SlideShare a Scribd company logo

ZakiHumphrey-VB2014

A
Ahmed Zaki

This document describes a technique for automatically discovering rootkits by comparing kernel memory snapshots before and after running potentially malicious drivers or executables. The technique was implemented in a system that runs samples in a virtual machine, extracts kernel memory contents, analyzes differences to identify suspicious modifications, and generates signatures of common rootkit behaviors. The system was tested on high-profile rootkits, driver samples, and random executables. It was able to identify kernel modifications in over 80% of malicious samples and detect behaviors of known rootkits without relying on file contents or known signatures. The authors conclude the technique is effective but note areas for future work, such as analyzing additional kernel structures and detecting more advanced techniques like DKOM or usermode rootkits

1 of 34
Download to read offline
Unveilingthekernel:Rootkitdiscovery usingselectiveautomatedkernelmemory differencing Ahmed Zaki and Benjamin Humphrey
Agenda 2 • Objective and method • System design and implementation • Running drivers • Data extraction • Processing the data • Reporting and signatures • And the result is … • Experiment A: High profile rootkits • Experiment B: Driver files • Experiment C: Random set of PE files • Conclusion • Future work
What is the objective? • Automate the process of finding samples that exhibit kernelmode behaviour • List the modifications made to the kernel • Identify the maliciousness of specific modifications • Import that data into other systems 3
How do we automate the process? •Use existing tools •Build our own •Using anti-rootkit tools •Using a custom diff based solution 4
Bird’s eye view 5 HOST Auxiliary module Processing module Django templates GUEST Analysis Packages Auxiliary module Signatures
Running Driver files 6 Guest VM Is Driver file ? Driver Analysis Package Other Analysis package (Servicename | StartType | ServiceType | LoadMode) “Register service using scm If not loadmode then: start service using NTLoadDriver Else: start service using loadmode option If not service is running: report FAIL ! “
Usage of the SophosAV Engine With the SAV engine we get: • Existing software that has a presence in the kernel • The ability to examine/dump areas of kernel memory • The ability to write to a log file NOTE: Due to modular design we don’t need to use the Sophos AV engine. 7
Examining the kernel Drivers Modules SSDT IDT Callbacks Disk Information What areas are we looking at? 8
Processing the data 9 { "mbr" : { }, "drivers" : { "FileSystemluafv" : { "driverstart" : -1869398016, "driversize" : 110592, "driverinit" : -1869319406, "driverstartio" : 0, "driverunload" : 0, "filepath" : "C:WindowsSystem32driver sluafv.sys", "sha" : "befb20d2e32a0107602707d3f 6de84aa483a5b5e", { "mbr" : { }, "drivers" : { "FileSystemMRxDAV" : { "driverstart" : -161308672, "driversize" : 180608, "driverinit" : -161144443, "driverstartio" : 0, "driverunload" : -161263572, "filepath" : "C:WINDOWSsystem32driv ersmrxdav.sys", "sha" : "68dc26e6576ef52bedc7d97ba 44679a0e1cc3d74", "irp" : { Processing module Capture Added – Changed – Deleted data Eliminate noise Tag and organise data Baseline data Job analysis data Diff data
Analysis log Baseline log Processing the data 10
Data flow 11 Data Signatures Reporting {"drivers": {"Driver4C3553F1": {"Added": {"driverinit": "0xf7b97983", "driverunload": "0xf7b9794a", "irp": {"IRP_MJ_CREATE_MAILSLOT ": "0xf7b97965", "IRP_MJ_SET_QUOTA": "0xf7b97965", "IRP_MJ_SET_SECURITY": "0xf7b97965", "IRP_MJ_SET_VOLUME_INFO RMATION": "0xf7b97965", "IRP_MJ_WRITE": "0xf7b97965", …" generic_new_driver generic_modified_driver generic_deleted_driver generic_new_module generic_deleted_module generic_ssdt_hook generic_idt_hook generic_new_callback generic_modifed_callback generic_attached_device …
Drivers New driver objects Modified driver objects Deleted driver objects Signatures 12
Modules New Modules Modified Modules Deleted Modules Signatures 13
Devices New device objects New device objects by newservice Signatures 14
Callbacks New Callbacks Modified Callbacks Signatures 15
Hooks SSDT Hooks IDT Hooks Signatures 16
Disk Modified MBR Modified VBR Modified EOD size Signatures 17
Reports 18
19
Tests • High profile rootkits • TDL Derivatives • GAPZ • Turla • Necurs • Experiment B: Malicious and clean driver set • Experiment C: Random set of known malicious PE files 20
TDLDerivatives 21
22 TDLDerivatives
GAPZ 23
6A08 push byte +0x8 CDC3 int 0xc3 90 nop Turla a.k.a Snake, Uroborus 24
Necurs 25
High profile rootkits • We do not always get enough information to classify specific families • We are getting enough information to warrant further investigation by an researcher 26
Experiment B 27 82% 18% Malicious Drivers With Kernel Data Without Kernel Data 51% 49% Clean Drivers With Kernel Data Without Kernel Data • Total number of malicious drivers 1854. • Total number of clean drivers 1053. • Insufficient time for the log to be generated was a common reason for failure to get back kernel data. Miss the log by a second or two. It’s a trade off.
And the results is 28 0 10 20 30 40 50 60 70 80 90 100 Malicious Clean
ExperimentA 29
Experiment C 30 96% 4% Set of PE files With Kernel memory Without Kernel Data • 319 of known malicious PE files. 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 Kernel memory signature hits for PE files Kernel memory signature hits for PE files
Weighting the signatures 31 Suspicious Modified driver Modified module Info New driver objects New module Malicious SSDT Hook IDT Hook New Callback Attached Device Modified MBR Modified VBR Modified EOD size
Conclusion • Malicious activity can be identified via modifications rather than creation • Malicious drivers are unlikely to employ anti-sandboxing techniques • Good enough to identify kernel activity • Not exhaustive analysis 32
Future work • Exploring other areas of the kernel • Object table • DKOM • 64bit drivers • Sample clustering • Usermode rootkits 33
Questions? 34

