Tuesday, July 18, 2006

SANS Handler Review

Helios got mentioned by SANS handler Lenny Zeltser in today's Handlers Diary. His ideas about using rootkit detection for incident handling are in line with a set of features that we plan to roll out (offline analysis with live CDs and the like). You can read the diary entry here.

At MIEL Labs we're big followers of the SANS handlers diaries and would like to commend them on keeping us all up to date on the state of the 'Net.

The review states incorrectly that Helios does not detect the FuTo rootkit. It was not detected in their tests because the 'Advanced Detection' thread-level detection feature was not enabled. With this feature enabled, a hidden process is detected the moment one of its threads gets CPU time. This can be seen in any of the FuTo videos on our videos page.

Look for a new version with more features based on community feedback very soon. We'll post here when it is updated.

Saturday, July 15, 2006

Answering Concerns

First off, thanks for the feedback -- here are a few responses to questions people have raised:

1. Why .Net? - We're not big .Net fans either. If you read the whitepaper, you'll notice that we are expressly not concerned with developing the GUI. The goal is to expose a set of APIs for rootkit detection that other tools can call into. The current GUI only demonstrates this, and is written in .Net because that was the quickest way to put a GUI together. Point noted, though: we will look at developing frontends and interfaces using MFC. That said, our priority remains the core detection technology.

2. Patents - We know that nobody can patent public domain material. What you see on the website is the PUBLIC RELEASE of Helios. There are indigenously developed, unique techniques that are not in the public release. These will be made available as soon as we decide on our strategy for product development.

3. Open-source – quoting from our FAQ:
“If it wasn't for the community and sites like rootkit.com, the following statements would be true:
1. The antivirus companies would be far behind with this technology
2. The hacker underground would be even further ahead with this technology
3. The antivirus companies would be happy because we wouldn't know what they're not catching.
We could not have built Helios without the help of this community of brilliant people.”
There is a definite roadmap to open-sourcing parts of the product. We firmly believe that you can only use a security product when you can see what happens under the hood.

4. Detection - We know there are techniques out there that we have not dealt with in the alpha. If you point us to something we don't detect, we'll try to get it in. Rootkit technology is an extremely vast area; there's lots of ground to cover.

5. Inoculation - Once again from the whitepaper: we agree that if code actually does execute, it's game over. Detection after the fact is the less desirable outcome. If you are able to get your code into the kernel while Helios' inoculation features are turned on, we'd be concerned. :) If a kit is installed before the security software, it has free rein over the system. Our energies are being spent trying to prevent this from happening.

6. Features - Background scanning is, in our opinion, critical. There is no point in having to run a tool AFTER the damage has been done (see point 5). We believe this is a significant advantage over on-demand scanners. We also have application integrity checking (which we haven't seen in other public tools), inoculation features for NTFS alternate data streams (ADS), physical memory blocking, driver loading protection, and file and folder access control. We added these features because we felt they were missing in other tools.

Summing up - Once we get the APIs into a decent shape, you can add rootkit detection to ANY product you want (HIDS / HIPS / AV / etc). This ability should benefit the security community as a whole. We built this for the community and will make every possible effort to incorporate the features you want.

Check back often, we will be updating regularly.

Diggin'

Looks like someone was kind enough to submit us to Digg.

If you like what you see, Digg us!

Thursday, July 06, 2006

Helios Videos

These videos will demonstrate the features of Helios and pit them against both the latest malware and anti-virus products. If you have any questions about the videos, we'd be happy to answer them.

You can choose either to stream the videos or download them for viewing offline (the downloadable files are also smaller):

Detecting processes hidden using function hooks
In this video we demonstrate the detection and removal of kernel-level function hooks.
[stream] [download]

Detecting processes hidden using FuTo (handle table DKOM)
Thread-level detection of processes hidden using the advanced FuTo rootkit.
[stream] [download]

Helios vs. antivirus against an undetectable FuTo
A video comparing Helios to popular antivirus products and showing the advantages of behavioral analysis over signature-based analysis.
[stream] [download]

Helios' inoculation features vs. malware
A video demonstrating one of Helios' inoculation features to prevent rootkits from installing.
[stream] [download]

The Helios Application Protection feature (email stealing)
Demonstrates Helios' application integrity checking against an email interception rootkit.
[stream] [download]

Helios' inoculation features
An overview of Helios' powerful inoculation components that prevent rootkit installation.
[stream] [download]

Helios detecting detour function hooks (in-line hooking)
The detection and removal of in-line function hooks used by modern rootkits.
[stream] [download]

Note: If you choose to download the videos, you will need an SWF player to view them.

As more videos are completed, links will be created here so check back often to see new features in action.
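The last video covers detour (in-line) hooks, where the rootkit overwrites the first instruction(s) of a function with a jump into its own code. The following is an added example, not code from Helios or MIEL Labs, showing the two checks a detector performs on a function prologue: recognise the common 32-bit x86 detour patterns and resolve where they jump to, and compare the live bytes with a clean copy of the same function. The byte buffers, the virtual address 0x7C810000 and the function names are constructed for illustration; the same logic applies to user-mode DLL exports and to kernel functions alike.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Detour families commonly planted at a function's first instruction on 32-bit x86. */
enum hook_kind {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,        /* E9 rel32          jmp target                */
    HOOK_JMP_ABS_INDIRECT, /* FF 25 disp32      jmp dword ptr [slot]      */
    HOOK_PUSH_RET,         /* 68 imm32 C3       push target ; ret         */
    HOOK_MOV_JMP_EAX       /* B8 imm32 FF E0    mov eax,target ; jmp eax  */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the first bytes of the function whose first byte lives at virtual
 * address `va`. On a hit, *target receives the resolved destination (for the
 * indirect form: the address of the pointer slot, since its contents are not
 * in the buffer). `target` may be NULL. */
enum hook_kind classify_prologue(const uint8_t *code, size_t len, uint32_t va, uint32_t *target)
{
    uint32_t t = 0;
    enum hook_kind k = HOOK_NONE;

    if (len >= 5 && code[0] == 0xE9) {
        t = va + 5u + le32(code + 1);   /* rel32 is relative to the next instruction; wraps mod 2^32 */
        k = HOOK_JMP_REL32;
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        t = le32(code + 2);
        k = HOOK_JMP_ABS_INDIRECT;
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        t = le32(code + 1);
        k = HOOK_PUSH_RET;
    } else if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) {
        t = le32(code + 1);
        k = HOOK_MOV_JMP_EAX;
    }
    if (target) *target = t;
    return k;
}

/* Convenience wrapper: the detour destination, or 0 when no detour is recognised. */
uint32_t detour_target(const uint8_t *code, size_t len, uint32_t va)
{
    uint32_t t;
    classify_prologue(code, len, va, &t);
    return t;
}

/* Second, stronger check: compare the live bytes with a clean copy of the same
 * function (read from the on-disk image and relocated). Returns the offset of the
 * first differing byte, or -1 if the two agree. This also catches a detour placed
 * a few instructions into the function, which the opcode heuristic above misses. */
int first_patched_byte(const uint8_t *live, const uint8_t *clean, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (live[i] != clean[i]) return (int)i;
    return -1;
}

/* Constructed samples (not captured from a real system). The clean prologue is the
 * hot-patchable "mov edi,edi / push ebp / mov ebp,esp" used by Windows XP SP2 system DLLs. */
const uint32_t SAMPLE_VA = 0x7C810000u;
const uint8_t SAMPLE_CLEAN[]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
const uint8_t SAMPLE_JMP[]     = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x83, 0xEC, 0x10 }; /* jmp +0x1000 */
const uint8_t SAMPLE_PUSHRET[] = { 0x68, 0x00, 0x00, 0x00, 0x10, 0xC3, 0xEC, 0x10 }; /* push 0x10000000 ; ret */
const uint8_t SAMPLE_MOVJMP[]  = { 0xB8, 0x78, 0x56, 0x34, 0x12, 0xFF, 0xE0, 0x10 }; /* mov eax,0x12345678 ; jmp eax */

int main(void)
{
    const uint8_t *samples[] = { SAMPLE_CLEAN, SAMPLE_JMP, SAMPLE_PUSHRET, SAMPLE_MOVJMP };
    const char *names[] = { "clean", "jmp rel32", "push/ret", "mov/jmp eax" };
    for (size_t i = 0; i < 4; i++) {
        uint32_t t;
        enum hook_kind k = classify_prologue(samples[i], 8, SAMPLE_VA, &t);
        int off = first_patched_byte(samples[i], SAMPLE_CLEAN, 8);
        printf("%-12s kind=%d target=0x%08X first_patched_byte=%d\n", names[i], (int)k, t, off);
    }
    return 0;
}
```

Two caveats a practitioner will want. The `mov edi,edi` prologue exists precisely so that Microsoft's own hot-patching can plant a short jump there, so a differing first byte is evidence, not proof; the decisive question is whether the resolved target lies outside the image that owns the function. And the clean copy must come from the file on disk after applying relocations, otherwise every relocated absolute address in the function body will show up as a false "patch".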

Download Helios

The public version of Helios and Helios Lite are now available for download. We recommend that you download and use Helios Lite as it contains significantly enhanced detection features. These features will soon be incorporated into the complete Helios package.

The recommended minimum requirements are:
  • Windows XP Service Pack 2
  • 512 MB RAM (256 MB for Helios Lite)
  • 1 GHz or higher processor (no requirement for Helios Lite)
Helios requires the Microsoft .Net Framework 2.0 to be installed. Helios Lite does not need to be installed; it can be run by double-clicking the executable file.

By downloading Helios you agree to the following agreement:

Software downloaded from MIEL e-Security's web site is provided 'as is' without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of fitness for a purpose, or the warranty of non-infringement. Without limiting the foregoing, MIEL e-Security makes no warranty that:

1. the software will meet your requirements
2. the software will be uninterrupted, timely, secure or error-free
3. the results that may be obtained from the use of the software will be effective, accurate or reliable
4. the quality of the software will meet your expectations
5. any errors in the software obtained from MIEL e-Security web site will be corrected.

Software and its documentation made available on MIEL e-Security's web site:

6. could include technical or other mistakes, inaccuracies or typographical errors. MIEL e-Security may make changes to the software or documentation made available on its web site.
7. may be out of date, and MIEL e-Security makes no commitment to update such materials.

MIEL e-Security assumes no responsibility for errors or omissions in the software or documentation available from its web site.

In no event shall MIEL e-Security be liable to you or any third parties for any special, punitive, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including, without limitation, those resulting from loss of use, data or profits, whether or not MIEL e-Security has been advised of the possibility of such damages, and on any theory of liability, arising out of or in connection with the use of this software.

The use of the software downloaded through the MIEL e-Security site is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities. No advice or information, whether oral or written, obtained by you from MIEL e-Security or from MIEL e-Security's web site shall create any warranty for the software.

The latest version of Helios can always be found at the following URL:
http://helios.miel-labs.org/downloads/Helios.zip

The latest version of Helios Lite can always be found at the following URL:
http://helios.miel-labs.com/downloads/Helios-Lite.zip

Looking forward to your feedback

Technical Papers

We intend to post papers on rootkits, malware, operating system components and any other interesting things that we run into in this section. We plan to update it regularly with newer papers describing the techniques used in Helios.

  1. Hidden Process Detection using the PspCidTable
    This paper describes how the PspCidTable, a handle table in the Windows kernel, can be parsed to obtain information about the processes running on the system. This process list could be used for a cross-view scan of the system to find hidden processes.

  2. Detection of Rootkits in the File System
    This paper contains a description of the structures used to parse the NTFS file system and how a cross-view scan of the entire hard disk could be performed to detect rootkits.

  3. Detection of Rootkits in the Windows Registry
    This paper contains a description of the structures used to parse the Windows registry and how they can be used in cross-view detection of rootkits.

  4. Helios Technology Whitepaper
    This paper contains a description of some of the most common techniques used by rootkits to hide their presence on the system and some of the methods that could be used to detect them.
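Papers 1 to 3 all rest on the same cross-view idea: enumerate the same objects from two vantage points (a high-level API the rootkit can filter, and a low-level walk of a kernel structure such as the PspCidTable, the raw NTFS volume or the raw registry hive) and report whatever appears only in the low-level view. The following is an added example, not code from Helios or the papers, showing that comparison for process IDs together with the race it has to handle: a process that exits between the two snapshots also appears only in the low-level view. The PID lists are constructed; the low-level list stands in for what a PspCidTable walk would return.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PROCS 64

/* One snapshot of the process list taken from a single vantage point. */
struct proc_view {
    size_t   count;
    uint32_t pids[MAX_PROCS];
};

static int view_contains(const struct proc_view *v, uint32_t pid)
{
    for (size_t i = 0; i < v->count; i++)
        if (v->pids[i] == pid)
            return 1;
    return 0;
}

/* Single-pass cross-view: every PID the low-level walk found that the
 * high-level API did not report. Writes up to `max` PIDs to `out` (when
 * non-NULL) and returns the total number of hidden PIDs. */
size_t cross_view_hidden(const struct proc_view *high, const struct proc_view *low,
                         uint32_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < low->count; i++) {
        if (view_contains(high, low->pids[i]))
            continue;
        if (out && n < max)
            out[n] = low->pids[i];
        n++;
    }
    return n;
}

/* Two-pass cross-view. A process that exits between the low-level and the
 * high-level snapshot looks "hidden" in a single pass. Requiring a PID to be
 * hidden in two passes taken some time apart removes that false positive
 * while still catching a process that is persistently filtered out. */
size_t cross_view_hidden_stable(const struct proc_view *high1, const struct proc_view *low1,
                                const struct proc_view *high2, const struct proc_view *low2,
                                uint32_t *out, size_t max)
{
    uint32_t pass1[MAX_PROCS], pass2[MAX_PROCS];
    size_t n1 = cross_view_hidden(high1, low1, pass1, MAX_PROCS);
    size_t n2 = cross_view_hidden(high2, low2, pass2, MAX_PROCS);
    if (n1 > MAX_PROCS) n1 = MAX_PROCS;
    if (n2 > MAX_PROCS) n2 = MAX_PROCS;
    size_t n = 0;
    for (size_t i = 0; i < n1; i++) {
        for (size_t j = 0; j < n2; j++) {
            if (pass1[i] == pass2[j]) {
                if (out && n < max) out[n] = pass1[i];
                n++;
                break;
            }
        }
    }
    return n;
}

/* Constructed scenario (not captured from a real system).
 * PID 1388 is filtered out of the high-level view in both passes: hidden.
 * PID 1500 exited between the two snapshots of pass 1: a race, not a rootkit.
 * PID 1612 started before pass 2 and is visible in both views. */
const struct proc_view HIGH_1 = { 4, { 4, 368, 592, 1024 } };
const struct proc_view LOW_1  = { 6, { 4, 368, 592, 1024, 1388, 1500 } };
const struct proc_view HIGH_2 = { 5, { 4, 368, 592, 1024, 1612 } };
const struct proc_view LOW_2  = { 6, { 4, 368, 592, 1024, 1388, 1612 } };

/* First PID reported by the two-pass scan on the scenario above, or 0 if none. */
uint32_t demo_first_stable_hidden(void)
{
    uint32_t out[MAX_PROCS];
    size_t n = cross_view_hidden_stable(&HIGH_1, &LOW_1, &HIGH_2, &LOW_2, out, MAX_PROCS);
    return n ? out[0] : 0;
}

int main(void)
{
    uint32_t out[MAX_PROCS];
    size_t n = cross_view_hidden(&HIGH_1, &LOW_1, out, MAX_PROCS);
    printf("single pass: %zu candidate(s):", n);
    for (size_t i = 0; i < n; i++) printf(" %u", out[i]);
    printf("\n");
    n = cross_view_hidden_stable(&HIGH_1, &LOW_1, &HIGH_2, &LOW_2, out, MAX_PROCS);
    printf("two passes : %zu hidden process(es):", n);
    for (size_t i = 0; i < n; i++) printf(" %u", out[i]);
    printf("\n");
    return 0;
}
```

The same diff, with file paths or registry key paths in place of PIDs, is the file-system and registry cross-view of papers 2 and 3. The quality of the result depends entirely on the low-level view: if the rootkit has also unlinked itself from the structure being walked (the point of DKOM kits such as FuTo), the two views agree and the scan reports nothing, which is why a detector wants several independent low-level views rather than one.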