Anton Chuvakin on illogic Rootkit Analysis

Anton Chuvakin on Unix Rootkits and Detailed illogic Rootkit Analysis

1. UNIX Rootkits and Illogic Kit Analysis
   Anton Chuvakin, Ph.D., Senior Security Analyst
   FBI Academy, June 2002

2. Rootkits: Introduction
   • Set of tools deployed after system penetration
   • Purpose:
     • Maintain access via backdoors
       • Local and remote
     • Attack other systems
       • DoS, sniffing, scanning, etc.
     • Destroy evidence
       • Clear audit trails
       • Prevent audit collection

3. Rootkits: Brief History
   • From log cleaners to live kernel patching
     • 1989 log cleaners
     • 1994 early SunOS kits
     • 1996 first Linux rootkits
     • 1997 LKM trojans proposed in “Phrack”
     • 1998 non-LKM kernel patching proposed
     • 1999 adore LKM kit released
     • 2000 t0rnkit v. 8 libproc trojan
     • 2001 KIS trojan released

4. Features: Remote Access
   • Remote access
     • Trojan existing daemons (telnet, sshd, ftpd, sendmail, named, httpd, tcpd, finger, inetd, others)
     • Create extra accounts (rewt)
     • Add network services (the infamous /bin/sh in inetd.conf)
     • Add hostile CGI scripts (CGI shell)
     • Reverse access (xterm, reverse shell from crontab)
     • Kernel networking backdoor (kernel listener)

5. Features: Local Access
   • Local privilege escalation
     • Extra root accounts
     • Hidden SUID root shells
     • Trojaned binaries
       • login, ping, su, passwd, any SUID root binary
     • Kernel trojan to get root
       • “All-root” LKM gives root to all users
     • Modified configuration files (even inittab)

6. Features: Attacks
   • Remote
     • Scan and exploit
     • Denial-of-service and DDoS
     • IRC
   • Local
     • Network and local (e.g. ssh) sniffers
     • Password cracking

7. Features: Hiding and Cleanup
   • Hiding
     • Files and file modifications
     • Processes
     • Connections (inbound and outgoing)
     • LKMs
   • Cleanup
     • Logs
     • Accounting records
     • Rootkit build files

8. Rootkits: Perks
   • Integrity checks against trojans (!)
   • Competing-rootkit search and destroy (based on chkrootkit)
   • “Interesting” file search (grep mastercard *)
   • Removal protection (Linux chattr)
   • Remote logging detection (@ in /etc/syslog.conf)
   • Adjustable configuration (various versions and distros)
   • Password protection
   • System database collection (collect and mail system info)
   • Patching and hardening scripts

9. Use (i.e. abuse) of rootkits
   • Attacker’s operations:
     • Find the host
     • Check for vulnerability
     • Exploit and get access
     • Download tools
     • Build and deploy rootkit
     • Come back to use the system

10. Old rootkits (1994-2000)
   • Binary replacement
     • For backdooring and hiding
       • ls, ps, top, rm, find, locate, login, netstat, passwd, su, du, ifconfig, pstree, finger, sshd, telnetd, others
     • Adjust date, size and CRC on files
   • Hiding
     • Via configuration files for trojaned binaries
   • Login/password sniffer

11. Newer kits (1999-2002)
   • Loadable kernel modules
     • Adore, knark, KIS, etc.
   • Trojaned system libraries
     • t0rnkit v. 8, preload kit
   • More binaries replaced
     • lsof, slocate, syslogd, tcpd, killall, others
     • Everything networked and/or SUID may be backdoored!
   • Covert channels and backdoor activation
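The “adjust date, size and CRC on files” trick on slide 10 is why a file integrity check needs a cryptographic digest and a baseline kept off the host, not a size/date/CRC comparison. The following is an added example, not code from the talk: it baselines size, mtime and SHA-256 for a set of binaries and still reports a replacement whose size and mtime were restored; the file name and contents are constructed.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(paths):
    """Record size, mtime and SHA-256 of each binary; keep the result off the host."""
    return {p: {"size": os.stat(p).st_size, "mtime": int(os.stat(p).st_mtime),
                "sha256": sha256_of(p)} for p in paths}

def verify(entries):
    """Return {path: reason} for every file that no longer matches its baseline entry."""
    findings = {}
    for p, rec in entries.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        st = os.stat(p)
        if sha256_of(p) != rec["sha256"]:
            # A kit can restore size and mtime (slide 10 says it adjusted the CRC too);
            # a cryptographic digest cannot be matched that way.
            stealthy = st.st_size == rec["size"] and int(st.st_mtime) == rec["mtime"]
            findings[p] = "content changed" + (" (size and mtime preserved)" if stealthy else "")
    return findings

def demo():
    """Constructed scenario: a 'binary' is replaced by one of equal length and its mtime put back."""
    path = os.path.join(tempfile.mkdtemp(), "ls")
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\necho original ls\n")
    base = baseline([path])
    st = os.stat(path)
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\necho trojaned ls\n")   # same size as the original
    os.utime(path, (st.st_atime, st.st_mtime))      # date adjusted, as the old kits did
    return verify(base)
```

Run the verification with known-good binaries (trusted media or a static copy), since the kits on slides 10 and 11 replace exactly the tools a checker would otherwise call.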
12. Introducing Illogic v. 1.2 I
   • Huge kit (1.2 MB archived) that contains “everything”
   • DoS tools
   • Sniffer and analysis tools
   • Secure remote access
   • Backup remote access
   • Multiple local holes
   • Advanced hardening and patching engine

13. Introducing Illogic v. 1.2 II
   • Distinctive features:
     • Patching engine (updates and secures the system)
     • Integrity checking for trojaned rootkit components
     • Password protection
     • Compressed binaries
     • Sysinfo reporting
   • Found on our Linux honeypot Apr 30, 2002

14. Illogic Components: RAT
   • Remote access
     • SSH on high port (standard backdoor)
     • Telnet backdoor (DISPLAY-activated)
   • Local backdoors
     • Trojans
       • ping
       • su
       • passwd

15. Illogic Components: Hiding
   • Loadable kernel module – Adore v. 0.38
   • Adore features
     • PROMISC flag hiding
     • File and directory hiding
     • Process hiding
     • netstat hiding
     • Separate root shell backdoor
   • Standard log cleaner (cleans by IP and regex)
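One way to look for the process hiding that slide 15 attributes to Adore is a cross-view comparison in the style of chkrootkit’s chkproc: what a directory listing of /proc reports versus what a direct per-PID probe confirms. This is an added example, not part of the talk or of chkrootkit; the probe uses kill(pid, 0), and the sample /proc listing it is tested against is constructed.

```python
import os
import tempfile

def visible_pids(proc_root="/proc"):
    """PIDs a directory listing of /proc shows (the view ps and top rely on)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def probed_pids(max_pid):
    """PIDs the kernel confirms when each one is asked about directly via kill(pid, 0)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            alive.add(pid)      # exists, owned by another user
    return alive

def hidden_pids(listing_before, probed, listing_after):
    """Probed PIDs absent from both listings; the second listing rules out processes started mid-scan."""
    return sorted(probed - (listing_before | listing_after))

def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except OSError:
        return default

def scan(proc_root="/proc"):
    """Full cross-view scan of the running system."""
    before = visible_pids(proc_root)
    probed = probed_pids(read_pid_max())
    return hidden_pids(before, probed, visible_pids(proc_root))

def sample_proc_listing():
    """Constructed /proc-like directory for testing: two visible PIDs plus non-PID entries."""
    d = tempfile.mkdtemp()
    for name in ("1", "2", "self", "sys"):
        os.mkdir(os.path.join(d, name))
    return d

if __name__ == "__main__":
    print("hidden PID candidates:", scan() or "none")
```

A module that also hooks the syscall used for the probe hides from this view too, so treat an empty result as one data point and confirm with an offline check from trusted boot media.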
16. Illogic Components: Attacks I
   • Impressive collection of automatic attack tools
   • Sniffer
   • Optional local SSH sniffer
   • Set of point-to-point DoS tools

17. Illogic Components: Attacks II
   • FreeBSD telnet bug autorooter
   • ssh version scanner and exploit tool
   • statdx scanner and rooter
   • Advanced “r00t” combo scanner
     • BIND 4.x, 8.x, LPRng, WU-FTPD < 2.6.1, ProFTPD < 1.2.0pre5, RPC (multiplatform)
     • Parallel execution, configuration files, etc.
     • Fully random scan mode (!)
   • Well-documented

18. Illogic Components: Attacks III
   • DoS tools:
     • VadimII – UDP flood
     • Slice3 – SYN flood
     • Slice2 – SYN flood
     • Stealth
     • Synk – SYN flood
   • Network and host resource starvation attacks

19. Illogic Components: Security
   • Patching engine
     • Determines and downloads updates from vendor site
   • Rootkit search and destruction
     • Rootkit and DDoS bot paths, filenames and processes checked
   • Advanced hardening script
     • SUID, insecure services, SYN-flood protection, network configuration

20. Illogic Installation I
   • Follow the installation script:
     • Set environment
     • Display color logo
     • Kill HISTFILE/HISTSAVE
     • Check for system architecture and OS
     • Check for existing rootkits and DoS bots
     • Create dir structure in /lib/security/.config
     • Back up good binaries
     • Install log cleaner (as /usr/bin/sia)

21. Illogic Installation II
     • Prepare trojans (login, etc.) for size and date
     • Install ssh backdoor on custom port (ssh2d)
     • Install telnet backdoor
     • Install various local trojans
     • Unpack and install DoS tools, adore and scanners
     • Install sniffer and sniffer checker

22. Illogic Installation III
     • Run patching and hardening scripts
       • Cleanup of bad services (portmap, etc.), secure FTP, etc.
     • Clean logs
     • Collect statistics about the box (CPU info, memory, disk, ping yahoo, passwords, shadow) and email them to several addresses
     • Offer installation support by email (!)

23. Illogic: Changes to System
   • Directories created
     • /lib/security/.config
   • Files added
     • /usr/bin/sia (log cleaner)
     • Several more in /usr/bin
   • Files modified
     • /etc/rc.d/init.d/network
     • sshd
     • Many in /usr/bin
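The paths on slides 20 to 23 are concrete enough to check for, and the “remote logging detection” perk on slide 8 tells the defender what the kit fears: log copies its cleaner cannot reach. Added example, not from the talk: a read-only checker over a given filesystem root that looks for /lib/security/.config and /usr/bin/sia, tests whether /etc/syslog.conf forwards to a remote host, and reports interfaces with IFF_PROMISC set (a running sniffer); the sample root it builds for testing is constructed.

```python
import os
import tempfile

# Artifacts named on the "Changes to System" and installation slides.
ILLOGIC_PATHS = ["lib/security/.config", "usr/bin/sia"]

def remote_logging_enabled(syslog_conf_text):
    """True if an active syslog rule forwards to a remote host (action starts with '@')."""
    for line in syslog_conf_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and parts[-1].startswith("@"):
            return True
    return False

def promisc_interfaces(root="/"):
    """Interfaces with IFF_PROMISC (0x100) set in /sys/class/net/<if>/flags."""
    net = os.path.join(root, "sys/class/net")
    found = []
    for iface in (sorted(os.listdir(net)) if os.path.isdir(net) else []):
        try:
            with open(os.path.join(net, iface, "flags")) as f:
                if int(f.read().strip(), 16) & 0x100:
                    found.append(iface)
        except (OSError, ValueError):
            continue
    return found

def assess(root="/"):
    """Read-only check; run it from a trusted shell with known-good binaries."""
    findings = {"illogic_paths": [p for p in ILLOGIC_PATHS if os.path.exists(os.path.join(root, p))],
                "promisc": promisc_interfaces(root)}
    try:
        with open(os.path.join(root, "etc/syslog.conf")) as f:
            findings["remote_logging"] = remote_logging_enabled(f.read())
    except OSError:
        findings["remote_logging"] = None   # no syslog.conf under this root
    return findings

def build_sample_root():
    """Constructed fake root that triggers every finding at once (test data, not a real host)."""
    root = tempfile.mkdtemp()
    for d in ("lib/security/.config", "usr/bin", "etc", "sys/class/net/eth0"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "usr/bin/sia"), "w").close()
    with open(os.path.join(root, "etc/syslog.conf"), "w") as f:
        f.write("# *.* @old-loghost\n*.info /var/log/messages\nauthpriv.* @loghost\n")
    with open(os.path.join(root, "sys/class/net/eth0/flags"), "w") as f:
        f.write("0x1103\n")   # IFF_UP|IFF_BROADCAST|IFF_PROMISC|IFF_MULTICAST
    return root
```

Adore hides the PROMISC flag from ifconfig on the compromised host (slide 15), so an absent flag proves nothing; a missing remote-logging rule, on the other hand, is a gap worth closing before the next log cleaner runs.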
24. Future Trends
   • Better HIDS protection
     • Integrity check bypass described in papers (2000)
   • Custom kernel hiding and non-LKM kernel attack
     • Better LKMs that hide from detection
     • Non-LKM kernel patching (KIS)
   • Covert channelling and passive backdoors
   • More application-level backdoors

25. Conclusion
   • Illogic
     • No new technology
     • Assembled, not coded
     • Hacker’s “dream”: all-in-one
     • Rootkit bloat is good for security?
   • Rootkits
     • Bigger and nastier rootkits ahead!

26. Thanks for Viewing the Presentation
   • Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
   • http://www.chuvakin.org
   • Author of “Security Warrior” (O’Reilly) – http://www.securitywarrior.org
   • Book on logs is coming soon!
   • See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs