
August 4, 2013 ⁄ General

Defend against kernel malware

《endurer's note: 1. defend against: to ward off (to argue in defense of ...)》

Kernel malware, commonly known as rootkits, is malicious software that runs in the kernel of the OS with absolute rights to system resources. End-user devices infected with this type of software are open to undetectable processes that can steal data, collect PII (personally identifiable information), and otherwise control the system regardless of the presence of any anti-virus or personal firewall software.

《endurer's note: 1. and otherwise: and the rest (and so on)
2. regardless of: without regard to, at any cost》

How kernel malware works

According to Kimmo Kasslin at F-Secure, there are two types of kernel malware infections in Microsoft Windows environments: full-kernel and semi-kernel (“Kernel Malware: The Attack from Within”, 2006). Before jumping into a description of each, it is important to review how Windows memory is managed from a system protection perspective. See Figure 1.

《endurer's note: 1. semi: adj. half, partial, incomplete; n. semi-trailer (trailer, two-wheeled trailer)
2. jump into: to plunge headlong into》

Figure 1

Windows applications run in one of two modes: kernel mode or user mode. Kernel mode code performs tasks such as accessing hardware resources on behalf of a user application, and typically has privileged access to system resources. Because of this, user applications run in user mode to protect the integrity of the operating system. User mode applications, like word processors and Internet browsers, are unable to directly access hardware or protected OS services. Rather, they must make calls to kernel libraries or drivers, which carry out the resource requests on behalf of the user applications. This separation of processing tasks is enforced at the hardware level. Kernel malware circumvents this privilege boundary by running in kernel mode with direct access to all system services. In other words, it has complete control of the infected system. One attack vector is the installation of a malicious driver.

《endurer's note: 1. on behalf of: representing, for the sake of》

Malware running in full-kernel mode performs all tasks within the kernel layer. Although it might need a little help from the user to get installed, once operational it performs its assigned tasks without further user intervention.

Semi-kernel mode malware runs in both user mode and kernel mode. One method of deployment consists of placing a .dll or .exe in user mode that has access to a kernel mode driver.

《endurer's note: 1. consist of: to be composed of》

According to Kasslin, the rise in popularity of kernel malware coincides with the move of cyber criminals to a hacking-for-profit model. The advantage to criminals is that kernel malware is usually undetectable by standard antivirus and antispyware applications.

《endurer's note: 1. coincide with: to agree with (to be consistent with, to overlap with)》

Mounting a defense

The first line of defense is denying local administrator access to PC users. If an attacker cannot take advantage of user privileges to install kernel-based software, the level of effort required to compromise the PC might be high enough to encourage him to find a softer target. In addition, management should ensure user awareness of the dangers of clicking on unknown links and consenting to the installation of unauthorized software.
《endurer's note: 1. take advantage of: to make use of
2. in addition: additionally, moreover
3. aware of: to know (to perceive, to realize)
4. consent to: to approve (to agree)》

Another important control is the implementation of a personal firewall on all workstations. This can help prevent self-propagating infections from spreading. It should be coupled with a strong patch management process. Patching helps eliminate software flaws that can be used to inject malicious kernel code.

《endurer's note: 1. coupled with: together with, along with》

Also, consider prohibiting the installation of any unsigned drivers. Installation of malicious drivers is a favorite method of placing kernel malware on target systems.
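As an added example that is not part of the original article, the following PowerShell script audits the controls recommended above on a single workstation: it reports registered kernel drivers whose Authenticode signature is anything other than valid, lists who holds local Administrators membership, and checks whether test-signing mode (which lets unsigned drivers load) is enabled. The function names are my own and assume an elevated PowerShell session on Windows 10 or later.

```powershell
# Added example: audit unsigned drivers, local admin membership and test-signing mode.
# Helper names (Resolve-DriverPath, Test-DriverSignatures, Get-LocalAdminMembers,
# Test-TestSigning) are hypothetical and defined here; they are not built-in cmdlets.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Driver services store paths in NT forms such as \??\C:\..., \SystemRoot\... or System32\...
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Test-DriverSignatures {
    # Every kernel driver registered as a service whose signature is not Valid
    # (NotSigned, HashMismatch, UnknownError, ...) deserves a closer look.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    } | Where-Object { $_.Status -ne 'Valid' }
}

function Get-LocalAdminMembers {
    # Accounts that could install a driver in the first place.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

function Test-TestSigning {
    # Returns $true when the boot entry has testsigning enabled, i.e. unsigned drivers may load.
    $line = (bcdedit /enum '{current}' 2>$null) | Where-Object { $_ -match '^\s*testsigning' }
    return [bool]($line -match 'Yes')
}

Test-DriverSignatures | Format-Table -AutoSize
Get-LocalAdminMembers | Format-Table -AutoSize
if (Test-TestSigning) { Write-Warning 'Test-signing mode is enabled; unsigned drivers can load.' }
```

An empty first table and a short Administrators list are the expected healthy result; a driver in the Running state with a NotSigned or HashMismatch status is the condition the article warns about.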

Please see “Mount a Rootkit Defense” for more information on this growing threat.
