Advancing Mac OS X Rootkit Detecron
Total Page:16
File Type:pdf, Size:1020Kb
Advancing Mac OS X Rootkit Detec4on Andrew Case (@attrc) Volatility Foundation Golden G. Richard III (@nolaforensix) University of New Orleans 2 hot research areas State of Affairs more established Live Forensics and Tradional Storage Memory Analysis Forensics Digital Forensics Reverse Engineering Incident Response Increasingly encompasses all the others Copyright 2015 by Andrew Case and Golden G. Richard III 3 Where’s the Evidence? Files and Filesystem Applica4on Windows Deleted Files metadata metadata registry Print spool Hibernaon Temp files Log files files files Browser Network Slack space Swap files caches traces RAM: OS and app data Volale Evidence structures Copyright 2015 by Andrew Case and Golden G. Richard III 4 Volale Evidence 1 011 01 1 0 1 111 0 11 0 1 0 1 0 10 0 1 0 1 1 1 0 0 1 0 1 1 0 0 1 Copyright 2015 by Andrew Case and Golden G. Richard III 5 Awesomeness Progression: File Carving Can carve Chaos: files, but More can't Faster Almost not very accurate Hurray! carve files well Tools Manual File type Fragmentaon, appear, MulDthreading, hex editor aware damned but have beer design stuff carving, et al spinning disks! issues Images: hLps://easiersaidblogdotcom.files.wordpress.com/2013/02/hot_dogger.jpg hLp://cdn.bigbangfish.com/555/Cow/Cow-6.jpg, hLp://f.tqn.com/y/bbq/1/W/U/i/Big_green_egg_large.jpg hLp://i5.walmarDmages.com/dfw/dce07b8c-bb22/k2-_95ea6c25-e9aa-418e-a3a2-8e48e62a9d2e.v1.jpg Copyright 2015 by Andrew Case and Golden G. Richard III 6 Awesomeness Progression: Memory Forensics Pioneering Chaos: More, efforts Beyond run more, show great Windows ?? strings? more promise pt_finder et al More aenDon Manual, Mac, … awesome but to malware, run strings, Linux, BSD liLle context limited filling in the gaps funcDonality Images: hLps://s-media-cache-ak0.pinimg.com/736x/75/5a/37/755a37727586c57a19d42caa650d242e.jpg,, hLp://img.photobucket.com/albums/v136/Hell2Pay77/SS-trucks.jpg hLp://skateandannoy.com/wp-content/uploads/2007/12/sportsbars.jpg, hLp://gainesvillescene.com/wp-content/uploads/2013/03/dog-longboard.jpg Copyright 2015 by Andrew Case and Golden G. Richard III 7 Memory Analysis: 2004 $ grep –i murder /dev/mem I loved Sally, but I murdered her in the park on… Murder Murderer! Blood is on your shoulders! Murderous You murdered my hamster! Murdered Copyright 2015 by Andrew Case and Golden G. Richard III 8 Memory Analysis: Then • strings – essenDally no tools besides this, circa 2004 • pt_finder (~2006) – Windows process and thread enumeraon • FACE (~2008) – Memory analysis framework created at UNO – Correlates evidence in memory, network stack, network traces, filesystem – A bit closer to a framework rather than one-off tools • … Copyright 2015 by Andrew Case and Golden G. Richard III 9 Memory Analysis: Now Capture RAM • physical memory dumping tool from live • VM memory snapshot system • VM introspecDon • strings Analyze • carving Memory Dump • Volality • VM introspecDon Expose OS and • to yield useful Applicaon evidence Data Structures Copyright 2015 by Andrew Case and Golden G. Richard III 10 Memory Analysis: Now Use plugins to analyze: Running processes Hidden processes Hooks that hide malware Network connec4ons Encryp4on keys Private browsing data Clipboard data Volale registry branches Command history Window hierarchy + "easily" develop new plugins Copyright 2015 by Andrew Case and Golden G. Richard III 11 Detec4ng Hidden Resource U4liza4on • Adversary: Direct Kernel Object Manipulaon (DKOM) • Strategy: Deep analysis and cross-correlaon of data kernel data structures to reveal hidden resource uDlizaon PID = 2260 Doubly-linked process list in Windows kernel Processes conDnue to run because Windows C:\> fu –ph 2260 scheduler handles threads, not processes PID = 2260 Copyright 2015 by Andrew Case and Golden G. Richard III 12 Copyright 2015 by Andrew Case and Golden G. Richard III 13 FU on PID 2260 DKOM Hidden Process Detecon in Volality Copyright 2015 by Andrew Case and Golden G. Richard III 14 Windows, Mac, Linux • Windows and Linux memory forensics techniques are fairly mature • Lots of funcDonality • More work to do, but good malware / rootkit detecDon • > 115 Windows plugins for Volality • ~60 Mac plugins for Volality – Some tackle the same thing on the BSD / Mach sides • Mac OS X stuff lags behind and we're trying to fix that • Requires OS internals work, which we both like Copyright 2015 by Andrew Case and Golden G. Richard III 15 Mac OS X • Many APIs similar to those on Windows and Linux are commonly abused by malware on other plaorms • ExisDng Mac plugins do not check these subsystems • In addiDon, many Mac-specific features are vulnerable to abuse by rootkits / malware • These aren't addressed by exisDng memory forensics tools, either Copyright 2015 by Andrew