Published by Alivia Mugford
Phalanx – A Self-injecting Rootkit
Instructor: Dr. Harold C. Grossman
Students: Jinwei Liu & Subhra S. Sarkar
Agenda
Introduction
History
Objectives
Phalanx’s standing in rootkit classification
Features
Notable infections
Detection mechanisms
Prevention mechanisms
Availability
© 2011 Jinwei Liu & Subhra S. Sarkar
Introduction
Phalanx is a self-injecting kernel rootkit designed to sniff user SSH credentials on the Linux 2.6 kernel branch. It uses the /dev/mem interface to inject hostile code into kernel memory and hijack system calls. Phalanx also provides continued privileged access to the compromised system while hiding its presence from administrators by subverting standard OS functionality.
History
1. First surfaced in
2. Originally developed by rebel
3. Beta 1: Backdoor, file hiding, process hiding
4. Beta 2: Socket hiding, improved process hiding
5. Beta 3: TTY-Sniffer, improved obfuscation
6. Current version: Beta 6 (with additional functionalities)
Objectives
The objectives of Phalanx fall into the following categories:
1. HID: User space object hiding
2. PE: Privilege escalation
3. REE: Re-entry/backdoor
4. REC: Reconnaissance
5. NEU: Defense neutralization
Phalanx’s standing in rootkit classification
Rootkits can be broadly classified into the following categories:
1. Type 0 rootkit
2. Type 1 rootkit
   (a) Hooking lookup tables
   (b) Code patching
   (c) Hooking CPU registers
3. Type 2 rootkit
   (a) Kernel object hooking
   (b) Direct kernel object manipulation
4. Type 3 rootkit
   (a) Virtual machine based
   (b) Hardware-assisted virtual machine based
From the above classification, it is clear that Phalanx falls into the Type 1 rootkit category.
Features
1. Harvests SSH keys and other credentials.
2. Creates a hidden directory, /etc/khubd.p2, for collecting user information; the directory name is sometimes different in order to evade detection.
3. Uses methods to hide its running processes.
4. Does not show up in a process listing from "ps" or in "ls /proc"; however, its directory under /proc is still accessible.
Notable infections
1. Linux servers of kernel.org used for distributing the Linux kernel image were compromised in July
2. SRFC breach at University of Cambridge in April
3. Several attacks were launched in August 2008 on servers running Linux
Detection mechanisms
1. Try "cd" into /etc/khubd.p2 even though the "ls" command will not list it.
2. "/dev/shm/" may contain files from the attack.
3. Any directory named "khubd.p2" is not displayed in an "ls" directory listing, but the directory can still be accessed with the "cd" command.
4. Check the reference (hard-link) count of /etc/ against the number of directories shown by the "ls" command.
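The two checks on this slide (a known-name probe and a link-count comparison) as a small POSIX shell script. This is an added example, not code from the presentation or from Phalanx; the function names and the choice of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): host checks for a
# directory that a readdir()-filtering rootkit hides from "ls".

# On ext4/xfs/tmpfs a directory's hard-link count is 2 + (number of
# subdirectories). Filtering readdir() output does not change that
# count, so a surplus means unlisted subdirectories.
# Prints: OK, "SUSPECT <n>" (n = unlisted subdirectories), or
# UNSUPPORTED (btrfs/overlayfs report nlink 1 for directories).
# Uses GNU stat (Linux).
linkcount_check() {
    dir=$1
    nlink=$(stat -c %h "$dir")
    [ "$nlink" -ge 2 ] || { echo UNSUPPORTED; return 0; }
    # Count only real subdirectories that ls shows (symlinks to
    # directories do not contribute to the parent's link count).
    visible=$(ls -A1 "$dir" | while IFS= read -r name; do
        [ -d "$dir/$name" ] && [ ! -L "$dir/$name" ] && echo x
    done | wc -l)
    hidden=$((nlink - 2 - visible))
    if [ "$hidden" -gt 0 ]; then echo "SUSPECT $hidden"; else echo OK; fi
}

# Probe a name that may be hidden: "cd" still works when only the
# directory listing is filtered.
# Exit status: 0 = reachable but not listed by ls (suspicious),
#              1 = listed normally, 2 = absent.
probe_hidden_dir() {
    base=$1
    name=$2
    ( cd "$base/$name" 2>/dev/null ) || return 2
    ls -A1 "$base" | grep -Fqx -- "$name" && return 1
    return 0
}

# Stand-alone run: the locations named on the slides.
for d in /etc /dev/shm; do
    printf '%s: %s\n' "$d" "$(linkcount_check "$d")"
done
if probe_hidden_dir /etc khubd.p2; then
    echo "/etc/khubd.p2 is reachable but not listed by ls: investigate"
fi
```

A SUSPECT result is a lead, not proof: compare against a trusted boot medium or an offline image, since the live kernel's answers are what the rootkit controls.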
Prevention mechanisms
1. Proactively identify and examine systems where SSH keys are used as part of automated processes.
2. Encourage users to use keys with passphrases.
3. Review access paths to Internet-facing systems and ensure that the systems are fully patched.
Availability
Phalanx can be downloaded for free for educational purposes from the following URL
Author: rebel
Current version available for download: beta 6
Release date: Nov 17,
Thank You