Presentation is loading. Please wait.

Presentation is loading. Please wait.

Phalanx – A Self-injecting Rootkit Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar.

Similar presentations


Presentation on theme: "Phalanx – A Self-injecting Rootkit Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar."— Presentation transcript:

1

2 Phalanx – A Self-injecting Rootkit Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar

3 Introduction History Objectives Phalanx’s standing in Rootkit classification Features Notable infections Detection mechanisms Prevention mechanisms Availability Agenda © 2011 Jinwei Liu & Subhra S. Sarkar

4 Phalanx is a self-injecting kernel rootkit designed for sniffing into user SSH credentials for Linux 2.6 branches. This rootkit uses /dev/mem/ interface to inject hostile code into kernel memory and hijack system calls. Moreover, Phalanx allows continued privileged access to the compromised system while hiding its presence from administrators by subverting standard OS functionality. Introduction © 2011 Jinwei Liu & Subhra S. Sarkar

5 1. First surfaced in Originally developed by rebel 3. Beta 1: Backdoor, file hiding, process hiding 4. Beta 2: Socket hiding, improved process hiding 5. Beta 3: TTY-Sniffer, improved obfuscation 6. Current version: Beta 6 (with additional functionalities) History © 2011 Jinwei Liu & Subhra S. Sarkar

6 The objectives of Phalanx fall into the following categories 1. HID: User space object hiding 2. PE: Privilege escalation 3. REE: Re-entry/backdoor 4. REC: Reconnaissance 5. NEU: Defense neutralization Objectives © 2011 Jinwei Liu & Subhra S. Sarkar

7 Rootkits can be broadly classified into the following categories 1. Type 0 rootkit 2. Type 1 rootkit (a) Hooking lookup Tables (b) Code patching (c) Hooking CPU registers Phalanx’s standing in rootkit classification © 2011 Jinwei Liu & Subhra S. Sarkar

8 3. Type 2 rootkit (a) Kernel object hooking (b) Direct kernel object manipulation 4. Type 3 rootkit (a) Virtual machine based (b) Hardware assisted virtual machine based From the above classification, its clear that Phalanx falls in Type 1 rootkit category. Phalanx’s standing in rootkit classification contd. © 2011 Jinwei Liu & Subhra S. Sarkar

9 1. Harvest SSH keys and other credentials 2. Creates hidden directory /etc/khubd.p2 or by some other name for collecting user information. Sometimes the directory name might be different to hide detection. 3. Uses methods to hide its running processes 4. Doesn’t show up in process listing using “ps” or ls /proc. However, it’s directory on /proc is accessible. Features © 2011 Jinwei Liu & Subhra S. Sarkar

10 1. Linux servers of kernel.org for distributing Linux Kernel Image were compromised in July, SRFC breach at University of Cambridge in April, Several attacks were launched in August, 2008 on servers running on Linux Notable infections © 2011 Jinwei Liu & Subhra S. Sarkar

11 1. Try doing “cd” inside /etc/khubd.p2 even though running “ls” command won’t list it. 2. “/dev/shm/” may contain files from attack. 3. Any directory by name “khubd.p2” is not displayed in “ls” directory listing, but the directory can be accessed using “cd” command. 4. Checking reference count in /etc/ against the number of directories shown by “ls” command. Detection mechanisms © 2011 Jinwei Liu & Subhra S. Sarkar

12 1. Proactively identify and examine systems where SSH keys are used as part of automated processes. 2. Encourage users to use keys with passphrases 3. Review access paths to Internet facing systems and ensure that the systems are fully patched. Prevention mechanisms © 2011 Jinwei Liu & Subhra S. Sarkar

13 Phalanx can be downloaded for free for educational purposes from the following URL Author: rebel Current version available for download: beta 6 Release date: Nov 17, Availability © 2011 Jinwei Liu & Subhra S. Sarkar

14 Below is the list of references and-spyware/Troj~Phalanx2-A.aspx cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attac ks 6. based-attacks-phalanx2-rootkit / and-spyware/Troj~Phalanx2-A.aspxhttp://www.madirish.net/?article=353http://hep.uchicago.edu/admin/report_ htmlhttp://www.us- cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attac kshttp://www.linuxquestions.org/questions/linux-security-4/ssh-key- based-attacks-phalanx2-rootkit /http://smartech.gatech.edu/handle/1853/34844http://www.cs.umd.edu/~mwh/papers/petroni07sbcfi.html References © 2011 Jinwei Liu & Subhra S. Sarkar

15 Thank You © 2011 Jinwei Liu & Subhra S. Sarkar


Download ppt "Phalanx – A Self-injecting Rootkit Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar."

Similar presentations


Ads by Google