UNIX Rootkits and Illogic Kit Analysis Anton Chuvakin, Ph.D. Senior Security Analyst FBI Academy June 2002

Rootkits: Introduction Set of tools deployed after system penetration Purpose: Maintain access via backdoors Local and remote Attack other systems DoS, sniffing, scanning, etc Destroy evidence Clear audit trails Prevent audit collection

Set of tools deployed after system penetration

Purpose:

Maintain access via backdoors

Local and remote

Attack other systems

DoS, sniffing, scanning, etc

Destroy evidence

Clear audit trails

Prevent audit collection

Rootkits: Brief History From log cleaners to live kernel patching 1989 log cleaners 1994 early SunOS kits 1996 first Linux rootkits 1997 LKM trojans proposed in ”Phrack” 1998 non-LKM kernel patching proposed 1999 adore LKM kit released 2000 t0rnkit v. 8 libproc trojan 2001 KIS trojan released

From log cleaners to live kernel patching

1989 log cleaners

1994 early SunOS kits

1996 first Linux rootkits

1997 LKM trojans proposed in ”Phrack”

1998 non-LKM kernel patching proposed

1999 adore LKM kit released

2000 t0rnkit v. 8 libproc trojan

2001 KIS trojan released

Features: Remote Access Remote access Trojan existing daemons (telnet, sshd, ftpd, sendmail, named, httpd, tcpd, finger, inetd, others) Create extra accounts (rewt) Add network services (infamous /bin/sh in inetd.conf) Add hostile CGI scripts (CGI shell) Reverse access (xterm, reverse shell from crontab) Kernel networking backdoor (kernel listener)

Remote access

Trojan existing daemons (telnet, sshd, ftpd, sendmail, named, httpd, tcpd, finger, inetd, others)

Create extra accounts (rewt)

Add network services (infamous /bin/sh in inetd.conf)

Add hostile CGI scripts (CGI shell)

Reverse access (xterm, reverse shell from crontab)

Kernel networking backdoor (kernel listener)

Features: Local Access Local privilege escalation Extra root accounts Hidden SUID root shells Trojaned binaries Login, ping, su, password, any SUID root Kernel trojan to get root “ All-root” LKM gives root to all users Modified configuration files (even inittab)

Local privilege escalation

Extra root accounts

Hidden SUID root shells

Trojaned binaries

Login, ping, su, password, any SUID root

Kernel trojan to get root

“ All-root” LKM gives root to all users

Modified configuration files (even inittab)

Features: Attacks Remote Scan and exploit Denial-of-service and DDoS IRC Local Network and local (e.g. ssh) sniffers Password cracking

Remote

Scan and exploit

Denial-of-service and DDoS

IRC

Local

Network and local (e.g. ssh) sniffers

Password cracking

Features: Hiding and Cleanup Hiding Files and file modifications Processes Connections (inbound and outgoing) LKMs Cleanup Logs Accounting records Rootkit build files

Hiding

Files and file modifications

Processes

Connections (inbound and outgoing)

LKMs

Cleanup

Logs

Accounting records

Rootkit build files

Rootkits: Perks Integrity checks against trojans (!) Competing rootkit search and destroy (based on chkrootkit) “ Interesting” file search (grep mastercard *) Removal protection (Linux chattr) Remote logging detection (@ in /etc/syslog.conf) Adjustable configuration (various version and distros) Password protection System database collection (collect and mail system info) Patching and hardening scripts

Integrity checks against trojans (!)

