Module 2: Rootkits & Post-Intrusion Concealment
Highline Community College, Seattle University, University of Washington, in conjunction with the National Science Foundation



Objectives

What are rootkits?
How do attackers use them?
How do you defend against them?
How can you identify them?

Rootkits Defined

A set of tools used by an attacker that allow them to conceal their presence and maintain control of the operating system without the administrator being aware.

Concealment using "Rootkits"

Replacement of operating system commands or system calls

Two fundamental types
• Application (User) Level
• Kernel Level

Configuration file(s) to control hiding
Often simple to identify/bypass, but can be very difficult to detect/disable

http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

Application Level Rootkits

The original rootkits developed for UNIX systems

Many rootkit components are simply “Trojan Horses”
• Hackers modify common commands such as ls, ps, netstat so that they perform other things in addition to their intended function

Special program to hide application windows (Windows)

Kernel Level Rootkits

Loadable Kernel Modules (LKMs)
• Loadable kernel modules are used by UNIX flavors (e.g., Linux, FreeBSD, and Solaris) to interface with hardware and other data

Kernel level hooks to system calls (e.g., function call table modification)

No replacement of operating system external command programs

Programs hidden from Task Manager and Explorer (Windows)

Can fool "tripwire" style integrity checks
Much harder to detect

Longevity of Rootkits

Memory based rootkits exist only in RAM and disappear after a reboot
• No visible footprint in file system
• Requires live system analysis (may be very difficult to detect)

Persistent rootkits stay alive even after a reboot
• Require modifying startup files (Unix), Startup Folder (Windows) or Registry Keys (Windows)
• Easier to find, but may require static (dead) analysis of file system

Rootkit Example

Scan of the Month #15 (2001)
http://project.honeynet.org/scans/scan15/som/som6.txt

Following is a step-by-step description of the installation process, as determined by the 'last/install' file:
a) it instructs the shell to stop logging the script's commands.
b) it checks to see if certain files are on the system (make, gcc, sshd). The positive or negative results do not affect the installation.
c) it completely replaces:
   * /sbin/ifconfig
   * /bin/netstat
   …

Rootkit Example (cont)

c) it completely replaces:
   …
   * /bin/ps
   * /usr/bin/top
   with its own binaries. Please note that these are precompiled binaries, which means that the time and footprint to install is significantly reduced compared to a kit which compiles sources.
d) it creates two files, with the following purpose:
   * /dev/rpm - which lists process names to exclude from ps and top.
   * /dev/last - which lists subnets and ports to exclude from netstat.

These are similar to a rootkit described here: http://www.sans.org/y2k/013101-1000.htm

Rootkit Example (obfuscated)

Scan of the Month #16 (2001)
Contents of unknown file

0000000: a499 9693 9aa2 f599 9691 9bc2 d09b 9a89 ......õ....ÂÐ...
0000010: d08f 8b8c d0cf ced0 9d96 91d0 9996 919b Ð...ÐÏÎÐ...Ð....
0000020: f59b 8ac2 d09b 9a89 d08f 8b8c d0cf ced0 õ..ÂÐ...Ð...ÐÏÎÐ
0000030: 9d96 91d0 9b8a f593 8cc2 d09b 9a89 d08f ...Ð..õ..ÂÐ...Ð.
0000040: 8b8c d0cf ced0 9d96 91d0 938c f599 9693 ..ÐÏÎÐ...Ð..õ...
0000050: 9aa0 9996 938b 9a8d 8cc2 cfce d393 9d93 .........ÂÏÎÓ...
0000060: 969d 8f8c d18c 90d3 8c91 d193 d38f 8d90 ....Ñ..Ó..Ñ.Ó...
0000070: 92d3 9c93 9a9e 919a 8dd3 9b90 8cd3 8a9c .Ó.......Ó...Ó..
0000080: 9091 99d1 9691 89d3 8f8c 9d91 9cd3 938f ...Ñ...Ó.....Ó..
0000090: 9e9c 9c8b d3aa acba adf5 f5a4 8f8c a2f5 ....Óª.º.õõ....õ
00000a0: 8f8c c2d0 9b9a 89d0 8f8b 8cd0 cfce d09d ..ÂÐ...Ð...ÐÏÎÐ.
00000b0: 9691 d08f 8c8d f58f 8ca0 9996 938b 9a8d ..Ð...õ.........
00000c0: 8cc2 938f 8ed3 938f 8c9c 979a 9bd3 8c97 .Â...Ó.......Ó..
00000d0: ce8b d38f 8c8d d38c 8c97 9bcd d393 8f8c Î.Ó...Ó....ÍÓ...
00000e0: 9a8b d393 8f9e 9c9c 8bd3 9d91 9c93 8fd3 ..Ó......Ó.....Ó
00000f0: 938f 8c86 8cf5 938c 9099 a099 9693 8b9a .....õ..........
0000100: 8d8c c293 8fd3 8a9c 9091 99d1 9691 89d3 ..Â..Ó.....Ñ...Ó
. . .

Rootkit Example (de-obfuscated)

Scan of the Month #16 (2001)
http://project.honeynet.org/scans/scan16/som/som30.txt

[file]
find=/usr/man/man1/xxxxxxbin/find
du=/usr/man/man1/xxxxxxbin/du
ls=/usr/local/bin/ls.gnu
file_filters=xxxxxx,yyyyyy,aaaaaa,mmmmmmmmm

[ps]
ps=/usr/man/man1/xxxxxxbin/ps
ps_filters=nedit,bash
. . .

Rootkit Example (de-obfuscated) (cont)

. . .
[netstat]
netstat=/usr/man/man1/xxxxxxbin/netstat
net_filters=innu.org

[login]
su_pass=h4x0r
su_loc=/usr/man/man1/xxxxxxbin/su
ping=/usr/man/man1/xxxxxxbin/ping
passwd=/usr/man/man1/xxxxxxbin/passwd
shell=/usr/man/man1/xxxxxxbin/bash

Concealment using LKMs

Example: "Omerta" in "The Hacker's Challenge"
http://www.osborne.com/pressroom/0072193840_press.shtml

Example: SucKIT
• Advances in Kernel Hacking
  http://www.phrack.org/phrack/58/p58-0x06
• Linux on-the-fly kernel patching without LKM
  http://www.phrack.org/phrack/58/p58-0x07
• Linux x86 kernel function hooking emulation
  http://www.phrack.org/phrack/58/p58-0x08

LKM Example: Adore

Excerpt from "Omerta" analysis

-----------------------------------------------------------------------------
# diff rc.local /etc/rc.d/rc.local
36d35
< /usr/sbin/initd
-----------------------------------------------------------------------------
The file "initd" is the method used to load the kernel module, and to start the bindshell process, on each boot:
-----------------------------------------------------------------------------
#!/bin/sh
# automatic install script to load kernel modules for ipv6 support.
# do not edit the file directly.
/sbin/insmod -f /lib/modules/2.2.16-3/net/ipv6.o >/dev/null 2>/dev/null
/usr/sbin/rpc.status
-----------------------------------------------------------------------------
. . .

LKM Example: Adore (cont)

. . .
-----------------------------------------------------------------------------
The file "rpc.status" contains strings that indicate it is a remote access shell of some sort:
-----------------------------------------------------------------------------
. . .
leeto bindshell.
Enter valid IPX address:
gdb
(nfsiod)
socket
bind
listen
accept
/bin/sh
/dev/null
. . .
-----------------------------------------------------------------------------

Excerpt from "Omerta" analysis

Example: SucKIT

From the README

SucKIT v1.3a, (c) 2002 by sd <[email protected]> & devik <[email protected]>
+-------------------------------------------------------------+
Code:      by sd, with a lot of help from devik <[email protected]>
Concepts:  by Silvio Cesare - /dev/kmem, devik - kmalloc & IDT
           http://phrack.org/p58/phrack-09
Tested:    by hundreds of script kiddos around the globe :)
Targets:   i386-Linux boxen, kernels 2.2.x, 2.4.x without security patches/modules.
Downloads: http://sd.g-art.nl/sk

. . .

Example: SucKIT (cont)

From the README

. . .

The SucKIT is easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through /dev/kmem trick, without help of LKM support nor System.map or such things. Everything is done on the fly. It can hide PIDs, files, tcp/udp/raw sockets, sniff TTYs. Next, it have integrated TTY shell access (xor+sha1) which can be invoked through any running service on a server. No compiling on target box needed, one binary can work on any of 2.2.x & 2.4.x kernels precompiled (libc-free)

Example: SucKIT sniffer log
.sniffer output

root@moon's password: fr8!rain

ssh adonis :

root@adonis's password: f93Dk;-w

ssh -l victim bashful :

The authenticity of host 'bashful (192.168.0.89)' can't be established.

DSA key fingerprint is c5:92:c5:4f:3b:51:8b:51:3a:0c:6d:aa:d5:56:8c:fe.

Are you sure you want to continue connecting (yes/no)? Warning: Permanently added 'bashful,192.168.0.89' (DSA) to the list of known hosts.

victim@bashful's password: t8erTots

. . .

Example: SucKIT sniffer (cont)

. . .

ssh -l victim ida :

The authenticity of host 'ida (192.168.0.56)' can't be established.

DSA key fingerprint is 17:da:11:28:ea:43:a4:a6:ed:84:4f:43:b5:a2:43:1f.

Are you sure you want to continue connecting (yes/no)? Warning: Permanently added 'ida,192.168.0.56' (DSA) to the list of known hosts.

victim@ida's password: t8erTots

ssh metate :

root@metate's password: fr8!rain

ssh adonis :

root@adonis's password: f93Dk;-w

ssh incubus :

ssh_exchange_identification: Connection closed by remote host

ssh adonis :

root@adonis's password: f93Dk;-w

Something is Wrong

Something doesn’t “feel or look” right to the sysadmin

Compare internal view vs. external view
• netstat/lsof (Unix) or FPort (Windows) vs. Nmap

Trust very little without proof and second sources of info (best is external to suspect system)

On initial installation, get MD5/SHA1 hash value of each file
• Compare later
• Or get from hash index site
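The internal-versus-external comparison above is mechanical enough to script. The following is an added example, not from the slides: it parses constructed `netstat -tln` output captured on the suspect host and constructed `nmap` output from a trusted machine, then reports TCP ports that answer from outside but are absent from the host's own listener list. A user-level rootkit that filters `netstat` (as the SotM #15 kit does with its /dev/last exclusion file) or a kernel-level one that hides a socket shows up as exactly this kind of discrepancy. Hostnames, addresses and port numbers in the samples are made up.

```python
import re
from typing import List, Set

# Constructed `netstat -tln` as seen on the suspect host (inside view).
NETSTAT_INSIDE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

# Constructed `nmap -sT -p- 192.0.2.10` run from a separate, trusted host (outside view).
NMAP_OUTSIDE = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2001-05-02 10:14 PDT
Nmap scan report for suspect.example.test (192.0.2.10)
Host is up (0.00021s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
31337/tcp open  Elite
"""

# "tcp"/"tcp6", two queue counters, local address ending in ":port", foreign address, LISTEN.
NETSTAT_LISTENER = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\b")
# "22/tcp    open  ssh"
NMAP_OPEN = re.compile(r"^(\d+)/tcp\s+open\b")


def listening_tcp_ports(netstat_text: str) -> Set[int]:
    """TCP ports the host itself claims to be listening on."""
    ports: Set[int] = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTENER.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def open_tcp_ports(nmap_text: str) -> Set[int]:
    """TCP ports an external scanner found open."""
    ports: Set[int] = set()
    for line in nmap_text.splitlines():
        m = NMAP_OPEN.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def unexplained_ports(inside: str, outside: str) -> List[int]:
    """Ports reachable from outside that the host does not admit to listening on.

    Ports that appear only inside (e.g. 127.0.0.1-bound or firewalled services)
    are not suspicious by themselves, so the difference is taken in one direction.
    """
    return sorted(open_tcp_ports(outside) - listening_tcp_ports(inside))


if __name__ == "__main__":
    hidden = unexplained_ports(NETSTAT_INSIDE, NMAP_OUTSIDE)
    if hidden:
        print("Open from outside but not reported by the host:", hidden)
    else:
        print("Inside and outside views agree.")
```

Two caveats when using this on a real host: the scan must run from a machine you trust, since the suspect's own tools are the thing in question, and a port forwarded by a firewall or NAT device in front of the host will also appear as "unexplained" and has to be ruled out by hand.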

How to Detect

Keep a close eye on your system (e.g., file fingerprinting, centralized system logging)

Notice unusual traffic with IDS, etc.
Notice unusual ports being used (this could also be botnet activity)
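"File fingerprinting" here, and the "get a hash of each file on installation, compare later" advice on the previous slide, amount to a baseline-and-diff over the file tree. The code below is an added example, not from the slides or any tool named on them: it builds a baseline of digests for every regular file under a root, compares a later snapshot against it, and classifies each difference as modified, added or removed. The slides name MD5/SHA1; the example uses SHA-256 via `hashlib`, and the `demo()` function constructs a throw-away directory that plays the part of a trojaned `/bin` plus a dropped `/dev/rpm` hiding list, as in the SotM #15 kit.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so a link pointing outside the tree is not hashed as content.
    """
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two snapshots."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake bin/ tree, then simulate a rootkit install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "dev").mkdir()
        for name in ("ps", "netstat", "ls"):
            (root / "bin" / name).write_bytes(b"#!/bin/sh\necho original %s\n" % name.encode())
        baseline = build_baseline(root)          # taken at install time, stored off-host

        # Simulated post-intrusion state: replaced binary, new hiding list, deleted tool.
        (root / "bin" / "netstat").write_bytes(b"#!/bin/sh\necho replaced\n")
        (root / "dev" / "rpm").write_text("example-hidden-process-name\n")
        (root / "bin" / "ls").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "-"))
```

The baseline must live off the host (read-only media or a remote store) and the comparison is only trustworthy when run from clean media, because a kernel-level rootkit can feed the original bytes to any reader on the live system; that is the point the "Can fool tripwire-style integrity checks" bullet makes about LKM rootkits.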

UNIX tools
http://www.chkrootkit.org

• chkrootkit
  chkrootkit: shell script that checks system binaries for rootkit modification.
  ifpromisc.c: checks if the interface is in promiscuous mode.
  chklastlog.c: checks for lastlog deletions.
  chkwtmp.c: checks for wtmp deletions.
  check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
  chkproc.c: checks for signs of LKM trojans.
  chkdirs.c: checks for signs of LKM trojans.
  strings.c: quick and dirty strings replacement.
  chkutmp.c: checks for utmp deletions

UNIX tools (cont’d)
http://www.rootkit.nl/projects/rootkit_hunter.html

• rkhunter (from their site)

Rootkit hunter is a scanning tool to assure you (to about 99.9%*) you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

Rootkit Hunter is released as GPL licensed project and free for everyone to use.

* No, not really 99.9%.. It's just another security layer

Windows Tools
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

• RootkitRevealer

Interesting quote from the site:
The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.

Windows Tools (cont’d)
http://greatis.com/unhackme/

• unhackme
  Windows NT4/2000/XP through SP2
  What's new in version 2.5: Added detection of AFX Rootkit 2005, Elite Keylogger, hidden processes.
  What's new in version 2.0: Added detection and removal of AFX Rootkit and Vanquish Rootkit. UnHackMe monitor.
• Not GPL

Windows Tools (cont’d)
http://www.iarsn.com/taskinfo.html

• Taskinfo
  Used to look for rogue processes
  Works on Windows 95 through 2003 server
  TaskInfo shows information about all running processes and threads including ring0 VxD threads. Information about each process includes:
  - Most of the Processes that want to be invisible like worms, keyloggers and other spy software
  - All threads (with details including Thread Start Address and Call Stack with Symbolic Information if possible)
  - CPU usage (multiple CPU supported)
  - Memory usage
  - Scheduling rate
  - Path
  - Opened files and handles
  - Loaded modules (DLLs etc.)
  - Command line
  - Environment variables
  - Version information
  - Connections

What to do Next

Most companies and organizations want to clean up the mess and get back to work (“wipe and reinstall”)

What if it’s on more than one machine?
What if the attacker has other back doors?
What about sniffed passwords, or logged keystrokes?
How did they get in to begin with?

Steps to Take

Isolate the system from the network
Image the drive(s) if possible
Determine which rootkit was used
Go online for information on how to clean up the drive

Resources

http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
http://en.wikipedia.org/wiki/Root_kit
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
http://www.rootkit.com
http://research.microsoft.com/rootkit/