Rootkits. Agenda: Introduction, Definition of a Rootkit, Types of Rootkits, Existing Methodologies to Detect Rootkits, Lrk4, Knark, Conclusion


  • Rootkits

  • Agenda
    - Introduction
    - Definition of a Rootkit
    - Types of rootkits
    - Existing Methodologies to Detect Rootkits
    - Lrk4
    - Knark
    - Conclusion

  • Introduction
    - Current Vulnerabilities on the Internet
    - Current Techniques Used by System Administrators to monitor the status of Systems:
      - Intrusion Detection Systems
      - File Integrity Programs
      - Signature Analysis Programs


  • Definition of a Rootkit
    - Trojan Horse into a Computer System
    - Malicious Programs that pretend to be normal programs
    - May also be programs:
      - that masquerade as plausible programs
      - with names that approximate existing programs
      - already running and not easily identifiable by the user

  • Definition of a Rootkit: Installing a Rootkit on a Target System
    - Hacker MUST already have root level access on target system
    - Gain root level access by compromising system via buffer overflow, password attack, social engineering
    - Rootkit allows hacker to get back onto system with root level privilege

  • Definition of a Rootkit
    - Rootkits are a recent phenomenon
    - Developed by hackers to conceal their activities
    - One method is to replace existing binary system files that continue to function as normal but allow hacker back door access
    - Can be developed by skilled hacker with programming expertise


  • Types of Rootkits
    - User-level Rootkits
    - Kernel-level Rootkits

  • Types of Rootkits: User-level rootkits
    - Replace utilities such as ps, ls, ifconfig, etc.
    - Replace key libraries
    - Detectable by utilities like tripwire

  • Types of Rootkits: Kernel-level rootkits
    - Replace or hook key kernel functions
    - Through, e.g., loadable kernel modules or direct kernel memory access
    - A common detection strategy: compare the view obtained by enumerating kernel data structures with that obtained by the API interface
    - Can be defended by kernel-driver signing (required by 64-bit Windows)

  • Types of Rootkits: Bootkit (variant of kernel-level rootkit)
    - Replace the boot loader (master boot record)
    - Used to attack full disk encryption key
    - Malicious boot loader can intercept encryption keys or disable requirement for kernel-driver signing

  • Types of Rootkits
    - Hypervisor-level rootkits
    - Hardware/firmware rootkits
    - Whoever gets to the lower level has the upper hand.


  • Existing Methodologies to Detect Rootkits
    - Use of Host Based Intrusion Detection System (IDS)
      - TRIPWIRE
      - Advanced Intrusion Detection Environment (AIDE)
      - Downloadable on Internet
    - Chkrootkit
      - chkrootkit is available at:

  • Existing Methodologies to Detect Rootkits: AIDE
    - Open Source Product
    - Can support multiple Integrity Checking Algorithms
    - Customized Configuration File (aide.conf) is necessary

  • Detecting a rootkit using AIDE
    - AIDE is a program that detects rootkits based on the checksums of the binary files
    - As can be seen from the following screenshot, AIDE detected that the netstat and login files have been changed by looking at their checksums
    - chsh, chfn, and passwd were not detected because they were not in this directory
    - Once this was done, another tool was used to detect the rootkit: chkrootkit

  • Detecting a rootkit using AIDE (screenshot of AIDE output)

  • Detecting Rootkit with chkrootkit
    - This is simply a script file that can be used to detect the presence of rootkits based on certain signatures
    - For example, by detecting the string root in the login file, chkrootkit recognizes that the system has been compromised, since the original login file did not have those strings in it
    - Shown in the following screenshot are the results of running the chkrootkit program

  • chkrootkit (screenshot of chkrootkit output)

  • Existing Methodologies to Detect Rootkits: Installation of IDS
    - Prior to installation: 5 investigations per week
    - After installation: up to 5 investigations per day
    - Anomaly Based IDS monitors machines on campus
    - A Honeynet is currently running at Georgia Tech

  • Existing Methodologies to Detect Rootkits: Steps taken upon investigation of a compromised system
    - Contact responsible system administrator
    - System may be rebooted with known good media with suspect hard drive mounted read-only
    - Duplicate copy of hard drive may be produced with cryptographic checksum signature for possible criminal investigation

  • Existing Methodologies to Detect Rootkits: Forensic Investigation of compromised system
    - No formalized methodology currently exists for forensic investigation
    - Logs will be examined first
    - May have no record of exploit or may be deleted entirely
    - Steps may be taken to retrieve deleted log files

  • Existing Methodologies to Detect Rootkits
    - Previously known target directories will be examined for suspicious files or entries
      - e.g. the t0rn rootkit creates /etc/ttyhash, which is a copy of the original /bin/login program
    - chkrootkit program may be run to check for previously known exploits
      - chkrootkit is available at:

  • Existing Methodologies to Detect Rootkits
    - For LINUX/UNIX systems various commands will be used to check for compromises:
      - find & locate to look for suspicious files and directories
      - file & strings to examine suspect files
      - ldd (load library dependencies) & strace
    - Similar methodology used for other operating systems


  • Lrk4 Background
    - Written by Lord Somer
    - Released in November 1998
    - Several more recent versions are available (lrk5 and lrk6); however, lrk4 is the most stable out of all of them
    - Updates for lrk4 still being posted
    - However, to run lrk4, it is necessary to install old libraries since lrk4 was built against these earlier libraries

  • Installing lrk4
    - Although a Makefile is included with lrk4, compilation results in several errors
    - This is due to the uniqueness of each operating system
    - For this lab, Red Hat 7.2 is used
    - One major problem: numerous references to pre-defined library functions
    - Other problems:
      - Failure to reference necessary libraries
      - Failure to define referenced variables
    - Getting the rootkit to work requires some knowledge of programming

  • What does lrk4 change?
    - The following binaries are changed by lrk4:
      - login: signs a user onto the system
      - chfn: used to change finger information
      - chsh: used to change login shell
      - passwd: updates a user's authentication token
    - Important change: hacker can now log onto system using the name rewt and password satori
    - To learn more about the changes, view the README file

  • Hiding lrk4 on the system
    - How do you make sure your changed binaries are not easily detected?
    - Run fix tool (normally comes with the rootkit)
    - This changes the date of the binaries so that it looks like they are old binaries

  • Detecting lrk4
    - The fix tool has a bug: it changes the date of the binary but not the size
    - Any file integrity software (such as Tripwire) will catch the change in binary sizes
    - ldd command can be used to see what libraries a binary links to; this can also be used to detect a corrupted binary
    - The following screenshot shows the output from running the ldd command against the normal login and the corrupted login
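The integrity-check idea behind the AIDE slide and the "fix tool" bug above, as an added example that is not part of the original slides or of AIDE/Tripwire: a baseline of size, mtime and SHA-256 per file is recorded and re-compared, and the constructed scenario replaces a stand-in `login` binary and then restores its old timestamp, so only the size and checksum differ. File names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Record size, mtime and SHA-256 for one file, as an AIDE-style database entry."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}

def baseline(paths):
    """Build the trusted baseline database from a known-good system."""
    return {p: fingerprint(p) for p in paths}

def compare(db, paths):
    """Return {path: [changed attributes]} for every file that differs from the baseline."""
    changed = {}
    for p in paths:
        now = fingerprint(p)
        diffs = [k for k in ("size", "mtime", "sha256") if now[k] != db[p][k]]
        if diffs:
            changed[p] = diffs
    return changed

def demo_fix_tool_scenario():
    """Constructed scenario: 'login' is replaced and its mtime restored; 'chsh' is untouched."""
    d = tempfile.mkdtemp()
    login, chsh = os.path.join(d, "login"), os.path.join(d, "chsh")
    with open(login, "wb") as f:
        f.write(b"ORIGINAL LOGIN BINARY")  # constructed stand-in for /bin/login
    with open(chsh, "wb") as f:
        f.write(b"ORIGINAL CHSH BINARY")  # constructed stand-in for /usr/bin/chsh
    db = baseline([login, chsh])
    old = os.stat(login)
    # Swap in a different (longer) binary, then reset atime/mtime the way the
    # fix tool does. The timestamp now matches the baseline; size and hash do not.
    with open(login, "wb") as f:
        f.write(b"REPLACED LOGIN BINARY (TROJANED COPY)")
    os.utime(login, (old.st_atime, old.st_mtime))
    result = compare(db, [login, chsh])
    return {os.path.basename(p): v for p, v in result.items()}

if __name__ == "__main__":
    print(demo_fix_tool_scenario())  # {'login': ['size', 'sha256']}
```

A timestamp-only check would report nothing here; comparing size and checksum against the stored baseline is what catches the replaced binary.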

  • Detecting lrk4 (screenshot of ldd output for the normal and corrupted login)

  • Detecting lrk4
    - As can be seen, the corrupted login only links to three libraries while the normal login links to six libraries: a clear indication that the binary has been changed
    - Notice that the corrupted login does not use the Password Authentication Module (PAM)
    - Instead, Shadow-suite software is used
    - Hence, no link to the PAM library
    - Availability of an rpm for Shadow Suite is probably why it was used instead of PAM for the corrupted login; otherwise the PAM module would have to be modified
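The ldd comparison described on the two slides above, as an added example that is not part of the original slides: the dependency lists of a known-good binary and a suspect copy are parsed from ldd-format text and diffed. The two listings are constructed to mirror the slide's description (six libraries versus three, the PAM library missing); they are not the screenshot's real output, and the paths and load addresses are placeholders.

```python
import re

# Constructed ldd output for a known-good Red Hat 7.2 style /bin/login (six libraries).
GOOD_LOGIN_LDD = """\
        libpam.so.0 => /lib/libpam.so.0 (0x40020000)
        libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x40029000)
        libdl.so.2 => /lib/libdl.so.2 (0x4002c000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40030000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""

# Constructed ldd output for the suspect login (three libraries, no PAM).
SUSPECT_LOGIN_LDD = """\
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40020000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""

def parse_ldd(text):
    """Return the set of library names (soname or path) an ldd listing reports."""
    libs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=>" in line:                       # "libfoo.so.1 => /lib/libfoo.so.1 (0x...)"
            libs.add(line.split("=>", 1)[0].strip())
        elif re.match(r"\S+\.so", line):       # e.g. "linux-gate.so.1 (0x...)" with no path
            libs.add(line.split()[0])
        # anything else ("not a dynamic executable", "statically linked") adds nothing
    return libs

def compare_deps(good_text, suspect_text):
    """Diff the dependency sets and flag a missing PAM link, the tell-tale from the slide."""
    good, suspect = parse_ldd(good_text), parse_ldd(suspect_text)
    missing = good - suspect
    return {
        "good_count": len(good),
        "suspect_count": len(suspect),
        "missing": sorted(missing),
        "added": sorted(suspect - good),
        "pam_missing": any(lib.startswith("libpam") for lib in missing),
    }

if __name__ == "__main__":
    print(compare_deps(GOOD_LOGIN_LDD, SUSPECT_LOGIN_LDD))
```

On a live system the two inputs would be the output of `ldd` run against a known-good copy of the binary (from install media or a package cache) and against the installed one.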

  • Lrk4 Code
    - Running the diff command on the two login files reveals some noticeable differences:
      - Integer variable elite
      - Five character array rewt
    - Character array stores the name rewt and a terminating null character, as shown in the next screenshot
    - If another character array had been used for the comparison, the string root would never have been detected

  • Lrk4 Code: Rewt (screenshot of the diff)

  • Lrk4 Code
    - The following code allows for the hacker to gain root access with the username rewt (shown in screenshot)

  • Lrk4 Code: Trojan Password
    - OK, so we have root being passed in; what about the password?
    - pw_auth program checks to see if a user's password is valid
    - pw_auth code is modified so that trojan password satori is added to password list
    - Trojan password stored in a seven character array and values copied from rootkit.h header file

  • Lrk4 Code: Trojan Password (screenshot of pw_auth diff)

  • Lrk4 Code: Trojan Password
    - Clean pw_auth would return value of 0 whenever password validated
    - Edited pw_auth returns value of 3 when input password matches password in rootkit.h
    - Program then transitions to the auth_ok portion of login.c
    - Elite variable is set to 1
    - Significant for remainder of login.c program

  • Lrk4 Code: Trojan Password (screenshot of login.c auth_ok section)

  • Lrk4 Code: Logging Events
    - So we've gained access to the machine; how can we make sure our activities aren't logged?
    - Check to see if the user has entered the trojan password and username rewt
    - If so, then bypass logging activities to the SYSLOG file
    - This is accomplished with the following code fragment:

  • Lrk4 Code: Logging Events (screenshot of the code fragment)

  • Lrk4 Summary
    - Lrk4 is a very powerful tool
    - Trojan username and password can be used to gain ro