Competing rootkit search and destroy (based on chkrootkit)

“ Interesting” file search (grep mastercard *)

Removal protection (Linux chattr)

Remote logging detection (@ in /etc/syslog.conf)

Adjustable configuration (various version and distros)

Password protection

System database collection (collect and mail system info)

Patching and hardening scripts

Use (i.e. abuse) of rootkits Attacker’s operations: Find the host Check for vulnerability Exploit and get access Download tools Build and deploy rootkit Come back to use the system

Attacker’s operations:

Find the host

Check for vulnerability

Exploit and get access

Download tools

Build and deploy rootkit

Come back to use the system

Old rootkis (1994-2000) Binary replacement For backdooring and hiding ls, ps, top, rm, find, locate, login, netstat, password, su, du, ifconfig, pstree, finger, sshd, telnetd, others Adjust date, size and CRC on files Hiding Via configuration files for trojaned binaries Login/password sniffer

Binary replacement

For backdooring and hiding

ls, ps, top, rm, find, locate, login, netstat, password, su, du, ifconfig, pstree, finger, sshd, telnetd, others

Adjust date, size and CRC on files

Hiding

Via configuration files for trojaned binaries

Login/password sniffer

Newer kits (1999-2002) Loadable-kernel modules Adore, knark, KIS, etc Trojaned system libraries T0rnkit v. 8, preload kit More binaries replaces lsof, slocate, syslogd, tcpd, killall, others Everything networked and/or SUID may be backdoored! Covert channels and backdoor activation

Loadable-kernel modules

Adore, knark, KIS, etc

Trojaned system libraries

T0rnkit v. 8, preload kit

More binaries replaces

lsof, slocate, syslogd, tcpd, killall, others

Everything networked and/or SUID may be backdoored!

Covert channels and backdoor activation

Introducing Illogic v. 1.2 I Huge kit (1.2 Mb archived) that contain “everything” DoS tools Sniffer and analysis tools Secure remote access Backup remote access Multiple local holes Advanced hardening and patching engine

Huge kit (1.2 Mb archived) that contain “everything”

DoS tools

Sniffer and analysis tools

Secure remote access

Backup remote access

Multiple local holes

Advanced hardening and patching engine

Introducing Illogic v. 1.2 II Distinctive features: Patching engine (updates and secures the system) Integrity checking for trojaned rootkit components Password protection Compressed binaries Sysinfo reporting Found on our Linux honeypot Apr 30, 2002

Distinctive features:

Patching engine (updates and secures the system)

Integrity checking for trojaned rootkit components

Password protection

Compressed binaries

Sysinfo reporting

Found on our Linux honeypot Apr 30, 2002

Illogic Components: RAT Remote access SSH on high port (standard backdoor) Telnet backdoor (DISPLAY-activated) Local backdoors Trojans Ping Su Passwd

Remote access

SSH on high port (standard backdoor)

Telnet backdoor (DISPLAY-activated)

Local backdoors

Trojans

Ping

Su

Passwd

Illogic Components: Hiding Loadable-kernel module – Adore v. 0.38 Adore features PROMISC flag hiding File and directory hiding Process-hiding Netstat hiding Separate root shell backdoor Standard log cleaner (cleans by IP and regex)

Loadable-kernel module – Adore v. 0.38

Adore features

PROMISC flag hiding

File and directory hiding

Process-hiding

Netstat hiding

Separate root shell backdoor

Standard log cleaner (cleans by IP and regex)

Illogic Components: Attacks I Impressive collection of automatic attack tools Sniffer Optional local SSH sniffer Set of point-to-point DoS tools

Impressive collection of automatic attack tools

Sniffer

Optional local SSH sniffer

Set of point-to-point DoS tools

Illogic Components: Attacks II FreeBSD telnet bug autorooter ssh version scanner and exploit tool statdx scanner and rooter advanced“”r00t” combo scanner Bind 4.x, 8.x, LPRng, WU-FTPD < 2.6.1, ProFTPD < 1.2.0pre5, RPC (multiplatform) Parallel execution, configuration files, etc Fully random scan mode (!) Well-documented

FreeBSD telnet bug autorooter

ssh version scanner and exploit tool

statdx scanner and rooter

advanced“”r00t” combo scanner

Bind 4.x, 8.x, LPRng, WU-FTPD < 2.6.1, ProFTPD < 1.2.0pre5, RPC (multiplatform)

Parallel execution, configuration files, etc

Fully random scan mode (!)

