userland rootkits - linuxing in london feb 2017

Userland Rootkits: How to Hide From root

Brett Mack @phpops

16/02/2017

Userland Rootkits: For Fun and Profit

Malware is great… right up until it is used.

Agenda

• What is a rootkit?

• The LD_PRELOAD technique

• How to detect a rootkit

• How to remove a rootkit

What is a rootkit?

• Essentially a MitM, sitting between users and the kernel

• Used to hide the presence of users/processes

• Used to maintain access to a box

It is NOT:

• The initial entry point on to your box

• A virus.

Every userland program reaches the kernel through system calls, which strace shows:

# strace ls /tmp
...
stat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777,...}) = 0
open("/tmp", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
...

The path a call to open() takes from user mode into the kernel:

User mode:    the program calls open()
                  |  (interrupt)
Kernel mode:  interrupt descriptor table (IDT) -> choose interrupt handler
              syscall table -> choose system call -> sys_open()

A rootkit sits somewhere on this path. A kernel rootkit hooks the syscall table or its handlers; a userland rootkit, the subject of this talk, intercepts the call before it ever leaves user mode.

The rootkits of yesteryear

Swap the binary itself for a wrapper that filters its output, here hiding anything named "greg" from ls:

#!/bin/bash
# Keep the real ls under a dotted name, then write a wrapper in its place.
mv /bin/ls /bin/.ls.bak
# cat (not echo) reads the heredoc; the quoted 'EOF' keeps "$@" literal in the wrapper.
cat <<'EOF' > /bin/ls
#!/bin/bash
/bin/.ls.bak "$@" | grep -v greg
EOF
chmod 0755 /bin/ls

Crude, and it only survives until someone checksums /bin/ls against the package database, which is why the technique gave way to the one on the next slide.

The LD_PRELOAD technique

DEMO

The dynamic linker loads the libraries named in LD_PRELOAD before any other, so their symbols take precedence. Three scopes, from one command to the whole box:

LD_PRELOAD=/my/file.so ls -al          # this one command

export LD_PRELOAD=/my/file.so          # this shell and everything it starts

echo /my/file.so > /etc/ld.so.preload  # every dynamically linked program on the system

WHY?!?!?!

So why dynamically link?

• Much smaller file size

• You can update libraries while maintaining backwards compatibility

• Essentially we get much the same benefits as we do with micro services

Detecting a rootkit

Look at what the standard system tools are actually linking and calling:

• strace

• ltrace

• ldd
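The following is an added example, not code from the talk, that turns the LD_PRELOAD slides and this detection slide into a script. It goes a little beyond the three tools named above: besides parsing ldd output it checks the other two injection points the slides list, /etc/ld.so.preload and the LD_PRELOAD variable in a process's environment as seen in /proc/PID/environ. The function names, the tmp-file handling and the sample inputs are all my own; each check takes a file path so it can be pointed at the live files or at constructed samples.

```shell
#!/bin/sh
# Added example (not from the talk): defender-side checks for the three
# LD_PRELOAD injection points on the slides. Function names are assumptions.

# 1. /etc/ld.so.preload is normally absent or empty. Every whitespace-
#    separated entry is a library the loader injects into each dynamically
#    linked process. Prints entries; returns 1 if anything is listed.
check_preload_file() {
    file="${1:-/etc/ld.so.preload}"
    [ -s "$file" ] || return 0
    found=0
    for lib in $(cat "$file"); do
        echo "ld.so.preload lists: $lib"
        found=1
    done
    return $found
}

# 2. /proc/PID/environ is the NUL-separated environment a process was
#    exec'd with, which is the moment LD_PRELOAD matters. Returns 1 if set.
check_environ() {
    file="$1"
    val=$(tr '\000' '\n' < "$file" | sed -n 's/^LD_PRELOAD=//p')
    [ -z "$val" ] && return 0
    echo "LD_PRELOAD in $file: $val"
    return 1
}

# 3. ldd output for a system binary. A preloaded library shows up as a bare
#    path with no "name =>" part; flag any resolved library that lives
#    outside the standard library directories. Returns 1 if one is found.
check_ldd_output() {
    file="$1"
    suspicious=0
    while IFS= read -r line; do
        case "$line" in
            *'=>'*) path=${line#*=> }; path=${path%% *} ;;
            *)      set -- $line; path=$1 ;;
        esac
        # skip the vdso pseudo-entry and "=> not found" lines
        case "$path" in /*) ;; *) continue ;; esac
        case "$path" in
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;
            *) echo "non-standard library: $path"; suspicious=1 ;;
        esac
    done < "$file"
    return $suspicious
}

# Run all three checks against the live system when the script is executed.
run_live_checks() {
    status=0
    check_preload_file /etc/ld.so.preload || status=1
    if [ -r "/proc/$$/environ" ]; then
        check_environ "/proc/$$/environ" || status=1
    fi
    if command -v ldd >/dev/null 2>&1 && [ -x /bin/ls ]; then
        tmp=$(mktemp)
        ldd /bin/ls > "$tmp" 2>/dev/null
        check_ldd_output "$tmp" || status=1
        rm -f "$tmp"
    fi
    return $status
}

if run_live_checks; then
    echo "live checks: nothing preloaded"
else
    echo "live checks: see findings above"
fi
```

Two caveats when using this for real. ldd, strace and ltrace are themselves dynamically linked, so a preload library that hooks the calls they use to read /etc and /proc can hide from them; when in doubt, run the checks from a statically linked shell or from a rescue image. And /proc/PID/environ is a snapshot from exec time, which is exactly the moment the loader reads LD_PRELOAD, so it is the right thing to inspect even though the process may have changed its environment since.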

Removing a rootkit

There are tools out there that are good at removing certain types of rootkit:

• rkhunter

Thanks. Questions?