Recommended

Azure - Bronagh Sorota - ManageIQ Design Summit 2016
Azure - Bronagh Sorota - ManageIQ Design Summit 2016Azure - Bronagh Sorota - ManageIQ Design Summit 2016
Azure - Bronagh Sorota - ManageIQ Design Summit 2016ManageIQ
 
3 v zsajnitb
3 v zsajnitb3 v zsajnitb
3 v zsajnitbReal Time Lead Gen
 
MISION UDL
MISION UDLMISION UDL
MISION UDLastriDSANZ112
 
Slides Global Warming
Slides Global WarmingSlides Global Warming
Slides Global Warmingdiannemarie420
 
นางสาว ฐิติ สุวรรณสุทธิ
นางสาว ฐิติ สุวรรณสุทธินางสาว ฐิติ สุวรรณสุทธิ
นางสาว ฐิติ สุวรรณสุทธิZeeratithi
 
Ministry teams minutes Oct. 2015
Ministry teams minutes Oct. 2015Ministry teams minutes Oct. 2015
Ministry teams minutes Oct. 2015Church of the Nativity
 
Social media 101 pres
Social media 101 presSocial media 101 pres
Social media 101 presAlexandra Kulas
 
Scams that go after your Money
Scams that go after your Money Scams that go after your Money
Scams that go after your Money 321Financial
 

Recommended

Azure - Bronagh Sorota - ManageIQ Design Summit 2016
Azure - Bronagh Sorota - ManageIQ Design Summit 2016Azure - Bronagh Sorota - ManageIQ Design Summit 2016
Azure - Bronagh Sorota - ManageIQ Design Summit 2016ManageIQ
 
3 v zsajnitb
3 v zsajnitb3 v zsajnitb
3 v zsajnitbReal Time Lead Gen
 
MISION UDL
MISION UDLMISION UDL
MISION UDLastriDSANZ112
 
Slides Global Warming
Slides Global WarmingSlides Global Warming
Slides Global Warmingdiannemarie420
 
นางสาว ฐิติ สุวรรณสุทธิ
นางสาว ฐิติ สุวรรณสุทธินางสาว ฐิติ สุวรรณสุทธิ
นางสาว ฐิติ สุวรรณสุทธิZeeratithi
 
Ministry teams minutes Oct. 2015
Ministry teams minutes Oct. 2015Ministry teams minutes Oct. 2015
Ministry teams minutes Oct. 2015Church of the Nativity
 
Social media 101 pres
Social media 101 presSocial media 101 pres
Social media 101 presAlexandra Kulas
 
