Rootkits
CIS 413
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.
Dr. Stephen C. Hayne
Traditional RootKits
Replaces key system components
Less detectable than application-level Trojan Horse Backdoors
Traditionally focus on UNIX systems
Root access is required initially
Traditional RootKits
On Windows systems, RootKits replace Dynamic Link Libraries or alter the system.
On UNIX systems, RootKits replace /bin/login with a backdoor version of /bin/login.
Traditional RootKits
When an attacker enters the backdoor password, access is given to the system
Backdoor password still works if other passwords are changed
Login is not recorded in wtmp or utmp files for the backdoor user
Traditional RootKits
Some other programs replaced:
du - shows free disk space; the RootKit version hides space used by attacking tools
find - finds files; the RootKit version hides the attacker’s files
ifconfig - shows status of interfaces; the RootKit version masks promiscuous mode
ls - shows contents of directories; the RootKit version hides the attacker’s files
Traditional RootKits
Linux RootKit 5 (lrk5), written by Lord Somer, is one of the most full-featured RootKits. It includes Trojan versions of the following:
chfn, chsh, crontab, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su
Defending against Traditional RootKits
Try harder to stop attackers from getting root access
Remember that root-level access is needed to install a RootKit
Use the shell’s “echo *” command to look for changes (echo is a shell builtin, so it does not depend on a possibly trojaned ls)
Defending against Traditional RootKits
Get a program to scan /bin/login and see if it has been corrupted
Use a File Integrity Checker such as Tripwire
Save hashes on read-only media
Tripwire
Available from www.tripwire.org
First of the file integrity checkers
Unix and NT versions available
Network capable versions available
Academic version is free; commercial versions are not.
Useful in finding trojan programs
Tripwire
Generates a “signature” for each file based on checksums and other characteristics.
These signatures are stored in a database file that should be kept offline. This is the baseline.
Latest threat involves dynamic exec redirection. This is part of the newer Kernel Module Rootkits.
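The baseline-and-compare cycle the slides describe, as an added example (not Tripwire’s code): each file gets a signature (SHA-256 plus size and mode), the signatures are stored as the baseline, and a later run reports what changed. The files, their contents and the simulated replacement of login are constructed in a temporary directory; on a real host the list would be /bin/login, /bin/ls, /bin/ps and so on, and the baseline would live on read-only media.

```python
"""Minimal Tripwire-style file integrity check (added example)."""
import hashlib
import json
import os
import tempfile


def file_signature(path):
    """Signature of one file: SHA-256 of contents plus size and mode bits.
    mtime is deliberately left out, since an attacker can reset it."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode}


def build_baseline(paths):
    """Return {path: signature}; json.dumps() of this is the offline baseline."""
    return {p: file_signature(p) for p in paths}


def check(baseline, paths):
    """Compare the files at 'paths' against the baseline and report
    modified, missing and newly appeared files."""
    current = {p: file_signature(p) for p in paths if os.path.exists(p)}
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: 'login' is swapped for a backdoor version."""
    d = tempfile.mkdtemp()
    login, ls = os.path.join(d, "login"), os.path.join(d, "ls")
    for p in (login, ls):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho genuine " + os.path.basename(p).encode() + b"\n")
    # Round-trip through JSON, as if the baseline had been written to media and read back.
    baseline = json.loads(json.dumps(build_baseline([login, ls])))
    with open(login, "wb") as f:  # simulated trojaned login binary
        f.write(b"#!/bin/sh\necho backdoor login\n")
    return check(baseline, [login, ls])
```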
Security Configuration Management
Video – Open Source
Video – Proprietary (choose “Before and After Views”)
Tripwire
Advantages: simple interface, good choice of crypto hash functions, good all-around tool
Security issues: how to protect the databases? Need to protect the tripwire executables?
Disadvantages: kernel module attacks, initial configuration takes quite some time to customize, no network security
Kernel-Level RootKits
Makes the Kernel the Trojan Horse
Most difficult to detect
Gives the attacker complete control of the underlying system
Nothing on the system can be trusted
Kernel-Level RootKits
Most common feature is execution redirection
Instead of changing other programs to hide files, the kernel hides them
Kernel may also hide processes that are running
Port usage is often masked
Kernel-Level RootKits
Some early Kernel-level RootKits are:
Knark (Linux)
Adore (Linux)
Plasmoid’s Solaris Loadable Kernel Module (Solaris)
The Windows NT kernel-level RootKit (Windows)
Kernel-Level RootKits
Implemented with Loadable Kernel Modules (LKM)
LKM is used to extend the capabilities of the system, only for some UNIX systems
LKM makes it easy! To install the Knark RootKit type “insmod knark.o”; no reboot necessary
KNARK Background
Written by Creed
Released in 1999
Versions exist for Linux 2.2 and 2.4 kernels
Very popular in the ‘script kiddie’ community
KNARK Capabilities
Hide/Unhide files or directories
Hide TCP/UDP connections
Execution Redirection
Unauthenticated privilege escalation via the rootme program within knark
Ability to change UID/GID of a running process
Unauthenticated, privileged remote execution daemon
Kill –31 to hide a running process
Installing KNARK
KNARK is installed as a Loadable Kernel Module (LKM)
System must have LKM enabled in order to be able to load KNARK
Can be defeated if LKM is disabled; HOWEVER, updating the system becomes much more complicated
The KNARK rootkit has an additional LKM module to hide the presence of KNARK from the insmod (installed module) command.
What does KNARK Change?
KNARK modifies the system call table (sys_call_table) within kernel memory by redirecting some system calls (sys_read, sys_getdents) to malicious system calls written by CREED.
These new malicious system calls function as normal except in certain circumstances.
What does KNARK Change?
Can no longer trust the output of the system calls
Very difficult to detect rootkits such as KNARK using conventional methods
System utility files (ls, ps) are not modified
Kernel output to system utility files IS modified.
Detecting KNARK
Cryptographic checksums of system utilities will NOT change when KNARK is installed
May be possible to take a cryptographic checksum of a selected region of the kernel in order to detect rootkit modification of the kernel (StMichael)
Can detect presence of KNARK-type rootkits by examining sys_call_table
Detecting KNARK
The file /boot/System.map is created when the system is initially compiled
/boot/System.map contains the correct addresses of kernel system calls
/boot/System.map can be archived or retrieved from a known good system for comparison
Must have Superuser (ROOT) privilege in order to read /dev/kmem (kernel memory)
Detecting KNARK using the kern_check program
Developed by Samhain Labs
GPL (‘free’) software
Compares the /boot/System.map file against the system call table in kernel memory
Will not work against later versions of Red Hat Linux 2.4 or the Linux 2.6 kernel
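The comparison kern_check performs, as an added example (not Samhain’s code): parse the symbol addresses out of /boot/System.map and check each entry of the live system call table against them. Both inputs are constructed: the System.map excerpt is made up, and LIVE_TABLE stands in for the addresses kern_check would read out of /dev/kmem as root, with sys_read and sys_getdents redirected into the LKM region as the slides describe KNARK doing.

```python
"""kern_check-style comparison of System.map against sys_call_table (added example)."""

# Constructed System.map excerpt: 'address type symbol' per line.
SYSTEM_MAP = """\
c0106a20 T sys_read
c0106b40 T sys_write
c010c2e0 T sys_getdents
c010c400 T sys_getdents64
c01204a0 T sys_kill
c0200000 D sys_call_table
"""

# Constructed snapshot of the live table (name -> address read from kernel memory).
# Two entries point outside the kernel's own text, into addresses typical of a
# loaded module: the signature of a hooked system call.
LIVE_TABLE = {
    "sys_read": 0xD0854120,
    "sys_write": 0xC0106B40,
    "sys_getdents": 0xD08541A0,
    "sys_getdents64": 0xC010C400,
    "sys_kill": 0xC01204A0,
}


def parse_system_map(text):
    """Parse System.map lines into {symbol: address}; skip malformed lines."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        addr, _symtype, name = parts
        symbols[name] = int(addr, 16)
    return symbols


def check_syscall_table(system_map, live_table):
    """Return [(name, expected, actual)] for every live entry whose address
    differs from System.map; expected is None if the symbol is not in the map."""
    findings = []
    for name, actual in sorted(live_table.items()):
        expected = system_map.get(name)
        if expected != actual:
            findings.append((name, expected, actual))
    return findings


def run():
    return check_syscall_table(parse_system_map(SYSTEM_MAP), LIVE_TABLE)
```

A clean table yields an empty list; any finding means the table in memory no longer matches the kernel that was built, which is exactly the condition the slides say kern_check reports (and which, as they note, this approach cannot check on later 2.4 Red Hat kernels or 2.6).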
KNARK Summary
KNARK is a very powerful tool that was very popular with ‘script kiddies’
Very difficult to detect with conventional methods
Can no longer trust system output once the kernel is compromised
Other kernel rootkits can defeat the kern_check program (SuckIT)
Rootkit Summary
Prevent hackers from gaining root access in order to prevent rootkits from being installed
Must check systems on a periodic basis for rootkit exploits
Current advice for a rootkitted system: wipe out files and re-install the operating system.
Is it possible to re-establish trust on a Rootkited System?
Trojan Horse Backdoors

| Type of Trojan horse backdoor | Characteristics | Analogy | Example tools in this category |
|---|---|---|---|
| Application-Level Trojan Horse Backdoor | A separate application runs on the system | An attacker adds poison to your soup. | Sub7, BO2K, Tini, etc. |
| Traditional RootKits | Critical Operating System components are replaced. | An attacker replaces your potatoes with poison ones. | Lrk6, T0rnkit, etc. |
| Kernel-Level RootKits | Kernel is patched. | An attacker replaces your tongue with a poison one. | Knark, adore, Kernel Intrusion System, rootkit.com, etc. |

Diagram: Application-level (good kernel and good programs, plus a separate evil program); Traditional RootKit (good kernel; Trojan login, ps and ifconfig; good tripwire); Kernel-level RootKit (kernel with a Trojan kernel module; login, ps, ifconfig and tripwire all good).