From: IPD [ipd@pedestalsoftware.com]
Sent: Wednesday, June 07, 2000 9:42 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Proposal for protection from windows rootkit drivers

Name   : Integrity Protection Driver (IPD)
Version: 1.0 - First Release
Purpose: Prevent installation of rootkit device drivers on NT/2000
License: Open Source

Summary
-------

The most effective rootkits are designed as device drivers because they provide the greatest control over the operating system for the purpose of hiding trojans, DDOS tools, and altered data from change detection applications such as Intact and Tripwire. Since they operate in kernel space they have full rein over virtually all system functions.

One solution is to stop such drivers from being installed in the first place. We propose our own device driver that is designed specifically to block the installation of new drivers even if you have Administrator or LocalSystem credentials. We are calling our driver the Integrity Protection Driver (IPD).

Integrity Protection Driver (IPD)
---------------------------------

The IPD is an Open Source device driver designed to prohibit the installation of new services and drivers and to protect existing drivers from tampering. It installs on Windows NT and Windows 2000 computers.

Updated information, source and binaries may be found at:

http://www.pedestalsoftware.com/

What It Does
------------

The IPD hooks undocumented system service functions in order to alter the access mask requested on driver-related registry keys and files, so that only read access is granted no matter which account is requesting access. This effectively prohibits the Service Control Manager or user applications from changing, adding or deleting service and driver keys and values in the registry, and from adding to or replacing existing driver binaries in the %SystemRoot%\system32\drivers directory.

Is there a way to circumvent the IPD?
-------------------------------------

If there is a mechanism to load and execute a device driver without using Service Control Manager functions and without the need to write to the Services portion of the registry, then there may be a way to circumvent the IPD. We are not aware of any mechanism to do this. However, if one is discovered the IPD could be amended to hook and alter the functions used.

What's Included
---------------

The distribution includes the following files:

ipd.sys        -- the compiled device driver for x86-based computers
ipdinstall.exe -- the installation/removal program
readme         -- readme file
driver/*       -- source files

Installation
------------

To install the IPD device driver, unzip all files into a directory. Execute the ipdinstall.exe program to install and start the driver:

ipdinstall.exe install

The driver is installed for "automatic" startup, which means it will automatically start at system boot. The driver engages, or begins protecting, 20 minutes after it has started.

IMPORTANT:

* Once the Driver is started it may not be stopped.
* Once the Driver is engaged it may not be removed. Even if the appropriate Service Control Manager function call marks the driver for deletion, the driver will still not be removed.

Removal
-------

YOU MUST REMOVE THE IPD DEVICE DRIVER WITHIN 20 MINUTES OF STARTUP, AND THEN REBOOT THE SYSTEM. If the driver has already engaged then you will have to reboot and remove it within 20 minutes of boot up. The remove command is:

ipdinstall.exe remove

Support
-------

There is no support. New versions can be found at http://www.pedestalsoftware.com. Bug reports should be sent to bugs@pedestalsoftware.com.

References
----------

Undocumented Windows NT by Dabak, Phadke and Borate, M&T Books, 1999.
Microsoft Windows DDK.

Copyright and Grant of Use
--------------------------

The IPD is Open Source, please see the web site for details.

Who is Pedestal Software?
-------------------------

Pedestal Software is based near Boston, MA, and has been providing security software since 1996. Its founders come from the financial services and banking industries where security and system integrity are top priorities.

On the web: http://www.pedestalsoftware.com
email: support@pedestalsoftware.com
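The following is an added illustration of the decision described in the "What It Does" section above; it is not the IPD source (which is at the URL above) and it is user-mode C rather than kernel code, so the service-function hooking itself is not shown. It models the hook's one job: given the object a caller is opening and the access mask it asked for, return a mask with every write, delete and ownership bit removed whenever the object is a driver-related registry key or a file in the drivers directory, regardless of who the caller is, and only once the 20-minute grace period has elapsed. The protected path prefixes, the function names and the use of plain seconds for the engage delay are assumptions made for this model; the access-right values are the documented winnt.h constants.

```c
/* Added model of the IPD access-mask policy (illustration only, not the
 * IPD source).  Assumptions not taken from the announcement: the two
 * protected NT-native path prefixes, the function names, and seconds as
 * the unit for the 20-minute engage delay.  Right values are from winnt.h. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ACCESS_MASK;

/* Standard and generic rights */
#define IPD_DELETE          0x00010000u
#define IPD_WRITE_DAC       0x00040000u
#define IPD_WRITE_OWNER     0x00080000u
#define IPD_GENERIC_ALL     0x10000000u
#define IPD_GENERIC_WRITE   0x40000000u
#define IPD_MAXIMUM_ALLOWED 0x02000000u
/* Registry-specific rights */
#define IPD_KEY_QUERY_VALUE    0x0001u
#define IPD_KEY_SET_VALUE      0x0002u
#define IPD_KEY_CREATE_SUB_KEY 0x0004u
#define IPD_KEY_CREATE_LINK    0x0020u
/* File-specific rights */
#define IPD_FILE_READ_DATA        0x0001u
#define IPD_FILE_WRITE_DATA       0x0002u
#define IPD_FILE_APPEND_DATA      0x0004u
#define IPD_FILE_WRITE_EA         0x0010u
#define IPD_FILE_DELETE_CHILD     0x0040u
#define IPD_FILE_WRITE_ATTRIBUTES 0x0100u

enum ipd_object { IPD_OBJ_REGISTRY, IPD_OBJ_FILE };

/* Assumed protected prefixes in NT object-manager form.  A real hook sees
 * the path exactly as the caller supplied it, so it must canonicalise
 * (DOS-device aliases, short names, trailing separators) before comparing;
 * this model assumes that has already happened. */
#define IPD_SERVICES_KEY "\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services"
#define IPD_DRIVERS_DIR  "\\SystemRoot\\system32\\drivers"

/* Case-insensitive prefix match on whole path components, so that
 * "...\ServicesX" is not mistaken for "...\Services". */
static int ipd_path_under(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '\0' ||
            tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    return path[n] == '\0' || path[n] == '\\';
}

int ipd_is_protected(enum ipd_object kind, const char *path)
{
    return kind == IPD_OBJ_REGISTRY ? ipd_path_under(path, IPD_SERVICES_KEY)
                                    : ipd_path_under(path, IPD_DRIVERS_DIR);
}

/* Every bit that could let the caller modify, delete or re-own the object.
 * MAXIMUM_ALLOWED and GENERIC_ALL are included because the DACL would
 * expand them to write access for Administrators and LocalSystem. */
static ACCESS_MASK ipd_write_bits(enum ipd_object kind)
{
    ACCESS_MASK m = IPD_DELETE | IPD_WRITE_DAC | IPD_WRITE_OWNER |
                    IPD_GENERIC_ALL | IPD_GENERIC_WRITE | IPD_MAXIMUM_ALLOWED;
    if (kind == IPD_OBJ_REGISTRY)
        m |= IPD_KEY_SET_VALUE | IPD_KEY_CREATE_SUB_KEY | IPD_KEY_CREATE_LINK;
    else
        m |= IPD_FILE_WRITE_DATA | IPD_FILE_APPEND_DATA | IPD_FILE_WRITE_EA |
             IPD_FILE_DELETE_CHILD | IPD_FILE_WRITE_ATTRIBUTES;
    return m;
}

/* The announcement's grace period: the driver starts at boot but only
 * enforces 20 minutes later (timestamps in seconds, assumed). */
int ipd_engaged(uint64_t started_at, uint64_t now)
{
    return now >= started_at && now - started_at >= 20u * 60u;
}

/* The hook's decision: the DesiredAccess the original service function
 * should see.  Unprotected objects, or a driver not yet engaged, pass
 * through; protected objects lose every write bit.  A complete hook must
 * also refuse create dispositions, since creating a new key or file need
 * not request any write bit on the object being created. */
ACCESS_MASK ipd_filter_access(enum ipd_object kind, const char *path,
                              ACCESS_MASK requested, int engaged)
{
    if (!engaged || !ipd_is_protected(kind, path))
        return requested;
    return requested & ~ipd_write_bits(kind);
}

int main(void)
{
    /* Constructed sample requests, as a hook might see them. */
    struct { enum ipd_object kind; const char *path; ACCESS_MASK req; } s[] = {
        { IPD_OBJ_REGISTRY, IPD_SERVICES_KEY "\\NewDrv", IPD_KEY_SET_VALUE | IPD_KEY_QUERY_VALUE },
        { IPD_OBJ_FILE, IPD_DRIVERS_DIR "\\newdrv.sys", IPD_GENERIC_WRITE | IPD_FILE_READ_DATA },
        { IPD_OBJ_REGISTRY, "\\Registry\\Machine\\SOFTWARE\\Vendor", IPD_KEY_SET_VALUE },
    };
    int engaged = ipd_engaged(0, 20 * 60);
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-62s 0x%08x -> 0x%08x\n", s[i].path, (unsigned)s[i].req,
               (unsigned)ipd_filter_access(s[i].kind, s[i].path, s[i].req, engaged));
    return 0;
}
```

The two comments on canonicalisation and create dispositions are the points a reviewer of a real implementation would check first: the filter is only as good as the path comparison that feeds it, and a create that requests no write bits still creates.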