Presentation on theme: "Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr."— Presentation transcript:
Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne
Replaces key system components Less detectable than application-level Trojan Horse Backdoors Traditionally focus on UNIX systems Root access is required initially T raditional R oot K its
On Windows systems… RootKits Replace Dynamic Link Libraries or alters the system On UNIX systems… RootKits replace /bin/login with a backdoor version of /bin/login T raditional R oot K its
When an attacker enters the backdoor password access is given to the system Backdoor password still works if other passwords are changed Login is not recorded in wtmp or utmp files for the backdoor user T raditional R oot K its
Some other programs replaced: du - shows free disk space RootKits hides space used by attacking tools find - finds files Hides attacker’s files ifconfig - shows status of interfaces masks promiscuous mode ls - shows contents of directories Hides attacker’s files T raditional R oot K its
Linux RootKit 5 (lrk5) written by Lord Somer one of the most full-featured RootKits includes Trojan versions of the following: chfn, chsh, crontab, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, and su T raditional R oot K its
Try harder to stop attackers from getting root access Remember root-level access is needed to install a RootKit Use “echo *” command to look for changes D efending against T raditional R oot K its
Get a program to scan /bin/login and see if it has been corrupted Use a File Integrity Checker such as Tripwire Save hashes on read-only media D efending against T raditional R oot K its
Tripwire Available from www.tripwire.orgwww.tripwire.org First of the file integrity checkers Unix and NT versions available Network capable versions available Academic version is free. Commercial versions are not. Useful in finding trojan programs
Tripwire Generates a “signature” for each file based on checksums and other characteristics. These signatures are stored in a database file that should be kept offline. This is the baseline. Latest threat involves dynamic exec redirection. This is part of the newer Kernel Module Rootkits.
Tripwire List of files to check: tw.config All files in a directory will be checked. Can prune directories from the check step. Can examine just the directory and nothing else. Can check by access time but not recommended since you’ll get a report of everything that changed. Everything!
Tripwire To initialize the DB: tripwire –initialize Update DB interactively: tripwire -interactive Non-interactive DB update: tripwire – update
Security Configuration Management Video – Open Source Video Video – Proprietary Video Choose “Before and After Views”
Tripwire Advantages Simple interface, good choice of crypto hash functions, good all-around tool Security Issues How to protect DBs…? Need to protect tripwire executables? Disadvantages Kernel mod attacks, initial config takes quite some time to customize, no network security
Makes the Kernel the Trojan Horse Most difficult to detect Gives the attacker complete control of the underlying system Nothing on the system can be trusted K ernel -L evel R oot K its
Most common feature is execution redirection Instead of changing other programs to hide files, the kernel hides them Kernel may also hide processes that are running Port usage is often masked K ernel -L evel R oot K its
Some early Kernel-level RootKits are:Kernel-level RootKits Knark (Linux) Knark Adore (Linux) Plasmoid’s Solaris Loadable Kernel Module (Solaris) The Windows NT kernel-level RootKit (Windows) K ernel -L evel R oot K its
Implemented with Loadable Kernel Modules (LKM) LKM is used to extend the capabilities of the system only for some UNIX systems LKM makes it easy! To install the Knark RootKit type: “insmod knark.o,” no reboot necessary K ernel -L evel R oot K its
KNARK Background Written by Creed Released in 1999 Versions exist for Linux 2.2 and 2.4 kernels Very popular in ‘script kiddie’ community
KNARK Capabilities Hide/Unhide files or directories Hide TCP/UDP connections Execution Redirection Unauthenticated privilege escalation via the rootme program within knark Ability to change UID/GID of a running process Unauthenticated, privileged remote execution daemon Kill –31 to hide a running process
Installing KNARK KNARK IS installed as a Loadable Kernel Module (LKM) System must have LKM enabled in order to be able to load KNARK Can be defeated if LKM is disabled, HOWEVER, updating system becomes much more complicated The KNARK rootkit has an additional LKM module to hide the presence of KNARK from the insmod (installed module) command.
What does KNARK Change? KNARK modifies the system call table (sys_call_table) within kernel memory by redirecting some system calls (sys_read, sys_getdents) to malicous system calls written by CREED. These new malicious system calls function as normal except in certain circumstances.
What does KNARK Change? Can no longer trust the output of the system calls? Very difficult to detect rootkits such as KNARK using conventional methods System utility files (ls, ps) are not modified Kernel Output to system utility files IS modified.
Detecting KNARK Cyptographic Checksums of system utilities will NOT change when KNARK is installed May be possible to take cryptographic checksum of selected region of kernel in order to detect rootkit modification of kernel (StMichael) Can detect presence of KNARK type rootkits by examining sys_call_table
Detecting KNARK The file /boot/System.map is created when system is initially compiled /boot/System.map contains correct address of kernel system calls /boot/system map can be archived or retrieved from a known good system for comparison Must have Superuser (ROOT) privilege in order to read /dev/kmem (kernel memory)
Detecting KNARK using the kern_checkprogram Developed by Samhain labs GPL (‘free’) software Compares /boot/System.map file against the system call table in kernel memory Will not work against later versions of Red Hat Linux 2.4 or the Linux 2.6 kernel
KNARK Summary KNARK is a very powerful tool that was very popular with ‘script kiddies’ Very difficult to detect with conventional methods Can no longer trust system output once kernel is compromised Other kernel rootkits can defeat kern_check program (SuckIT)
Rootkit Summary Prevent hackers from gaining root access in order to prevent rootkits from being installed Must check systems on a periodic basis for rootkit exploits Current advice for a rootkitted system: Wipe out files and re-install operating system. Is it possible to re-establish trust on a Rootkited System?
Trojan Horse Backdoors Type of Trojan horse backdoor CharacteristicsAnalogyExample tools in this category Application-Level Trojan Horse Backdoor A separate application runs on the system An attacker adds poison to your soup. Sub7, BO2K, Tini, etc. Traditional RootKitsCritical Operating System components are replaced. An attacker replaces your potatoes with poison ones Lrk6, T0rnkit, etc. Kernel-Level RootKitsKernel is patched.An attacker replaces your tongue with a poison one. Knark, adore, Kernel Intrusion System, rootkit.com, etc. Traditional RootKit Kernel Trojan login Trojan ps Trojan ifconfig good tripwire Kernel-level RootKit Kernel good login good ps good ifconfig good tripwire Trojan Kernel Module Application-level Kernel Evil Program good program good program good program good program
Here Come the Worms! Compromising systems one-by-one can be such a chore Worms are attack tools that spread across a network, moving from host to host exploiting weaknesses Worms automate the process Take over systems Scan for new vulnerable systems Self-replicate by moving across the network to another vulnerable system Each instance of a worm is a “segment”
2001: Year of the Worm? In 2001, we saw: Ramen L10n Cheese Sadmind/IIS Code Red and Code Red II Nimda To date, worms haven’t been nearly as nasty as they could be Most damage is a result of worm resource consumption New generations of worms arrive every 2 to 6 months
Coming Soon - Super Worms Be on the lookout for very nasty new worms Multi-functional Spread, steal, erase, etc. Multi-platform Win, Linux, Solaris, BSD, AIX, HP-UX… Multi-exploit Many buffer overflows, etc. Zero-Day exploits Just discovered; no patch available Polymorphic Metamorphic We’ve seen many of these pieces, but no one has rolled them all together… yet!
Worm Defenses Buffer overflow defenses help a lot here Rapidly deploy patches Anti-virus solutions At the desktop… …AND at the mail server …AND at the file server Incident response capabilities, linked with network management