Download to read offline
Uploaded byBrett Mack
Userland Rootkits - Linuxing in London Feb 2017
The document discusses userland rootkits, focusing on their functionality, detection, and removal. It explains the concept of rootkits as malicious software that hides the presence of users and processes while maintaining unauthorized access. Additionally, it covers techniques such as ld_preload for exploitation and tools like rkhunter for rootkit detection and removal.
More Related Content
Similar to Userland Rootkits - Linuxing in London Feb 2017
Userland Rootkits - Linuxing in London Feb 2017
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 7 Agenda • Whatis a root kit? • The LD_PRELOAD technique • How to detect a root kit • How to remove a root kit
- 8.
- 9.
- 10. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10 What isa root kit? •Essentially a MitM, sitting between users and the kernel •Used to hide the presence of users/processes •Used to maintain access to a box
- 11. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 11 What isa root kit? •The initial entry point on to your box •A virus. It is NOT:
- 12. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 12 What isa root kit? # strace ls /tmp ... stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777,...}) = 0 open("/tmp", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3 ...
- 13. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 13 What isa root kit? Call open() Interrupt descriptor table (IDT) syscall table Choose interrupt handler Choose system call sys_open()
- 14. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 14 What isa root kit? Call open() Interrupt descriptor table (IDT) syscall table Choose interrupt handler Choose system call sys_open() User mode
- 15. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 15 What isa root kit? Call open() Interrupt descriptor table (IDT) syscall table Choose interrupt handler Choose system call sys_open() User mode kernel mode
- 16.
- 17. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 17 What isa root kit? The root kits of yesteryear #!/bin/bash mv /bin/ls /bin/.ls.bak echo <<EOF > /bin/ls #!/bin/bash /bin/.ls.bak $@ | grep -v greg EOF chmod 0755 /bin/ls
- 18.
- 19. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 19 The LD_PRELOADtechnique LD_PRELOAD=/my/file.so ls -al export LD_PRELOAD=/my/file.so
- 20. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 20 The LD_PRELOADtechnique LD_PRELOAD=/my/file.so ls -al export LD_PRELOAD=/my/file.so echo /my/file.so > /etc/ld.so.preload
- 21. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 21 The LD_PRELOADtechnique LD_PRELOAD=/my/file.so ls -al export LD_PRELOAD=/my/file.so echo /my/file.so > /etc/ld.so.preload WHY?!?!?!
- 22. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 22 The LD_PRELOADtechnique So why dynamically link? •Much smaller file size •You can update libraries while maintaining backwards compatibility •Essentially we get much the same benefits as we do with micro services
- 23. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 23 Detecting aroot kit Look at what is being linked by standard system tools •strace •ltrace •ldd
- 24. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 24 Removing arootkit There are tools out there that are good at removing certain types of root kit •rkhunter
- 25.