Hello,

Lately Immunity Inc. published a new rootkit, called DR rootkit, available from their homepage along with sources.

The only other rootkit of this kind is mood-nt rootkit, developed 2-3 years ago by darkangel, a member of the antifork group (like the guy that made kern_check etc). It's available from darkangels website and it's in packetstorm too.

These rootkits use the Debug Registers of the processor to hook onto system calls and play with the system.

I must say I have not found anywhere a "mood-nt analysis" or a "DR rootkit analysis" document, but have not dived into their code either (it's not the simpliest thing in the world..).


Does anyone have any idea how to detect those rootkits if they are installed on the system? Obviously the tradiotional checks do not work...

Regards,
trv

It seems like you can trust the OS less and less as time goes on. That might mean the best solution is to rely on a different OS. For example, boot to a Live CD and use the find command to look for hidden, out of place, or otherwise suspicious files/directories. You could also monitor network traffic. The NSM Wiki has more information on Network Security Monitoring. If you can't trust the OS, I don't think you should rely on it to report accurate results from commands. These ways don't focus on detecting X type of rootkit, they should work with all rootkits.

Well yes ok, but those things really do not work with these rootkits..

Anyway, I'm looking for specific details or analysis on debug register rootkits, not general tips!

With all due respect but if you haven't searched for analysis docs or looked at the code, how can you know for sure what works and what not?


A few minutes worth of searching showed me a nice discussion on DailyDave, an interesting remark by Brad S. elsewhere, some primary-coloured pills, some recent papers on debug registers and suggestions about SMM and hardware. But just being curious, what would you do with that information? Do you have anything to share yourself on the subject by any chance?

And even though DR kits might be hard to detect right now it isn't something automagical. And one still must find a system, and a route into that system and transition out of userland...

Hello unSpawn. I expected that this thread may draw your attention

Don't get me wrong here. I'm doing a paper for a project in my university about rootkit technology, and after i've covered everything else, I decided to write some info about this special breed of rootkits, that work with the debug registers. Don't think anything too special or some extraodrintary research, it's mostly bibliographical.

I'm following dailydave and i've read some of the generic papers on the subject around debug registers. But that's not what i'm looking for.

Using chkrootkit I was not able to detect those rootkits, haven't tested rkhunter yet. You maintain it dont you? So you may be one of the best person to ask..

How can one detect dr rootkits? Of course you can also hook the registers and then the rootkit hook'em back etc. But is there any other way? From what I understand, there are no published methods or papers about "detecting debug register rootkits" (like there are for almost every other kind of rootkit)

Again, dont get me wrong, I'm looking into these things for completeness in my paper.
For examle i'm going to write "adore-ng and other vfs rootkits can be detected by examining 'this' thing, and there is 'this' program that does it, and there is 'this' paper covering it in detail. Then there are rootkits involing redirection of the whole syscall table, others involing rewriting addrress of the table etc, that can be detect with kern_check and other means etc.

But in the case of dr rootkits, I think there are not many things to write for..

I'd appreciate you posting the URI's for the papers you've got on the subject. 3 methods come to mind right now, each with their own esoteric requirements: dedicated PCI cards, Intel SMM and VMM's. As far as I know no readymade tools are available as of now. That's the answer you're looking for, right? Other than that I emphasise it's still a three stage rocket so without known good tools right now that still leaves auditing the entry phase and gathering evidence from the post-mortem phase.

Hello unSpawn, and sorry for the big delay

You are correct about everything in your last post, and that's the purpose of my original question.
If there exist any papers/tools, that dont have to do with pci cards/virtual machines etc.
Tools like saint jude or something maybe, kernel modules monitoring constantly the state of the system to see somehow if the debug registers are accesses from uncommon processes or for strange purposes.
Maybe monitoring all the do_debug function calls somehow.. i don't know.
That's what i was talking about when I asked if something in this area exists, some research maybe.
Maybe rkhunter could have a module available too, for just the 'extreme' cases when someone wants to be protected for threats like that too. But of course, i don't know if it's even possible detecting using a lkm, so that you dont have to go 'deeper' under the os to monitor the debug registers.

If you don't want to be only spoonfed conclusions I think you should at least read Rodrigo Branco on KIDS (2007) and Nick Petroni's dissertation (2008).

thank you for those. i've alread read Rodrigo's presentation (great), but only knew Petroni as a name from the copilot paper. Time to read his dissertation