Bugtraq mailing list archives

Proposal for protection from windows rootkit drivers


From: ipd () PEDESTALSOFTWARE COM (IPD)
Date: Wed, 7 Jun 2000 09:41:39 -0400


Name: Integrity Protection Driver (IPD)
Version: 1.0 - First Release
Purpose: Prevent installation of rootkit device drivers on NT/2000
License: Open Source

Summary
-------
The most effective rootkits are designed as device drivers because they
provide the greatest control over the operating system for the purpose
of hiding trojans, DDoS tools, and altered data from change detection
applications such as Intact and Tripwire. Since they operate in kernel
space they have full rein over virtually all system functions.

One solution is to stop such drivers from being installed in the first
place. We propose our own device driver that is designed specifically
to block the installation of new drivers even if you have
Administrator or LocalSystem credentials.

We are calling our driver the Integrity Protection Driver (IPD).

Integrity Protection Driver (IPD)
---------------------------------
The IPD is an Open Source device driver designed to prohibit the
installation of new services and drivers and to protect existing
drivers from tampering. It installs on Windows NT and Windows 2000
computers.

Updated information, source and binaries may be found at:

      http://www.pedestalsoftware.com/

What It Does
------------
The IPD uses undocumented service function hooking to alter the access
mask on driver-related registry keys and files to be read-only no matter
what account is requesting access. This effectively prohibits the
Service Control Manager or user applications from changing, adding or
deleting service and driver keys and values in the registry, and from
adding to or replacing existing driver binaries in the
%SystemRoot%\system32\drivers directory.
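The access-mask rewrite described above, modelled in user-mode C as an added example (it is not the IPD source, which is not on this page): the decision a hook inside the NT open/create system services would apply to each request. The two native path spellings, the `obj_kind` enum and the function names are assumptions; the right-bit values are the documented winnt.h constants.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t ACCESS_MASK;
enum obj_kind { OBJ_REGKEY, OBJ_FILE };
/* Documented winnt.h right bits, redefined so this builds without Windows headers. */
enum { DELETE_RIGHT = 0x00010000, WRITE_DAC_RIGHT = 0x00040000, WRITE_OWNER_RIGHT = 0x00080000,
       MAXIMUM_ALLOWED = 0x02000000, GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000 };
/* Object-specific bits overlap between keys and files, so the strip mask depends on the kind. */
enum { KEY_SET_VALUE = 0x0002, KEY_CREATE_SUB_KEY = 0x0004, KEY_CREATE_LINK = 0x0020 };
enum { FILE_WRITE_DATA = 0x0002, FILE_APPEND_DATA = 0x0004, FILE_WRITE_EA = 0x0010,
       FILE_DELETE_CHILD = 0x0040, FILE_WRITE_ATTRIBUTES = 0x0100 };
/* Native spellings (assumed) of the locations the post protects. A real hook must
 * also match the ControlSet00N key that CurrentControlSet is a link to. */
static const char *const kProtected[] = {
    "\\Registry\\Machine\\System\\CurrentControlSet\\Services",
    "\\SystemRoot\\System32\\drivers",
};
/* Case-insensitive prefix match that stops on a component boundary, so
 * "\SystemRoot\System32\drivers2" is not mistaken for the drivers directory. */
static bool has_prefix(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return false;
    return path[n] == '\0' || path[n] == '\\';
}

bool is_protected(const char *path) {
    for (size_t i = 0; i < sizeof kProtected / sizeof kProtected[0]; i++)
        if (has_prefix(path, kProtected[i])) return true;
    return false;
}
/* Bits that let a handle modify, replace or delete the object. MAXIMUM_ALLOWED and
 * GENERIC_* are stripped too: the object manager expands them after the hook has run. */
static ACCESS_MASK write_bits(enum obj_kind kind) {
    ACCESS_MASK m = DELETE_RIGHT | WRITE_DAC_RIGHT | WRITE_OWNER_RIGHT |
                    MAXIMUM_ALLOWED | GENERIC_ALL | GENERIC_WRITE;
    if (kind == OBJ_REGKEY) return m | KEY_SET_VALUE | KEY_CREATE_SUB_KEY | KEY_CREATE_LINK;
    return m | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | FILE_DELETE_CHILD | FILE_WRITE_ATTRIBUTES;
}
/* The hook's rewrite: under a protected path every caller, Administrator or LocalSystem
 * included, keeps at most read access; elsewhere the request passes untouched. A later
 * NtSetValueKey or NtWriteFile on that handle fails the ordinary handle-rights check. */
ACCESS_MASK filter_access(enum obj_kind kind, const char *path, ACCESS_MASK desired) {
    return is_protected(path) ? (desired & ~write_bits(kind)) : desired;
}
```

Creating a new key or file is authorised against the parent's ACL rather than the returned handle, so the create services need a second rule that refuses creation under a protected path outright; the mask rewrite alone only covers opens of objects that already exist.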

Is there a way to circumvent the IPD?
-------------------------------------
If there is a mechanism to load and execute a device driver without
using Service Control Manager functions and without the need to write to
the Services portion of the registry, then there may be a way to
circumvent the IPD. We are not aware of any mechanism to do this.
However, if one is discovered the IPD could be amended to hook and
alter the functions used.

What's Included
---------------
The distribution includes the following files:

  ipd.sys         -- the compiled device driver for x86 based computers
  ipdinstall.exe  -- the installation/removal program
  readme          -- readme file
  driver/*        -- source files

Installation
------------
To install the IPD device driver, unzip all files into a directory.
Execute the ipdinstall.exe program to install and start the driver:

        ipdinstall.exe install

The driver is installed for "automatic" startup, which means it will
automatically start at system boot. The driver engages, or begins
protecting, 20 minutes after it has started.

IMPORTANT:

* Once the Driver is started it may not be stopped.

* Once the Driver is engaged it may not be removed. Even if the
appropriate Service Control Manager function call marks the driver for
deletion, the driver will still not be removed.

Removal
-------
YOU MUST REMOVE THE IPD DEVICE DRIVER WITHIN 20 MINUTES OF STARTUP, AND
THEN REBOOT THE SYSTEM. If the driver has already engaged then you will
have to reboot and remove it within 20 minutes of boot up.

The remove command is:

        ipdinstall.exe remove

Support
-------
There is no support. New versions can be found at
http://www.pedestalsoftware.com. Bug reports should be sent to
bugs () pedestalsoftware com.

References
----------
Undocumented Windows NT by Dabak, Phadke and Borate, M&T Books, 1999.
Microsoft Windows DDK.

Copyright and Grant of Use
--------------------------
The IPD is Open Source, please see the web site for details.

Who is Pedestal Software?
-------------------------
Pedestal Software is based near Boston, MA, and has been providing
security software since 1996. Its founders come from the financial
services and banking industries where security and system integrity
are top priorities.

On the web: http://www.pedestalsoftware.com
email:      support () pedestalsoftware com
