McAfee, McAfee Deep Defender, McAfee DeepSAFE, McAfee ePO, McAfee ePO Deep Command, McAfee ePolicy Orchestrator, McAfee Global Threat Intelligence, and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2012 McAfee, Inc. 41602bp_rootkits-L3_0112_fnl_ETMG

Additional Resources

www.mcafee.com/deepdefender
www.mcafee.com/deepsafe
www.mcafee.com/deepcommand
www.mcafee.com/epo
www.mcafee.com/producttrials

For more information about the Security Connected Reference Architecture, visit: www.mcafee.com/securityconnected

About the Author

Bruce Snell is director of technical marketing at McAfee. In this role he uses face-to-face discussions and webcasts to help customers understand the latest security threats and how McAfee can help them address their concerns and priorities. He also serves as an expert guest for NBC News and PBS Newshour, discussing how Trojans and rootkits spread and what everyday computer users can do to protect themselves.

Bruce has been involved in security for nearly 20 years. Prior to McAfee, he worked as an SE for Entercept Security, the first company to provide Host Intrusion Prevention through system and API call interception. His prior work includes security and network administration at organizations ranging from Fortune 100 to independent design firms and advertising agencies.