Linux Rootkit - PowerPoint PPT Presentation

Slides: 23
Provided by: Tim64
Transcript and Presenter's Notes


1
Linux Rootkit
??? <tim_hsu_at_issdu.com.tw>
March 2005
2
Table of contents
  • What is Rootkit
  • Rootkit feature
  • Application/Kernel Rootkit
  • To detect Rootkit

3
Rootkit
  • root = administrator = super-user
  • Installed after the attacker gains super-user
    access.
  • To hide their presence
  • Provide backdoors for easy re-entry

4
Rootkit Feature
  • Backdoor
    • Full control without any logs
  • Hidden
    • Self
    • Process
    • Files/Directories
    • Logs
  • Sniffit

5
Application Rootkit
  • Widely used
  • Trojaned system files
  • Programs replaced to hide presence
    • Hide files or directories
      • ls, find, du, locate
    • Hide processes
      • ps, pstree
    • Hide network connections
      • netstat
    • Hide sniffit (PROMISC mode)
      • ifconfig

6
Application Rootkit
  • Program with backdoor
    • Any SUID program possible
      • passwd, chsh, chfn
    • For authentication
      • login, PAM library
  • Network daemons with backdoor
    • Any daemon possible
      • sshd, telnetd, ftpd, smbd, rpc.mountd

7
Application Rootkit
  • Sniffit
    • All network clients possible
      • telnet, ftp, ssh, scp
    • Install sniffit program
      • linsniffer, sniffit

8
Application Rootkit
  • Others
    • To revise file timestamp and checksum
      • fix
    • To erase entries from utmp/wtmp/lastlog
      • zap, z2, wted
    • To bind a rootshell to a port (31337 by default)
      • bindshell

9
Kernel Rootkit
  • Powerful and less detectable
  • Loaded Kernel Module
  • Modify kernel on-the-fly

10
Loaded Kernel Module
[Diagram: a loadable MODULE plugged into the Core Kernel alongside the NET, FS, MM and DRIVER subsystems, which sit above the HARDWARE]
11
System Call Flow
12
Kernel Rootkit Feature
  • Execution redirection
  • Hide files and directories
  • Hide file/directory contents
  • Hide module and symbols
  • Hide processes
  • Hide network connections
  • Hide sniffit
  • Bypass permission protection
  • TTY hijacking
  • Remote control or logging

13
Loaded Kernel Module
  • Most popular method
  • Infect an existing 'trusted' kernel module
  • Replace system call model
  • Manipulate 'Virtual File System'
  • Example: Knark, Adore, Adore-ng

14
Modify kernel on-the-fly
  • NOT requiring LKM feature support
  • Install via /dev/kmem
  • Example: SuckIT

15
How to detect
  • Something wrong
    • Segmentation faults
    • High load
    • Unexpected reboot
  • /bin/ls -alc
  • /usr/bin/lsattr
    • lists file attributes on a Linux ext2/ext3 file
      system
  • /bin/rpm -Va
  • nmap

16
Scan tools for rootkits
  • Tripwire
    • http://www.tripwire.org
  • Chkrootkit
    • http://www.chkrootkit.org
  • Rkhunter
    • http://www.rootkit.nl

17
Scan Technique
  • Integrity
    • Tripwire, AIDE, Samhain, RPM
  • Signature
    • Chkrootkit, Rkhunter
  • Dynamic analysis
    • St Michael, AIRT, Execution path analysis
  • Static analysis
    • Kstat, Kmodscan

18
Enhanced Rootkit
19
Ideal rootkit
  • Install/Setup interface
    • Application rootkits and kernel rootkit
  • CGI backdoor
  • Reverse-connected backdoor
  • Complete documents
    • README, Changelog, FAQ
  • Report via email
  • Example: ZK rootkit, Superkit

20
More features
  • Sniffit more
    • Keystrokes, IRC, Mail
  • /dev/kmem lie
  • ELF encryption by the burneye tool
  • Add-ons
    • Scan tools
    • Brute force tools
    • Exploits
  • Infected by virus (RST)

21
Questions?
22
Thank You END