Scams that go after your Money
Scams that go after your Money Scams that go after your Money
Scams that go after your Money 321Financial
 
0908 chapter5
0908 chapter50908 chapter5
0908 chapter5Nicholas Schiller
 
Ryan Jennings Resume 092116
Ryan Jennings Resume 092116Ryan Jennings Resume 092116
Ryan Jennings Resume 092116Ryan Jennings
 
Hope express vol 8 no 3
Hope express vol 8 no 3Hope express vol 8 no 3
Hope express vol 8 no 3rcpagasa1
 
Lifestyle workbook
Lifestyle workbookLifestyle workbook
Lifestyle workbookKjnO8484
 
Wireless cellular technologies
Wireless cellular technologiesWireless cellular technologies
Wireless cellular technologiesganeshmaali
 
Business Plan
Business PlanBusiness Plan
Business PlanAmit Kumar
 
Closed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma CollinsClosed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma CollinsLiz Warner
 
Closed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma CollinsClosed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma CollinsLiz Warner
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍jeffz
 
Gpu digital lab english version
Gpu digital lab english versionGpu digital lab english version
Gpu digital lab english versionoleg gubanov
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Valeriy Kravchuk
 
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Guglielmo Iozzia
 
Apache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise CompanyApache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise CompanyDatabricks
 
Device Identification & Driver Management (DIDM)
Device Identification & Driver Management (DIDM)Device Identification & Driver Management (DIDM)
Device Identification & Driver Management (DIDM)Gunjan Patel
 
XPages on Bluemix - the Do's and Dont's
XPages on Bluemix - the Do's and Dont'sXPages on Bluemix - the Do's and Dont's
XPages on Bluemix - the Do's and Dont'sOliver Busse
 
Cypress.pptx
Cypress.pptxCypress.pptx
Cypress.pptxArshad QA
 
Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...
Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...
Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...DroidConTLV
 
Event log analyzer by me
Event log analyzer by me Event log analyzer by me
Event log analyzer by me ER Swapnil Raut
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Opersys inc.
 
pio_present
pio_presentpio_present
pio_presentGladson Manuel
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisAbdulrahman Bassam
 

More Related Content

Viewers also liked

Ryan Jennings Resume 092116
Ryan Jennings Resume 092116Ryan Jennings Resume 092116
Ryan Jennings Resume 092116Ryan Jennings
 
Hope express vol 8 no 3
Hope express vol 8 no 3Hope express vol 8 no 3
Hope express vol 8 no 3rcpagasa1
 
Lifestyle workbook
Lifestyle workbookLifestyle workbook
Lifestyle workbookKjnO8484
 
Wireless cellular technologies
Wireless cellular technologiesWireless cellular technologies
Wireless cellular technologiesganeshmaali
 

Viewers also liked (6)

0908 chapter5
0908 chapter50908 chapter5
0908 chapter5
 
Ryan Jennings Resume 092116
Ryan Jennings Resume 092116Ryan Jennings Resume 092116
Ryan Jennings Resume 092116
 
Hope express vol 8 no 3
Hope express vol 8 no 3Hope express vol 8 no 3
Hope express vol 8 no 3
 
Lifestyle workbook
Lifestyle workbookLifestyle workbook
Lifestyle workbook
 
Wireless cellular technologies
Wireless cellular technologiesWireless cellular technologies
Wireless cellular technologies
 
Business Plan
Business PlanBusiness Plan
Business Plan
 

Similar to ZakiHumphrey-VB2014

Closed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma CollinsClosed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma CollinsLiz Warner
 
Closed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma CollinsClosed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma CollinsLiz Warner
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍jeffz
 
Gpu digital lab english version
Gpu digital lab english versionGpu digital lab english version
Gpu digital lab english versionoleg gubanov
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Valeriy Kravchuk
 
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Guglielmo Iozzia
 
Apache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise CompanyApache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise CompanyDatabricks
 
Device Identification & Driver Management (DIDM)
Device Identification & Driver Management (DIDM)Device Identification & Driver Management (DIDM)
Device Identification & Driver Management (DIDM)Gunjan Patel
 
XPages on Bluemix - the Do's and Dont's
XPages on Bluemix - the Do's and Dont'sXPages on Bluemix - the Do's and Dont's
XPages on Bluemix - the Do's and Dont'sOliver Busse
 
