Security

Defend against kernel malware


Kernel malware, commonly known as rootkits, is malicious software that runs in the kernel of the OS with absolute rights to system resources.  End user devices infected with this type of software are open to undetectable processes that can steal data, collect PII, and otherwise control the system regardless of the presence of any anti-virus or personal firewall software.

How kernel malware works
According to Kimmo Kasslin at F-Secure, there are two types of kernel malware infections in Microsoft Windows environments: full-kernel and semi-kernel (“Kernel Malware: The Attack from Within”, 2006).  Before jumping into a description of each, it’s important to review how Windows memory is managed from a system protection perspective.  See Figure 1.

Figure 1

Windows applications run in one of two modes: kernel mode or user mode.  Kernel mode code performs tasks such as accessing hardware resources on behalf of a user application, and it typically has privileged access to system resources.  To protect the integrity of the operating system, user applications are run in user mode.  User mode applications, like word processors and Internet browsers, are unable to directly access hardware or protected OS services.  Rather, they must make calls to kernel libraries or drivers that carry out resource requests on behalf of the user applications.  This separation of processing tasks is enforced at the hardware level.  Kernel malware circumvents this separation of privileges by running in kernel mode with direct access to all system services.  In other words, it has complete control of the infected system.  One attack vector is the installation of a malicious driver.

Malware running in full-kernel mode performs all of its tasks within the kernel layer.  Although it might need a little help from the user to get installed, once operational it performs its assigned tasks without further user intervention.

Semi-kernel mode malware runs in both user mode and kernel mode.  One method of deployment consists of placing a .dll or .exe in user mode with access to a kernel mode driver.

According to Kasslin, the rise in popularity of kernel malware coincides with the move of cyber criminals to a hacking-for-profit model.  The advantage to criminals is that kernel malware usually goes undetected by standard antivirus and antispyware applications.

Mounting a defense
The first line of defense is denying local administrator access to PC users.  If an attacker can’t take advantage of user privileges to install kernel-based software, the level of effort required to compromise the PC might be high enough to encourage him to find a softer target.  In addition, management should ensure user awareness of the dangers of clicking on unknown links and consenting to the installation of unauthorized software.

Another important control is the implementation of a personal firewall on all workstations.  This can help prevent self-propagating infections from spreading.  It should be coupled with a strong patch management process.  Patching helps eliminate software flaws that can be used to inject malicious kernel code.

Also, consider prohibiting the installation of any unsigned drivers.  Installation of malicious drivers is a favorite method of placing kernel malware on target systems.
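As an added example (not from the article), the following PowerShell audits a Windows workstation for two of the controls above: it lists running kernel drivers whose Authenticode signature is not valid, and it lists who currently holds local Administrators membership.  It assumes an elevated Windows PowerShell 5.1 or later session; the function names are my own.

```powershell
# Added audit script (not part of the article). Run elevated so driver files are readable.

# Report running kernel drivers whose signature is missing or does not verify.
# Unsigned or tampered drivers are the installation path the article warns about.
function Get-UnsignedKernelDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be a plain path, "\??\C:\..." or "\SystemRoot\..."; normalize it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Report members of the local Administrators group; anything beyond the expected
# administrative accounts means the "deny local admin to users" control has slipped.
function Get-LocalAdminMember {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

"== Running drivers without a valid signature =="
Get-UnsignedKernelDriver | Format-Table -AutoSize

"== Local Administrators membership =="
Get-LocalAdminMember | Format-Table -AutoSize
```

Legitimate vendor drivers can show up as NotSigned on older systems, so treat the first list as a review queue rather than a verdict.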

Please see “Mount a Rootkit Defense” for more information on this growing threat.

 

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

13 comments
aaron

Isn't it time to put an end to viruses, rootkits, worms, and spyware? All this Anti-virus, Anti-Rootkit, Anti-spyware doesn't work. It's all a step behind. It is all reactive. Removing Admin rights helps, but doesn't eliminate these problems. And educating users to not click on things and hoping they follow instruction is like leaving the keys to your brand new Ferrari in front of your 16 yr old and asking him not to drive it. Put an end to it all...check out www.bit9.com A simple effective solution to prevent any malware from executing. It will eliminate all malware, reduce the management time of removing admin rights, and give you control over all software on all your PCs.

sukind1

Sometimes, I need to install a driver and if it's not available from regular sources, I need to find it from the web. If the driver contains this kind of malware, is there any way to identify and remove? - Sukhen

wdewey@cityofsalem.net

I have installed a great number of vendor drivers that are unsigned. The device which may be mission critical will not work because there is no "generic" driver written by MS. I don't think disallowing unsigned drivers is an option just yet for most companies.

BALTHOR

We have all of these deep intellectual studies on a particular kind of virus--the manpower time must be staggering. This, to me, does not fit with the normal human thought process. Get to the heart of the matter and end virus.

myg33ks

As this is my first day here I am surfing a bit and have not come across any discussion on the software available. I have tried pretty much every anti-virus available on the market. Nod32 seems to do the job where others have failed. Has anyone had any experience with Nod32?

bart001fr

The above-mentioned bit9 corp is for enterprise-level protection. They are a commercial concern. They are very secretive about their work. Don't even let you have a tryout of their software. This screams to me that they will charge you an arm and a leg for their solution. On the other hand, I tried the link in post 8 "Plenty of software" and there _is_ plenty of software for the home user. I only deplore that there doesn't seem to be any explanatory file on which processes do what and which are legitimate and which are actually being exploited, or even illegal for the OS. Such a file would greatly help the average user who knows a little and wants to learn more. I did visit the Rootkit Unhooker site. This individual is so good that apparently he has already had an attack specifically against his program, now thwarted by the author and a new build of his program. It's too bad a lot of his site is in Russian, because I'm sure there is a lot of information which is important but which I can't read. And translation bots are not quite up to snuff, yet! Of course, if you can read Russian, go have a look. You could be amazed. This guy cares!!! about his users and about those who write to his forums. (BTW, go read those, to get an insight into him. You'll be pleasantly surprised!) Bye for now. Bart.

wdewey@cityofsalem.net

How much money does a company spend on physical security or does a city spend fighting Graffiti, and theft? If you want to get rid of viruses then you are going to have to change the attitudes of the people creating them. Bill

mistryhc

I agree the org/people who apply this tech. thoughts are evil minded. The ancient Mayans also used highly sophisticated technology, thru mind, which eventually destroyed itself...is this what we want in this world.

aaron

Let's clear a few things up... You're right Bit9 is for corporate protection. When you read Tom's defense strategies, he is talking about corporations. When you use terms like "management should ensure user awareness" and "removing admin rights for users"...that is a corporation. Bit9 isn't secretive, and we will let you try the software. I have many corporations trying our software right now. We just ask that you let us guide you through the software. If you wanted to try it I could have you up in less than an hour. And we will cost less than all the Anti-Virus, Anti-spyware etc solutions that you pay for now that aren't effective against these threats or any other new ones that come out. Like I said, it is time to close the door on these security issues, and focus on something else.

techcafe

what does 'fighting graffiti' have to do with anything??? are you saying that computer malware and graffiti are somehow related?

malware coders (today) do their dirty work for $PROFIT$, they're no better than common thieves

graffiti artists (not taggers) have an entirely different motivation for their craft, and often an opposing set of philosophies & ambitions to those of greed-motivated hackers

profiteering and greed, on the part of cyber-criminals, and often, the legit companies that hire them, are what's keeping the malware coders in business

like anything, take the almighty $$$ out of the equation and people learn to play fair and nice again, civilized even

graffiti and malware have absolutely nothing in common, one has important cultural & historical significance dating back hundreds of years; the other, modern day malware, a cyber-criminal's tool used to profit or steal from and/or gain some unfair advantage over others, and it's always about the $$$... not to convey messages, provoke thought, or merely entertain, through graffiti, which i and many others see as just another form of art.

cheers / f

apotheon

"[i]what does 'fighting graffiti' have to do with anything??? are you saying that computer malware and graffiti are somehow related?[/i]"

It's called an "analogy". Look it up.

"[i]graffiti artists (not taggers) have an entirely different motivation for their craft, and often an opposing set of philosophies & ambitions to those of greed-motivated hackers[/i]"

1. There's good graffiti and bad graffiti. Clearly, wdewey was referring to bad graffiti. Don't assume that just because there are creators of good graffiti that the word is only applicable to good graffiti. If you do that, I promise I won't assume the opposite -- that just because there's bad graffiti, all graffiti must be bad.

2. Not all security crackers and computer vandals are motivated by money. Many are motivated in much the same way as criminal taggers. Some, however, certainly [i]are[/i] motivated by money.

3. The word is not "hacker". Don't misuse a term with a long, positive history just because the mass news media outlets misuse it all the time. [url=http://wiki.ursine.ca/Hacker][b]Read about it[/b][/url], and educate yourself.

"[i]like anything, take the almighty $$$ out of the equation and people learn to play fair and nice again, civilized even[/i]"

Money is not the root of all evil. All it takes to recognize that is a quick survey of communist regimes in the 20th century. Money's just a way to keep track of resources in a market economy that makes market economies scalable. It's morally neutral. In fact, without money, it's arguable that large-scale civilization wouldn't even have happened.

"[i]graffiti, which i and many others see as just another form of art.[/i]"

Graffiti on others' property without their permission is vandalism, no different in principle than cracking security on someone else's website, wiping out all of the data on that site, and replacing it with a digital illustration -- no matter how pretty the graffiti or digital illustration may be.
Like I said, there's good graffiti and bad graffiti.