White Paper

Root Out Rootkits: An inside look at McAfee® Deep Defender


Page 1: Root Out Rootkits: An Inside Look at McAfee Deep ... - Intel 3 McAfee Labs has identified: • More than 2.8 million unique rootkits • 180,000 new rootkits each quarter • 2,000



Root Out Rootkits 2

Table of Contents

Rootkits: Rotten Code in the Core 3
  Rootkits cloak and disable defenses 3
  Designed to conceal a payload 4
  Meet Koutodoor and TDSS 4
Rootkits Dodge Detection 5
Win at Rootkit Limbo 5
  McAfee Deep Defender with McAfee DeepSAFE take out kernel-mode malware 5
  Updates the cloud 6
  McAfee VirusScan Enterprise can remove related malware 6
Inside the Detection and Scanning Functions 7
  Real-time visibility into memory 7
Scenarios 7
  Clean installation 7
  A phishing attack 9
  A rootkit in residence 10
Conclusion 11


McAfee Labs has identified:

• More than 2.8 million unique rootkits
• 180,000 new rootkits each quarter
• 2,000 new rootkits per day

Researchers discover an average of 2,000 rootkits each day, according to McAfee® Labs™. Rootkits are an increasingly common form of malware built explicitly to hide malicious code. Once installed, a rootkit conceals itself and looks innocent to traditional file-based scans. The longer it stays hidden, the more damage the rootkit can do, especially when rootkits conceal secondary malware components, a common line of attack.

To prevent the rootkit from installing and cloaking itself and related malware, McAfee has invented endpoint detection more sophisticated than malware signatures and operating-system level heuristics. This paper describes how McAfee Deep Defender moves endpoint security beyond the operating system. McAfee Deep Defender gets hardware assistance from Intel and uses a privileged early load position to uncloak, block, and remove the kernel-mode activities of stealthy rootkits. Once McAfee Deep Defender has neutralized the rootkit, any malicious user-mode payload the rootkit was concealing lies exposed for detection and cleanup by the traditional file-based scanning of McAfee VirusScan® Enterprise software. Both products interact with McAfee Global Threat Intelligence™ to minimize time to protection for the system and other potential targets.

Rootkits: Rotten Code in the Core

Rootkits may seem like just another type of malware—another virus, Trojan, or worm—but they can be far more dangerous. Two characteristics—the concealment enabled by low-level operation and their role in hiding complex threats—distinguish rootkits from the traditional malicious code that we expect file-based antivirus and host intrusion prevention systems to catch.

Rootkits cloak and disable defenses

The most distinctive attribute of a rootkit is its ability to conceal its presence. There are two types of rootkits: user mode and kernel mode. Kernel-mode rootkits are the hardest to detect and clean because they lie deep inside the operating system. They load before most boot or other drivers and before traditional user-mode level protections. Kernel-mode rootkits use this early load position to hide their presence by manipulating the kernel, memory, and other system elements. These rootkits can control basic computing functions, so in addition to hiding their own existence, they can

• Disable protections (including antivirus)
• Reinfect if they are removed
• Conceal other code, such as a payload within the rootkit or separate elements of the attack
• Deny read/write access to rootkit files to block removal¹

“Rootkits can target any system, from database servers to point-of-sale terminals, from mobile phones to automobile electronics. Because rootkits can operate within and below the operating system, they can disguise or conceal the files, processes, and registry keys touched by other malware. These traits make rootkits a vital component of multistage threat operations.”

—Dave Marcus and Thom Sawicki, The New Reality of Stealth Crimeware


“Modern rootkits do not elevate access, but instead are used to make another typically malicious software payload undetectable by adding stealth capabilities. The payload might covertly steal user passwords, credit card information, or computing resources, or conduct other unauthorized activities. Due to the stealthy nature of this malicious activity, the attack may go unnoticed for an extended length of time, perhaps years.”

—Jason Brown, McAfee Deep Defender Best Practices Guide³

Designed to conceal a payload

A rootkit can make system changes or create system policies that compromise security. Using these tactics, the rootkit’s primary job is to conceal other malware, malicious payloads in the form of viruses, Trojans, or worms until the time is right for attack. That’s why rootkits are a preferred tool in stealthy threats like Stuxnet or Necurs.² The low-level control of the rootkit allows it to cloak the presence of that secondary malware, hiding it from traditional operating system (OS) and application-level security products. Often, the attacker applies creativity to building the rootkit and then leverages off-the-shelf malware payloads for the rest of the crime: data theft, keylogging, and reconnaissance. Both parts of the attacker’s task have become easier with malware toolkits that rival commercial development tools. When user-mode and kernel-mode rootkits are used together, an attacker leverages kernel-level access to disguise the attack and user-level functionality to manipulate the system, resulting in a sophisticated and essentially invisible attack.

Meet Koutodoor and TDSS

While a few attacks—like Stuxnet and its derivative, DuQu—received widespread news attention, other rootkit families like Koutodoor and TDSS have had greater impact with less fanfare. The Koutodoor progeny represent 21 percent of the rootkit zoo.⁴ In the case of Koutodoor, cybercoders have been perfecting this brainchild since 2007.⁵

Koutodoor operates in several stages:

• Installs Trojan (as rootkit)
• Installs secondary malware from its download sites
• Secondary malware sends traffic to specific URLs, generating “clicks” on banner ads and web counters

This sequence drives revenue based on the pay-per-click Internet business model. By installing the rootkit on infected systems, the criminals boost click-through income without having too many clicks originate from the same address.⁶

Koutodoor has many clever attributes. It uses polymorphic droppers to avoid recognition and changes a function value and read-write privileges to deny file access and persist on infected systems. Also, it changes its filename at every boot. Like many rootkits, it can prevent the launch of legitimate programs, including antivirus. Its ingenuities seem endless: it adds 11 files to the system, changes the timestamp, adds and removes six files (one mysteriously labeled dogkiller.exe), and creates or changes several dozen registry elements.⁷,⁸

All of these actions are designed to conceal the presence or ensure the survival of the rootkit on the host. As long as the rootkit can conceal the various Koutodoor files, the attack remains active.

Modern Cyberwarfare

“Some of today’s tools work against some of today’s rootkits. Tools like virus scanners and host intrusion prevention systems operate at the operating system and above. They can examine memory and monitor user-mode privileges to detect and remediate the relatively high-level, user-mode rootkits. However, stealth techniques that operate at the kernel-level and below fly underneath the radar of traditional operating system, vulnerability, and virus scanning tools. Kernel-mode rootkits have system-level privileges, so they are harder to detect and repair.

Stuxnet and Zeus demonstrate how much more sophisticated cybercrime is today compared to just a few years ago.

The Stuxnet attack appears to have been designed to disrupt industrial control systems within Iranian nuclear programs. Stuxnet used both user- and kernel-mode rootkits, plus a rootkit within the programmable logic controller (PLC), a usage not previously seen in the wild. The user and kernel-mode rootkits hid files and decrypted and injected code in running processes. The spring 2010 version of the kernel-mode rootkit included stolen signed device drivers, so that the rootkit looked like legitimate code.”

—The New Reality of Stealth Crimeware, www.mcafee.com/stealthcrimeware


Rootkits Dodge Detection

Many user-mode rootkits and the increasing number of kernel-mode rootkits go undetected by traditional file-based tools like antivirus and intrusion prevention systems (IPS). Detection requires low-level instrumentation and active system monitoring actions below and within the kernel level of the operating system that are not part of standard antivirus and IPS.

If and when rootkits are detected, cleanup is messy. Since the rootkit likely acted to replicate itself and hide other malicious components, system administrators must become or bring in forensic investigators to understand the complete attack sequence and find and remove any other attack components, particularly data-stealing malware. For many, the easiest and safest remediation is a complete re-image with a productivity tax of an average of 10 hours per system.⁹ Without a reimage, the rootkit may just reinstall itself from another part of the system and repeat the cloaking effort on the malware, or contact its command and control center to reinitiate the attack sequence.

Another rootkit, TDSS, represents more than 37 percent of the rootkit zoo and shows how adeptly rootkit families evolve to stay ahead of antivirus tools. For example, a recent incarnation infected the Master Boot Record to load ahead of other drivers and all antivirus solutions, allowing it to disable antivirus and operating system protections, debuggers, and other tools. TDSS also infects existing files as a parasite. It creates and maintains an encrypted file system where it will store its payload. Password stealers and other threats stored in the rootkit’s vault are undetectable by on-access scanners; they are off the grid.¹⁰

In addition, some rootkits will hook, or intercept, function tables to disguise themselves. For example, the system service dispatch table (SSDT) is an internal dispatch table within Microsoft Windows that houses core OS functions. When a rootkit hooks this table, it can conceal itself and related components by providing fake memory values to any code in search of a pointer. Hooking of this table allows a rootkit to “stealth” anything, from files and folders to processes to parts of the registry.
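The SSDT hooking just described is also what a defender checks for. The example below is added here and is not McAfee's code or any part of Deep Defender; it is a simplified integrity check over a dispatch table, written in Python against constructed data. It applies the two tests a practitioner would run: every entry must point into the kernel image, and, where a trusted baseline of the table exists (built from the on-disk kernel or a known-clean snapshot), every live entry must match it. The module ranges, addresses and the driver name mal.sys are constructed sample values, not real ones.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ModuleRange:
    """Load address range of a kernel module (constructed values, not real addresses)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[ModuleRange]) -> Optional[str]:
    """Name of the module whose image covers addr, or None if no module claims it."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_ssdt_hooks(ssdt: Dict[int, int], modules: List[ModuleRange],
                    baseline: Optional[Dict[int, int]] = None,
                    kernel_name: str = "ntoskrnl.exe") -> List[Tuple[int, int, str, str]]:
    """Flag dispatch-table entries that look hooked.

    Check (a): the table is supposed to hold core OS routines, so every entry must
    point into the kernel image. Check (b): if a trusted baseline is available, the
    live entry must match it; this catches an entry redirected to some other routine
    that still lies inside the kernel. Returns (index, address, owner, reasons).
    """
    findings = []
    for index in sorted(ssdt):
        addr = ssdt[index]
        owner = owner_of(addr, modules)
        reasons = []
        if owner != kernel_name:
            reasons.append("outside kernel image")
        if baseline is not None and baseline.get(index) != addr:
            reasons.append("differs from baseline")
        if reasons:
            findings.append((index, addr, owner or "<unbacked>", ", ".join(reasons)))
    return findings


# ---- Constructed sample data (not a real system) ---------------------------
SAMPLE_MODULES = [
    ModuleRange("ntoskrnl.exe", 0xFFFFF80001000000, 0x00600000),  # the kernel image
    ModuleRange("tcpip.sys",    0xFFFFF88001800000, 0x00200000),  # a legitimate driver
    ModuleRange("mal.sys",      0xFFFFF88003A00000, 0x00010000),  # the unknown driver of the paper's scenario
]
KERNEL_BASE = SAMPLE_MODULES[0].base

# Trusted baseline: six service routines, all inside the kernel image.
SAMPLE_BASELINE = {i: KERNEL_BASE + 0x1000 * (i + 1) for i in range(6)}

# Live table as read at runtime, with three tampered entries.
SAMPLE_SSDT = dict(SAMPLE_BASELINE)
SAMPLE_SSDT[2] = 0xFFFFF88003A01000      # redirected into mal.sys
SAMPLE_SSDT[4] = 0xFFFFF88009F00000      # redirected into memory no module claims
SAMPLE_SSDT[5] = KERNEL_BASE + 0x5F0000  # still inside the kernel, but not the original routine

if __name__ == "__main__":
    for index, addr, owner, reasons in find_ssdt_hooks(SAMPLE_SSDT, SAMPLE_MODULES, SAMPLE_BASELINE):
        print(f"SSDT[{index}] -> {addr:#018x} ({owner}): {reasons}")
```

Two caveats for anyone adapting this. First, the sample stores absolute pointers for clarity; on 64-bit Windows the table holds offsets relative to its own base, so a real check resolves those to addresses first. Second, a rootkit that has hooked the table can also serve "fake memory values" to whatever reads it, as the paragraph above says, so the table and the module list must be read from a vantage point the rootkit cannot influence; that is exactly the argument the paper goes on to make for monitoring from below the operating system.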

Win at Rootkit Limbo¹¹

Through a development partnership with Intel, McAfee has created a new tier of security products that acts beyond the operating system. The first of these, McAfee® Deep Defender, can monitor and control functions low in the system stack, revealing and then disabling rootkits in the kernel. Unlike static scanning tools that need to be told to run, McAfee Deep Defender sits inline, monitoring and evaluating kernel events in real time. When it sees suspicious or malicious events, it can block them and, if you choose, remediate malicious code within the kernel.

McAfee Deep Defender works in conjunction with McAfee VirusScan Enterprise software. While McAfee Deep Defender drives effective, real-time protection into the kernel itself to fight rootkits, McAfee VirusScan Enterprise detects and remediates other kinds of malware at the user level using both signature-based and real-time, cloud-based malware systems. The two products should be used together to detect and clean up rootkits and their companion files throughout the software stack, as well as unstealthy malware in the user and application levels.

McAfee Deep Defender with McAfee DeepSAFE take out kernel-mode malware

McAfee Deep Defender is the first product built with McAfee DeepSAFE™ technology, an advanced integration of Intel hardware and McAfee security expertise. McAfee DeepSAFE technology provides real-time memory monitoring via hardware features in the Intel Core i3, i5, and i7 processors. Specifically, McAfee DeepSAFE uses the Intel Virtualization Technology or VT-x to get an unfettered view of system memory. Leveraging McAfee DeepSAFE, McAfee Deep Defender has a great, unprecedented vantage point to witness and selectively intervene in the flow of events in the lowest levels of the operating system.


If a rootkit or other stealth malware is active, McAfee DeepSAFE will catch its attempt to load into memory and alert the McAfee Deep Defender agent. McAfee Deep Defender identifies peculiar actions at kernel memory locations and makes the connection between these suspicious memory I/O events and other threats on the disk. McAfee Deep Defender can then unload or blacklist these malicious or infected drivers to render them useless.

Figure 1. McAfee DeepSAFE technology provides low-level monitoring to enable rootkit detection and removal. (Diagram labels: Applications; Operating System; CPU; McAfee DeepSAFE; Intel® Core™ i3, i5, i7; AV; HIPS; McAfee Deep Defender; Other Protection.)

Updates the cloud

Since it is monitoring memory activity and triggering on suspicious behavior, McAfee Deep Defender will detect zero-day malware. To alert other systems to a zero-day rootkit, McAfee Deep Defender will transmit telemetry data to the McAfee Global Threat Intelligence™ (McAfee GTI™) cloud. The data it communicates—a hash of the blacklisted driver that attempts to load and its metadata, such as file size, path name, service name, digital signature information, and file fingerprint—informs McAfee research and analysis. The telemetry data will be converted into cloud-based protection, as well as a .DAT signature. The .DAT signature can be used by McAfee VirusScan Enterprise software on any system—even those without McAfee DeepSAFE or McAfee Deep Defender—to protect against installation of that rootkit on those systems. McAfee GTI-enabled products benefit second-hand from this hardware-assisted security, gaining more accurate detection.¹²

McAfee VirusScan Enterprise can remove related malware

Once the kernel-mode rootkit is exposed and removed, any user-mode malware it has been hiding becomes visible. McAfee VirusScan Enterprise software may detect it upon the next scan if it is a known virus, Trojan, worm, or other malware. If the revealed malware is not yet known (does not yet have a .DAT signature), McAfee VirusScan Enterprise software may consult the McAfee GTI file reputation service for a risk assessment of the suspicious file. If McAfee GTI confirms the file as a threat, McAfee VirusScan Enterprise will block and clean the malware.


Inside the Detection and Scanning Functions

McAfee DeepSAFE, McAfee Deep Defender, and McAfee VirusScan Enterprise components all perform scanning, but each scan is a bit different. The resources, access, and characteristics of the level in which they operate determine the types of scans and remediations they perform. For example, the lowest level McAfee DeepSAFE component lives in the limited world of kernel operations. It has lightweight logic focused entirely on memory access—what’s normal and what’s anomalous. It has the power to block drivers from loading and suspend kernel threats. For the actual removal of the code, it passes the information it has gleaned about the driver’s misbehavior up the stack to the McAfee Deep Defender agent.

The McAfee Deep Defender agent has more resources (both time and compute) to perform more robust analysis. It receives the information from McAfee DeepSAFE and considers its implications. The McAfee Deep Defender agent has a focused set of antivirus content that looks at file, registry, stealth memory, and process scanning techniques. If its analysis identifies a rootkit family, it can initiate additional scanning and remediation.

Real-time visibility into memory

Through real-time insight into both memory accesses and the interactions of malicious code, McAfee Deep Defender can perform rich, subtle detection and remediation that is unlike the file-oriented scanning of traditional antivirus. The visibility into memory and kernel-level events also gives McAfee Deep Defender more information than that available to intrusion prevention systems.

A few other things differentiate McAfee Deep Defender from traditional user-mode security tools.

• An on-demand scan will only detect when it is run, either manually or as part of a scheduled task. If a malicious rootkit has already been installed, the rootkit has had time to cloak itself and replicate or activate its self-healing regimes before the scan gets a chance to find it.

• Traditional tools are visible to rootkits. They can be manipulated by rootkits, for example, by deactivating the antivirus driver.

• The first driver to load wins. Via McAfee DeepSAFE, the McAfee Deep Defender driver always loads first.

Scenarios

To highlight the technical magic in McAfee Deep Defender, let’s walk through a few use cases: a clean laptop and an infected system. First, you will install McAfee Deep Defender on a laptop with an Intel i3/i5/i7 CPU with VT-x enabled. The system is already running McAfee VirusScan Enterprise (VSE) and a McAfee ePolicy Orchestrator® (McAfee ePO™) agent.

Clean installation

McAfee Deep Defender uses the same McAfee ePO policy and agent infrastructure as McAfee VirusScan Enterprise. To deploy, you just check in a new McAfee ePO package, and the McAfee agent will pull it down to the endpoints. McAfee DeepSAFE technology is included in the same McAfee ePO package. McAfee Deep Defender gains low-level visibility through two McAfee DeepSAFE components: the McAfee DeepSAFE memory layer and the McAfee DeepSAFE loader/in-band agent. Once you have installed the McAfee Deep Defender package, either locally or over the network, you reboot the system.


Figure 2. McAfee Deep Defender installation and initial execution after first boot.

1. The system’s OS loader begins initialization of the Microsoft Windows operating system. Boot drivers begin to load. The first of these is the McAfee DeepSAFE loader/in-band agent. This agent contains lightweight detection logic that analyzes activity, notes when a driver is behaving suspiciously, and exposes any rootkits. We use multiple methods to ensure that the McAfee driver always loads first. For example, rootkits often alter registry keys. McAfee locks the specific registry keys used to change load order, so our agent will always load ahead of other code. This guaranteed early load process ensures that McAfee DeepSAFE can monitor and inspect each driver loaded after it and prevents other drivers from compromising the McAfee DeepSAFE agent.

NOTE: With this load position and memory monitoring, we can see a kernel-mode driver attempting to make a memory change and act before anything bad happens. Other security systems that load later, after the driver or higher in the stack, would only see what the malicious driver wanted them to see—the altered reality created by the rootkit’s manipulation of memory. Instead, we see the attempt to alter memory and can act before any change is made. McAfee does not need to have prior knowledge (a signature or pattern) of the rootkit. We catch it trying to do its job. This gives you true zero-day detection.

2. Next, other standard drivers, including the McAfee VirusScan driver, load. Other McAfee products, such as McAfee SiteAdvisor® and McAfee Host Intrusion Prevention, have drivers loading in this space as well.

3. User-level services and applications start to load, including the McAfee Deep Defender agent. This agent contains the higher-end, heavier-weight logic of remediation and removal. Where the lightweight logic in the kernel-mode McAfee DeepSAFE loader/agent will detect a malicious driver, the heavyweight rules in McAfee Deep Defender pinpoint other components involved in the attack.


A phishing attack

That’s the overview of where the McAfee components live in the system and what they do. Now, let’s put them to work detecting unknown rootkits on the fly. Today, the user of this machine gets a phishing email with a compelling offer to attend an industry seminar for free if they sign up through a special website. The value-conscious user clicks through to the link, and a rootkit Trojan downloads in the background as the user is filling out the form.

Normally, the rootkit would attempt to hide in the kernel as a boot driver. However, this time, McAfee DeepSAFE catches the rootkit’s attempt to load into memory. The McAfee DeepSAFE component alerts the McAfee Deep Defender agent, which blocks and remediates the rootkit. Here’s how it works:

Figure 3. McAfee Deep Defender operation during malicious attack.

1. A new kernel driver (mal.sys) loads. At this point, the driver has not been classified as good (and therefore not whitelisted) or bad (and also not blacklisted) and so is classified as unknown by the McAfee DeepSAFE loader/agent.

2. Mal.sys behaves suspiciously by attempting to load the interrupt descriptor table (IDT) at a new address. This operation is normally something only the OS would attempt to perform. Alternatively, the driver may try to patch the SSDT, a construct we described earlier.

3. Since the mal.sys driver is classified as unknown, McAfee Deep Defender blocks the attempted load of the IDT, blacklists the driver, and generates an event as a result of the attempted action.

4. The event is escalated to heavyweight rules (HWRs) for processing by the McAfee Deep Defender agent when the system enters user mode. The HWRs use more complex detection and removal logic to clean mal.sys; this part of McAfee Deep Defender has the capability of quarantining the file, for example. In this case, the HWRs prompt the system to reboot in order to eject the malware driver. After reboot, the malware driver attempts to load, but it is denied by the blacklist. This denial triggers a rescan of the kernel driver.
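The four steps above describe a small policy engine: classify each driver as whitelisted, blacklisted or unknown; refuse writes to protected kernel structures from unknown drivers before they land; blacklist the offender; hand an event up to heavier user-mode logic; and deny the driver on the next boot. The following Python model is an added illustration of that flow, not McAfee's code and not how Deep Defender or DeepSAFE is implemented; it keys the lists on the driver image's SHA-256 and fills each event with the same fields the "Updates the cloud" section lists as telemetry (hash, file size, path, service name, signature information). The driver images, paths and the name mal.sys are constructed sample data, and the "IDT" and "SSDT" regions are just labels standing in for the real memory ranges a hardware-assisted monitor would guard.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Verdict(Enum):
    WHITELISTED = "whitelisted"
    BLACKLISTED = "blacklisted"
    UNKNOWN = "unknown"


# Kernel structures that only the OS itself (or an explicitly trusted driver) may rewrite.
PROTECTED_REGIONS = {"IDT", "SSDT"}


@dataclass
class DriverImage:
    """A driver as the loader sees it. Sample values are constructed, not real drivers."""
    path: str
    service_name: str
    image: bytes
    signer: Optional[str] = None  # None models an unsigned image

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.image).hexdigest()


@dataclass
class Monitor:
    """Simulated early-load monitor: classifies drivers by hash, guards protected
    structures, blacklists offenders and records events carrying telemetry fields."""
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)
    loaded: Dict[str, DriverImage] = field(default_factory=dict)
    events: List[dict] = field(default_factory=list)

    def classify(self, drv: DriverImage) -> Verdict:
        if drv.sha256 in self.blacklist:
            return Verdict.BLACKLISTED
        if drv.sha256 in self.whitelist:
            return Verdict.WHITELISTED
        return Verdict.UNKNOWN

    def load(self, drv: DriverImage) -> bool:
        """Step 1: a driver loads. Only a blacklisted hash is refused; an unknown
        image is allowed in and watched. Returns True if the load proceeds."""
        if self.classify(drv) is Verdict.BLACKLISTED:
            self.events.append(self._event("load_denied", drv, "blacklist"))
            return False
        self.loaded[drv.service_name] = drv
        return True

    def kernel_write(self, requester: str, region: str) -> bool:
        """Steps 2-3: requester ("os" or a loaded service name) tries to write region.
        An unknown driver touching a protected structure is blocked before the write
        lands, blacklisted, and reported. Returns True if the write is allowed."""
        if region not in PROTECTED_REGIONS or requester == "os":
            return True
        drv = self.loaded[requester]
        if self.classify(drv) is Verdict.WHITELISTED:
            return True
        self.blacklist.add(drv.sha256)
        self.events.append(self._event("protected_write_blocked", drv, region))
        return False

    def _event(self, kind: str, drv: DriverImage, detail: str) -> dict:
        # The fields the paper lists as telemetry: the image hash plus file metadata.
        return {"kind": kind, "detail": detail, "sha256": drv.sha256, "size": len(drv.image),
                "path": drv.path, "service": drv.service_name, "signer": drv.signer}


def heavyweight_rules(monitor: Monitor) -> List[str]:
    """Step 4, user-mode side: for each blocked write, quarantine the file and
    schedule a reboot to eject the driver. Returns the remediation actions."""
    actions = []
    for ev in monitor.events:
        if ev["kind"] == "protected_write_blocked":
            actions.append(f"quarantine {ev['path']}")
            actions.append(f"reboot to eject {ev['service']}")
    return actions


def reboot(monitor: Monitor) -> Monitor:
    """Simulated reboot: list membership persists, loaded drivers and events do not."""
    return Monitor(whitelist=set(monitor.whitelist), blacklist=set(monitor.blacklist))


def run_scenario() -> dict:
    """The four-step scenario above, driven end to end on constructed drivers."""
    good = DriverImage(r"C:\Windows\System32\drivers\tcpip.sys", "tcpip",
                       b"constructed good image", "Microsoft Windows")
    mal = DriverImage(r"C:\Users\user\AppData\Local\Temp\mal.sys", "mal", b"constructed mal image")
    mon = Monitor(whitelist={good.sha256})
    mon.load(good)
    mon.load(mal)
    unknown_at_load = mon.classify(mal) is Verdict.UNKNOWN
    blocked = not mon.kernel_write("mal", "IDT")   # IDT relocation by an unknown driver
    os_allowed = mon.kernel_write("os", "IDT")     # the OS itself may do this
    actions = heavyweight_rules(mon)
    after = reboot(mon)
    denied_after_reboot = not after.load(mal)      # the blacklist now refuses mal.sys
    return {"unknown_at_load": unknown_at_load, "blocked": blocked, "os_allowed": os_allowed,
            "verdict": mon.classify(mal), "actions": actions,
            "denied_after_reboot": denied_after_reboot,
            "events": [e["kind"] for e in mon.events + after.events]}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the ordering: the decision is taken on the attempted write, before anything in the kernel changes, and the blacklist is keyed on a hash that survives the reboot, which is also what lets the verdict be shared with other systems as cloud reputation or a .DAT signature. A real implementation differs in what the model glosses over: it needs a view of memory the driver cannot tamper with (the paper's hardware-assisted position below the OS), and identifying a driver by image hash alone is brittle against repacking, so the signature information carried in the event is part of the identity, not just metadata.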


A rootkit in residence

Alternatively, you might install McAfee Deep Defender on a system already infected with one or more rootkits. In the example below, you have two classes of rootkits, “boot driver rootkits” and rootkits that are just standard kernel-mode drivers. The latter category is the most common.

With rootkits already in residence, we install McAfee Deep Defender using McAfee ePO software as before. When we reboot, our boot sequence starts out the same, but McAfee Deep Defender protection kicks in during the startup process, and McAfee VirusScan Enterprise helps with remediation:

Figure 4. McAfee Deep Defender detecting and cleaning an existing rootkit.

1. As the system initializes, the first component of McAfee DeepSAFE becomes active in the memory layer.

2. The system’s OS loader begins initialization of the Windows operating system.

3. Boot drivers begin to load, starting with the McAfee DeepSAFE loader/agent.

4. The remaining boot drivers load. A driver attempts to modify the kernel, and the McAfee DeepSAFE memory component (from step 1) sees the action and relays the attempt to the McAfee DeepSAFE loader/agent (from step 3). The McAfee DeepSAFE agent will process its activity against its lightweight detection logic. If we identify the memory access as malware, the McAfee DeepSAFE loader/agent will block the malicious boot driver’s activities. The rootkit will be neutralized, but it won’t yet be gone from the system.

5. Windows loads the other standard drivers, including the McAfee VirusScan driver. McAfee DeepSAFE detects another attempt to modify the kernel and, as before, tells the McAfee DeepSAFE loader/agent to step in and block that malicious code. Note: The antivirus driver—or other security drivers in this level such as the IPS or SiteAdvisor driver—could load before the malicious driver, but they wouldn’t see anything wrong unless the driver happened to exhibit known bad behavior (something detected by the product’s heuristic file or behavior identification). Any new, or zero-day, behavior would go unnoticed. Only McAfee DeepSAFE technology provides the real-time visibility into rootkit kernel memory accesses.


6. As before, the user-level services and applications start to load, including the McAfee Deep Defender agent.

7. The McAfee Deep Defender agent removes both malicious driver rootkits.

8. Once the kernel mode code that provided camouflage is gone, the malware it was hiding becomes visible. The next time the malicious file is accessed or executed, if the malware is known, a McAfee VirusScan Enterprise on-access scan will detect and clean it, or it will be detected at the next scheduled scan. If the malware is unknown but suspicious, McAfee VirusScan Enterprise will use McAfee GTI lookups and potentially identify and clean this non-rootkit malware.

Conclusion

Rootkits represent just the latest escalation in the decades-long battle between malware developers and security researchers. By inserting previously unavailable monitoring and control operations within the kernel, McAfee Deep Defender offers enterprises a way to fight back against these stealthy attacks. McAfee Deep Defender works alongside other host protections and within the familiar McAfee ePO management to make it easy to layer in a new baseline of protection.

This solution leverages Intel hardware capabilities to provide the strongest McAfee software protection for the system—protection that goes beyond the operating system. Unlike static scans and user-mode protections, McAfee Deep Defender monitors memory operations in real time, stopping unknown, zero-day infections before they have a chance to do damage. If the rootkit has been concealing secondary malware, that malware will be revealed for cleanup by user-level protections like McAfee VirusScan Enterprise.

McAfee Deep Defender, built on McAfee DeepSAFE technology, provides must-have protection for endpoints on the front line. It can free your system of rootkits and related payloads so multistage attacks never get past the first contact. Learn more at www.mcafee.com/deepdefender and www.mcafee.com/deepsafe.

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. http://www.mcafee.com


2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com

1. “Predicting the Future of Stealth Attacks,” October 2011 Virus Bulletin, Kapoor and Mathur
2. http://blogs.mcafee.com/mcafee-labs/signed-malware-you-can-runbut-you-cant-hide
3. Contact your sales representative for access to this resource.
4. McAfee Labs
5. “Predicting the Future of Stealth Attacks,” October 2011 Virus Bulletin, Kapoor and Mathur
6. http://www.eset.eu/encyclopaedia/win32-koutodoor-hm-trojan-e-backdoor-cep-gen-cq?lng=en
7. “Predicting the Future of Stealth Attacks,” October 2011 Virus Bulletin, Kapoor and Mathur
8. http://home.mcafee.com/virusinfo/virusprofile.aspx?key=568093#none
9. Costs average five hours for each IT administrator and user per system reimaged (10 hours total), for an approximate cost per endpoint of $585; at a 5,000 node company, a 1 percent infection rate would equate to $30,000 in cleanup costs.
10. “Predicting the Future of Stealth Attacks,” October 2011 Virus Bulletin, Kapoor and Mathur
11. The traditional party game where the winner is the person that gets lowest to the ground: http://www.partycity.com/product/inflatable+cactus+limbo+game.do.
12. Find out how to activate McAfee GTI in your McAfee product at https://kc.mcafee.com/corporate/index?page=content&id=KB70130

McAfee, the McAfee logo, McAfee DeepSAFE, McAfee Global Threat Intelligence, McAfee GTI, McAfee Labs, ePolicy Orchestrator, McAfee ePO, SiteAdvisor, and VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2012 McAfee, Inc. 45703wp_rootkits_0512_fnl_ETMG