Cypress.pptx
Cypress.pptxCypress.pptx
Cypress.pptxArshad QA
 
Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...
Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...
Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...DroidConTLV
 
Event log analyzer by me
Event log analyzer by me Event log analyzer by me
Event log analyzer by me ER Swapnil Raut
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Opersys inc.
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisAbdulrahman Bassam
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Saltstack - Orchestration & Application Deployment
Saltstack - Orchestration & Application DeploymentSaltstack - Orchestration & Application Deployment
Saltstack - Orchestration & Application Deploymentinovex GmbH
 
Unified Data Access with Gimel
Unified Data Access with GimelUnified Data Access with Gimel
Unified Data Access with GimelAlluxio, Inc.
 
Data orchestration | 2020 | Alluxio | Gimel
Data orchestration | 2020 | Alluxio | GimelData orchestration | 2020 | Alluxio | Gimel
Data orchestration | 2020 | Alluxio | GimelDeepak Chandramouli
 

Similar to ZakiHumphrey-VB2014 (20)

Closed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma CollinsClosed-Loop Platform Automation by Tong Zhong and Emma Collins
Closed-Loop Platform Automation by Tong Zhong and Emma Collins
 
Closed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma CollinsClosed Loop Platform Automation - Tong Zhong & Emma Collins
Closed Loop Platform Automation - Tong Zhong & Emma Collins
 
Windows内核技术介绍
Windows内核技术介绍Windows内核技术介绍
Windows内核技术介绍
 
Gpu digital lab english version
Gpu digital lab english versionGpu digital lab english version
Gpu digital lab english version
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 
Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)Applying profilers to my sql (fosdem 2017)
Applying profilers to my sql (fosdem 2017)
 
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
Building a data pipeline to ingest data into Hadoop in minutes using Streamse...
 
Apache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise CompanyApache Spark for Cyber Security in an Enterprise Company
Apache Spark for Cyber Security in an Enterprise Company
 
Device Identification & Driver Management (DIDM)
Device Identification & Driver Management (DIDM)Device Identification & Driver Management (DIDM)
Device Identification & Driver Management (DIDM)
 
XPages on Bluemix - the Do's and Dont's
XPages on Bluemix - the Do's and Dont'sXPages on Bluemix - the Do's and Dont's
XPages on Bluemix - the Do's and Dont's
 
Cypress.pptx
Cypress.pptxCypress.pptx
Cypress.pptx
 
Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...
Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...
Backend, Simplified - A sane look on the mobile backend world, Nir Orpaz, Mob...
 
Event log analyzer by me
Event log analyzer by me Event log analyzer by me
Event log analyzer by me
 
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...Using and Customizing the Android Framework / part 4 of Embedded Android Work...
Using and Customizing the Android Framework / part 4 of Embedded Android Work...
 
pio_present
pio_presentpio_present
pio_present
 
Reversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysisReversing & malware analysis training part 12 rootkit analysis
Reversing & malware analysis training part 12 rootkit analysis
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Saltstack - Orchestration & Application Deployment
Saltstack - Orchestration & Application DeploymentSaltstack - Orchestration & Application Deployment
Saltstack - Orchestration & Application Deployment
 
Unified Data Access with Gimel
Unified Data Access with GimelUnified Data Access with Gimel
Unified Data Access with Gimel
 
Data orchestration | 2020 | Alluxio | Gimel
Data orchestration | 2020 | Alluxio | GimelData orchestration | 2020 | Alluxio | Gimel
Data orchestration | 2020 | Alluxio | Gimel
 