Case and Golden G. Richard III 16 Facility: Kernel Event Callbacks • Use: Allows registraon of callbacks to be executed before specific events occur, e.g., process execuDon, system shutdown, hibernaon, et al • Abuse: Prevent security tools from loading, inject code into process before it can start, maintain persistence during reboot or shutdown • Windows API: PsSetCreateProcessNotifyRoutine • Windows detecDon plugin: callbacks Copyright 2015 by Andrew Case and Golden G. Richard III 17 Mac OS X Power Related Events • On Mac OS X, IOKit provides an API to register interest in power-related events • Callback is triggered for noDficaon – kIOMessageSystemWillPowerOff – kIOMessageSystemWillRestart – kIOMessageSystemWillSleep – kIOMessageDeviceHasPoweredOn – … • Defined in iokit/IOKit/IOMessage.h Copyright 2015 by Andrew Case and Golden G. Richard III 18 mac_interest_handlers Plugin • Find root of IOKit device tree • Walk tree and check for power-related interests, stored in IORegistryEntry structures • Enumerate handlers in associated IOCommand structure and verify that handlers are: – in code sec4on of running kernel --or-- – in address space of a loaded kernel extension • Marked suspicious if not • Importantly: locaon of handler also hints at malware locaon • Can then target specific regions of memory and examine Copyright 2015 by Andrew Case and Golden G. Richard III 19 Facility: Driver ßà Userland Communicaon • Use: Provide an interface for userland processes to request services from a kernel driver (read, write, change configuraon, etc.) • Abuse: Provides a mechanism for a userland component to hide data, protect files, communicate with kernel-level malware • Linux API: devfs, ioctl • Linux detecDon plugin: linux_check_fop Copyright 2015 by Andrew Case and Golden G. Richard III 20 Mac OS X Driver Communica4on • Mac OS X provides several mechanisms for drivers to communicate with user space – IOKit APIs that allow userspace to search for interesDng devices – devfs • For this talk, look only at devfs • TradiDonal filesystem interface • Device registers handlers for open(), close(), read(), write(), ioctl(), etc. Copyright 2015 by Andrew Case and Golden G. Richard III 21 Crisis: Notorious Mac OS X Malware • Patches AcDvity Monitor to hide • Takes screenshots • Captures audio • Captures video • Connects to WiFi hotspots to transmit collected data • Basically, all the stuff you're scared malware will do to you Copyright 2015 by Andrew Case and Golden G. Richard III 22 Crisis • LegiDmate device: /dev/pmCPU • "Evil" Crisis device: /dev/pfCPU • Kernel components live behind this device • Userspace components of Crisis use ioctl() calls to communicate with kernel components • Lots of complex hiding mechanisms in Crisis • Quickly locang handlers for kernel module can help direct stac analysis Copyright 2015 by Andrew Case and Golden G. Richard III 23 mac_devfs plugin "Good" mdworker is associated with Spotlight search indexing. This "evil" one can now be dumped and analyzed. Copyright 2015 by Andrew Case and Golden G. Richard III 24 Facility: Kernel Timers • Use: Register callback to be executed aer a certain amount of Dme • Abuse: Allow malicious code to run periodically without needing to hook funcDons, check persistence, check C&C server status, periodically exfiltrate data • Windows API: KeSetTimer • Windows detecDon plugin: timers Copyright 2015 by Andrew Case and Golden G. Richard III 25 mac_timers Plugin • Timer data is stored in per-CPU variables • Plugin analyzes cpu_data structure for each processor • cpu_data->rtclock_timer maintains queue of mers • For each Dmer, output: – Registering module – Time to elapse – Address of each parameter – Address of handler func4on – Suspicious? Copyright 2015 by Andrew Case and Golden G. Richard III 26 Facility: Userland Event Monitoring • Use: Allows userland processes to monitor events on files, processes, signals, etc. • Abuse: Stop processes from execuDng, determine when security tools are installed, detect when persistence mechanisms are removed • Windows API: FindFirstChangeNotification, RegNotifyChangeKeyValue – FILE_NOTIFY_CHANGE_FILE_NAME – FILE_NOTIFY_CHANGE_SIZE • Windows/Linux detecDon plugins: None (hint) Copyright 2015 by Andrew Case and Golden G. Richard III 27 KQueue Monitoring • Mac OS X facility that dates back to FreeBSD 4.1 • Use: Monitor file events, process creaon, signals, etc. • Abuse: Prevent processes from loading, react to process terminaon, etc. • Interfaced from userland through kqueue and kevent • man kqueue / man kevent Copyright 2015 by Andrew Case and Golden G. Richard III 28 mac_kevents Plugin • Enumerates all kevent structures… • …(data structures kung fu in the paper)… • …in the kernel and reports: – Which processes are being monitored (by PID) and which events are being monitored (fork, exec,