Kernel Malware
Zhuoqun Cheng
Feb 2013
Kernel Mode vs. User Mode
- x86 provides 4 privilege levels
  - Ring 0: kernel mode, for the kernel (highest)
  - Ring 1, 2: not used
  - Ring 3: user mode, for applications (lowest)
- A higher level can control lower levels and access more hardware resources
Kernel Malware vs. User Malware
- Kernel malware is more destructive
  - Can control the whole system, including both hardware and software
- Kernel malware is more difficult to detect or remove
  - Much antivirus software runs in user mode, at a lower privilege than the malware, so it cannot scan or modify malware in kernel mode
Kernel Malware vs. User Malware (continued)
- Kernel malware is more difficult to develop
  - The kernel is complex
  - Kernel-mode malware is more likely to have bugs
  - Even a minor bug in kernel mode can crash the kernel
- That is why kernel-mode malware is rare
An Example: SpamTool.Win32.Mailbot.az
- Found in December 2005 on Windows XP
- A kernel-mode driver
- Took control of the System Service Dispatcher (SSD)
- Applications requesting a system service could be redirected to other system functions (including functions in the malware)
- So all applications were effectively under its control
How to exploit the kernel?
- Stack overflow?
  - The kernel has only one stack
  - Fixed size, 8 KB, quite small
  - Very likely to overwrite some important kernel data and crash the kernel
- Loadable driver!
  - Drivers run in kernel mode
  - Windows allows drivers to be loaded at runtime
  - Develop the malware as a driver and ask the kernel to load it
Mitigation
- Drivers must be signed since Windows Vista
- The signature is checked before the driver is loaded
- An unsigned driver cannot be loaded into the kernel
One possible bypass
- A loaded driver (signed and checked) will be swapped out from memory to the pagefile on disk when memory is short
- Modify the pagefile and insert our shellcode
- Call that driver
- It is swapped back in and the shellcode gets executed
First: how to force the specific driver to be swapped out?
- Allocate a huge amount of memory for a process to use up physical memory
- Some rarely used drivers are always swapped out to disk

Second: how to locate and modify that driver?
- Take a sufficiently long binary string (one of its functions) from that driver
- Do a pattern search in the disk region where the pagefile probably resides
- Replace it with our shellcode (creating useful shellcode is extremely difficult)

Final step
- Call that driver
- The driver gets swapped in and the malware is injected! Or the kernel dies
Wait
- Why doesn't the operating system stop us from scanning and modifying the pagefile?
- Windows has a documented API that allows raw disk access from user mode
- We can read and write the disk sectors occupied by the pagefile
- The kernel has no idea which file we are modifying, since we do not go through the file system
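An added detection example from the defender's side, not part of the original slides: since the bypass depends on user-mode raw access to the disk sectors holding the pagefile, a monitor can flag processes that open raw volumes or physical drives. It assumes Sysmon Event ID 9 (RawAccessRead) records flattened to one key=value line per event, plus a constructed allowlist of processes that legitimately read raw volumes.

```python
"""Flag user-mode processes that read raw disk volumes or physical drives,
the access path the pagefile bypass relies on. Input is assumed to be Sysmon
Event ID 9 (RawAccessRead) records, one key=value line per event; the
records and the allowlist below are constructed for illustration."""
import re
from collections import defaultdict

# Processes expected to touch raw volumes on a given fleet (assumed baseline).
RAW_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",  # e.g. volume-shadow/defrag service hosts
    r"c:\windows\system32\vssvc.exe",
}

# Sysmon's Device field for raw reads: \Device\HarddiskVolumeN (a volume)
# or \Device\HarddiskN\DRn (a whole physical drive).
RAW_DEVICE = re.compile(r"^\\Device\\(HarddiskVolume\d+|Harddisk\d+\\DR\d+)$", re.I)

# Constructed sample log: a binary in a temp directory reads a volume and
# then the whole physical drive; the EventID=1 (process create) line is noise.
SAMPLE_EVENTS = """\
EventID=9 Image=C:\\Windows\\System32\\svchost.exe ProcessId=1180 Device=\\Device\\HarddiskVolume2
EventID=9 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe ProcessId=4412 Device=\\Device\\HarddiskVolume2
EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe ProcessId=4412 CommandLine=updater.exe
EventID=9 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe ProcessId=4412 Device=\\Device\\Harddisk0\\DR0
EventID=9 Image=C:\\Windows\\System32\\vssvc.exe ProcessId=2204 Device=\\Device\\HarddiskVolume1
"""

def parse_event(line):
    """Split 'key=value key=value ...' into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def raw_access_alerts(events_text):
    """Return one alert per (image, pid) not on the allowlist that read a raw
    volume or drive, listing every device it touched."""
    touched = defaultdict(set)
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "9":
            continue
        device = ev.get("Device", "")
        if not RAW_DEVICE.match(device):
            continue
        image = ev.get("Image", "").lower()
        if image in RAW_ACCESS_ALLOWLIST:
            continue
        touched[(image, ev.get("ProcessId"))].add(device)
    return [{"image": img, "pid": pid, "devices": sorted(devs)}
            for (img, pid), devs in sorted(touched.items())]
```

On the sample above only the temp-directory binary is reported, with both devices it touched; the allowlist is the tuning knob that keeps backup and defragmentation services quiet.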
Possible mitigations
- Forbid raw disk access from user mode: would probably break lots of programs
- Encrypt the pagefile: big performance impact
- Disable kernel memory swapping: possible, but users lose this useful feature
Thank you! Questions?

References
- Kernel Malware: The Attack from Within, Kimmo Kasslin (Kuala Lumpur)
- Subverting Vista Kernel for Fun and Profit, Joanna Rutkowska
- Wiki: Rootkit, http://en.wikipedia.org/wiki/Rootkit