ZakiHumphrey-VB2014

  • 2. Agenda 2 • Objective and method • System design and implementation • Running drivers • Data extraction • Processing the data • Reporting and signatures • And the result is … • Experiment A: High profile rootkits • Experiment B: Driver files • Experiment C: Random set of PE files • Conclusion • Future work
  • 3. What is the objective? • Automate the process of finding samples that exhibit kernelmode behaviour • List the modifications made to the kernel • Identify the maliciousness of specific modifications • Import that data into other systems 3
  • 4. How do we automate the process? •Use existing tools •Build our own •Using anti-rootkit tools •Using a custom diff based solution 4
  • 5. Bird’s eye view 5 HOST Auxiliary module Processing module Django templates GUEST Analysis Packages Auxiliary module Signatures
  • 6. Running Driver files 6 Guest VM Is Driver file ? Driver Analysis Package Other Analysis package (Servicename | StartType | ServiceType | LoadMode) “Register service using scm If not loadmode then: start service using NTLoadDriver Else: start service using loadmode option If not service is running: report FAIL ! “
  • 7. Usage of the SophosAV Engine With the SAV engine we get: • Existing software that has a presence in the kernel • The ability to examine/dump areas of kernel memory • The ability to write to a log file NOTE: Due to modular design we don’t need to use the Sophos AV engine. 7
  • 8. Examining the kernel Drivers Modules SSDT IDT Callbacks Disk Information What areas are we looking at? 8
  • 9. Processing the data 9 { "mbr" : { }, "drivers" : { "FileSystemluafv" : { "driverstart" : -1869398016, "driversize" : 110592, "driverinit" : -1869319406, "driverstartio" : 0, "driverunload" : 0, "filepath" : "C:WindowsSystem32driver sluafv.sys", "sha" : "befb20d2e32a0107602707d3f 6de84aa483a5b5e", { "mbr" : { }, "drivers" : { "FileSystemMRxDAV" : { "driverstart" : -161308672, "driversize" : 180608, "driverinit" : -161144443, "driverstartio" : 0, "driverunload" : -161263572, "filepath" : "C:WINDOWSsystem32driv ersmrxdav.sys", "sha" : "68dc26e6576ef52bedc7d97ba 44679a0e1cc3d74", "irp" : { Processing module Capture Added – Changed – Deleted data Eliminate noise Tag and organise data Baseline data Job analysis data Diff data
  • 11. Data flow 11 Data Signatures Reporting {"drivers": {"Driver4C3553F1": {"Added": {"driverinit": "0xf7b97983", "driverunload": "0xf7b9794a", "irp": {"IRP_MJ_CREATE_MAILSLOT ": "0xf7b97965", "IRP_MJ_SET_QUOTA": "0xf7b97965", "IRP_MJ_SET_SECURITY": "0xf7b97965", "IRP_MJ_SET_VOLUME_INFO RMATION": "0xf7b97965", "IRP_MJ_WRITE": "0xf7b97965", …" generic_new_driver generic_modified_driver generic_deleted_driver generic_new_module generic_deleted_module generic_ssdt_hook generic_idt_hook generic_new_callback generic_modifed_callback generic_attached_device …
  • 12. Drivers New driver objects Modified driver objects Deleted driver objects Signatures 12
  • 14. Devices New device objects New device objects by newservice Signatures 14
  • 17. Disk Modified MBR Modified VBR Modified EOD size Signatures 17
  • 19. 19
  • 20. Tests • High profile rootkits • TDL Derivatives • GAPZ • Turla • Necurs • Experiment B: Malicious and clean driver set • Experiment C: Random set of known malicious PE files 20
  • 24. 6A08 push byte +0x8 CDC3 int 0xc3 90 nop Turla a.k.a Snake, Uroborus 24
  • 26. High profile rootkits • We do not always get enough information to classify specific families • We are getting enough information to warrant further investigation by an researcher 26
  • 27. Experiment B 27 82% 18% Malicious Drivers With Kernel Data Without Kernel Data 51% 49% Clean Drivers With Kernel Data Without Kernel Data • Total number of malicious drivers 1854. • Total number of clean drivers 1053. • Insufficient time for the log to be generated was a common reason for failure to get back kernel data. Miss the log by a second or two. It’s a trade off.
  • 28. And the results is 28 0 10 20 30 40 50 60 70 80 90 100 Malicious Clean
  • 30. Experiment C 30 96% 4% Set of PE files With Kernel memory Without Kernel Data • 319 of known malicious PE files. 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 Kernel memory signature hits for PE files Kernel memory signature hits for PE files
  • 31. Weighting the signatures 31 Suspicious Modified driver Modified module Info New driver objects New module Malicious SSDT Hook IDT Hook New Callback Attached Device Modified MBR Modified VBR Modified EOD size
  • 32. Conclusion • Malicious activity can be identified via modifications rather than creation • Malicious drivers are unlikely to employ anti-sandboxing techniques • Good enough to identify kernel activity • Not exhaustive analysis 32
  • 33. Future work • Exploring other areas of the kernel • Object table • DKOM • 64bit drivers • Sample clustering • Usermode rootkits 33