Well-documented

Illogic Components: Attacks III DoS tools: VadimII – UDP flood Slice3 – SYN flood Slice2 - SYN flood Stealth Synk – SYN flood Network and host resource starvation attacks

DoS tools:

VadimII – UDP flood

Slice3 – SYN flood

Slice2 - SYN flood

Stealth

Synk – SYN flood

Network and host resource starvation attacks

Illogic Components:Security Patching engine Determines and downloads updates from vendor site Rootkit search and destruction Rootkit and DdoS bot paths, filenames and processes checked Advanced hardening script SUID, insecure services, SYN-flood protection, network configuration

Patching engine

Determines and downloads updates from vendor site

Rootkit search and destruction

Rootkit and DdoS bot paths, filenames and processes checked

Advanced hardening script

SUID, insecure services, SYN-flood protection, network configuration

Illogic Installation I Follow the installation script: Set environment Display color logo Kill HISTFILE/HISTSAVE Check for system architecture and OS Check for existing rootkits and DoS bots Create dir structure in /lib/security/.config Back up good binaries Install log cleaner (as /usr/bin/sia)

Follow the installation script:

Set environment

Display color logo

Kill HISTFILE/HISTSAVE

Check for system architecture and OS

Check for existing rootkits and DoS bots

Create dir structure in /lib/security/.config

Back up good binaries

Install log cleaner (as /usr/bin/sia)

Illogic Installation II Prepare trojans (login, etc) for size and date Install ssh backdoor on custom port (ssh2d) Install telnet backdoor Install various local trojans Unpack and install DoS tools, adore and scanners Install sniffer and sniffer checker

Prepare trojans (login, etc) for size and date

Install ssh backdoor on custom port (ssh2d)

Install telnet backdoor

Install various local trojans

Unpack and install DoS tools, adore and scanners

Install sniffer and sniffer checker

Illogic Installation III Run patching and hardening scripts Cleanup of bad services (portmap, etc), secure FTP, etc Clean logs Collect statistics about box (CPU info, memory, disk, ping yahoo, passwords, shadow) and email it to several addresses Offer installation support by email (!)

Run patching and hardening scripts

Cleanup of bad services (portmap, etc), secure FTP, etc

Clean logs

Collect statistics about box (CPU info, memory, disk, ping yahoo, passwords, shadow) and email it to several addresses

Offer installation support by email (!)

Illogic: Changes to System Directories created /lib/security/.config Files added /usr/bin/sia (log cleaner) Several more in /usr/bin Files modified /etc/rc.d/init.d/network sshd Many in /usr/bin

Directories created

/lib/security/.config

Files added

/usr/bin/sia (log cleaner)

Several more in /usr/bin

Files modified

/etc/rc.d/init.d/network

sshd

Many in /usr/bin

Future Trends Better HIDS protection Intergity check bypass described in papers (2000) Custom kernel hiding and non-LKM kernel attack Better LKMs that hide from detection Non-LKM kernel patching (KIS) Covert channelling and passive backdoors More application-level backdoors

Better HIDS protection

Intergity check bypass described in papers (2000)

Custom kernel hiding and non-LKM kernel attack

Better LKMs that hide from detection

Non-LKM kernel patching (KIS)

Covert channelling and passive backdoors

More application-level backdoors

Conclusion Illogic No new technology Assembled not coded Hacker’s “dream” - all-in-one Rootkits bloat is good for security? Rootkits Bigger and nastier rootkits ahead!

Illogic

No new technology

Assembled not coded

Hacker’s “dream” - all-in-one

Rootkits bloat is good for security?

Rootkits

Bigger and nastier rootkits ahead!

Thanks for Viewing the Presentation Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA http://www.chuvakin.org Author of “Security Warrior” (O’Reilly) – http://www.securitywarrior.org Book on logs is coming soon! See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA

http://www.chuvakin.org

Author of “Security Warrior” (O’Reilly) – http://www.securitywarrior.org

Book on logs is coming soon!

See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs