HBGary Proprietary HBGary Rootkit Keylogger Platform

Summary of Features

· 100% kernel mode · Logs keyboard · Communicates over HTTP/PHP · Compression/Encryption of the logged data · Configuration via txt file · Can be attached to any .exe for installation via included toolchain · No detection by anti-rootkit tools [1]. · No detection by all tested personal firewalls [2] · None of the products stop communications with the remote server. [2] · Easily extensible

[1] Rootkit Detection Testing

The following detection tools were tested in April 2007. A subset were retested in August 2008. The rootkit was installed prior to the detection tool.

· AVG AntiRootkit 1.0.0.13 · RAIDE Beta 1.0 · Bit Defender v8 · Red Pill · BlackLight 2.2.1055 · RootKit Unhooker 3.01 · DarkSpy 1.05 · RootkitBuster 1.6-1049 · GMER 1.0.12.12011 · RootKitDetector 0.62 · Helios 1.1a · RootkitRevealer 1.71 · Hook Annalyzer 2.00 · Sana Security SafeConnect 2.1.0 · IceSword 1.20 · Anti-Rootkit 1.2.2 · Kproc Check .2beta2 · Spybot S&D 1.4 · McAfee Virus Scanner 2007 · SunBelt CounterSpy 1.5.82 · McAfee Stinger 2.60 · System Virginity Verifier 2.3 · Norton AntiVirus 2007 · Trend Micro 2007 15s1329 · 2007 · VICE 2.0 · Process Hunter 1.0 · Zone Alarm Pro · Process Walker 1.04 · Kaspersky Internet Security

[2] Firewall Communication Testing

The rootkit was tested against major products in April 2007 and retested in August 2008. The firewall detection tool was installed first, followed by the rootkit.

· McAfee Virus Scanner (includes firewall) · Norton Internet Security · Trend Micro Internet Security * · Zone Alarm Pro · Kaspersky Internet Security

Tested in April 2007 only:

· Comodo Firewall Pro · Jetico Personal Firewall · Outpost Firewall PRO · Panda Antivirus + Firewall

* Only Trend Micro reported an alert during installation of the rootkit and only after the detection tool was installed prior to the rootkit. This was a low level alert. TrendMicro assaults the user with so many of these alerts in every day use, therefore most users will quickly learn to ignore or even turn off such alerts.

Architecture

Rootkit is a kernel mode driver. It has no user mode components except (of course) the installer.

The software consists of 2 components:

· Component to sniff keyboard · Component to detect browser usage

The rootkit exfiltrates keystrokes to a remote server only when the user surfs the web with default browser.

The rootkit is designed to “hide in plain sight”. It uses no “undocumented” hooking techniques: · No direct dispatch table hooking · No SDT hooking · No (add any common dirty trick here)

Using hooks is not necessary and can leads to incompatibilities. The HBGary rootkit methods are fully supported and documented. Stealth tricks are exactly why rootkits are detectable today. Anti-rootkit scanners check for discrepancies between user mode calls and kernel mode calls, and report differences. Registry hooking and file hiding is detected by most anti- rootkits. The HBGary rootkit is not susceptible to these forms of detection. Furthermore, by avoiding these stealth techniques, the HBGary rootkit does not run the risk of machine and configuration incompatibilities.

The HBGary rootkit is cutting edge because it can exfiltrate information past personal firewalls without detection. Most experts in the field who have given presentations at conferences have reported that there is no way to bypass desktop firewalls without using complicate TDI hooking, private TCP stacks, or rewriting components of NDIS. The HBGary rootkit demonstrates full working firewall bypass at the TDI level (this means full kernel sockets interface) without using any of the abovementioned complicated modifications to the OS. The elegance of the design means more reliability, less detection footprint, and inexpensive extensibility of communications using the already existing and supported OS kernel sockets interface.

Although some so-called experts have reported that using OS kernel sockets is fully detectable and known, the HBGary rootkit proves this is completely false as our tests have shown. The HBGary rootkit utilizes specific injection and hijack technology to use the browsers thread(s) for communication, thus bypassing all the above tested firewalls. When bypass is not obtained in this manner, communications can be placed at a different location in the stack, and if this does not work, a specific patch can be placed in the offending firewall so that bypass is possible. In short, nothing will stop the HBGary rootkit from working. The benefit is a much lower cost to develop additional communication features.

Communication Features

· Uses outbound connections only · Easy to use kernel sockets interface for extensibility · No popup dialogs complaining about outbound connections · No listening sockets that can be detected · Uses HTTP because it is always allowed to egress the network · Using HTTP allows storing of exfiltrated data in a third party location such as free web-space or chatsite

The ability to exfiltrate to a 3rd party dead-drop for pickup means the rootkit controller and the infected machine never have to communicate directly.

Installation and Development

To change the name of the rootkit only requires a change to a single .h header file. The rootkit comes with a build utility. The rootkit driver must be given a name that will not stand out – something that appears as a normal system driver. This is easy to do. And, even if the rootkit driver is suspected, it will need to be reverse engineered in order to determine that it is a backdoor program.

The rootkit delivery package is a single executable file. This is produced by the build utility. The delivery package can install the rootkit driver and bypass windows file protection on XP SP2. The user is not alerted that a driver is being installed, and the driver is not required to be signed. The installation of the rootkit in this manner requires one reboot of the system before it becomes “live”.