
Phalanx – A Self-injecting Rootkit
Instructor: Dr. Harold C. Grossman
Students: Jinwei Liu & Subhra S. Sarkar

Presentation transcript

Slide 2 – Phalanx – A Self-injecting Rootkit (title slide)
Instructor: Dr. Harold C. Grossman
Students: Jinwei Liu & Subhra S. Sarkar
© 2011 Jinwei Liu & Subhra S. Sarkar

Slide 3 – Agenda
1. Introduction
2. History
3. Objectives
4. Phalanx's standing in rootkit classification
5. Features
6. Notable infections
7. Detection mechanisms
8. Prevention mechanisms
9. Availability

Slide 4 – Introduction
Phalanx is a self-injecting kernel rootkit designed to sniff user SSH credentials on the Linux 2.6 kernel branch. The rootkit uses the /dev/mem interface to inject hostile code into kernel memory and hijack system calls. Phalanx also gives the attacker continued privileged access to the compromised system while hiding its presence from administrators by subverting standard OS functionality.

Slide 5 – History
1. First surfaced in 2005
2. Originally developed by rebel (rebel@pulltheplug.org)
3. Beta 1: backdoor, file hiding, process hiding
4. Beta 2: socket hiding, improved process hiding
5. Beta 3: TTY sniffer, improved obfuscation
6. Current version: Beta 6 (with additional functionality)

Slide 6 – Objectives
The objectives of Phalanx fall into the following categories:
1. HID: user-space object hiding
2. PE: privilege escalation
3. REE: re-entry/backdoor
4. REC: reconnaissance
5. NEU: defense neutralization

Slide 7 – Phalanx's standing in rootkit classification
Rootkits can be broadly classified into the following categories:
1. Type 0 rootkit
2. Type 1 rootkit
   (a) Hooking lookup tables
   (b) Code patching
   (c) Hooking CPU registers

Slide 8 – Phalanx's standing in rootkit classification (contd.)
3. Type 2 rootkit
   (a) Kernel object hooking
   (b) Direct kernel object manipulation
4. Type 3 rootkit
   (a) Virtual machine based
   (b) Hardware-assisted virtual machine based
From the above classification it is clear that Phalanx, which patches the running kernel through /dev/mem to hijack system calls, falls into the Type 1 rootkit category.

Slide 9 – Features
1. Harvests SSH keys and other credentials.
2. Creates a hidden directory, /etc/khubd.p2 by default, for collecting user information. The directory name is sometimes changed to evade detection.
3. Uses methods to hide its running processes.
4. Does not show up in process listings from "ps" or "ls /proc"; however, its directory under /proc is still accessible.

Slide 10 – Notable infections
1. The kernel.org Linux servers used to distribute the Linux kernel image were compromised in July 2011.
2. SRFC breach at the University of Cambridge in April 2009.
3. Several attacks were launched on Linux servers in August 2008.

Slide 11 – Detection mechanisms
1. Try "cd /etc/khubd.p2": the directory can be entered even though "ls" will not list it.
2. "/dev/shm/" may contain files left by the attack.
3. Any directory named "khubd.p2" is omitted from "ls" directory listings, but the directory can still be accessed with "cd".
4. Compare the link (reference) count of /etc/ against the number of subdirectories shown by "ls"; a hidden subdirectory shows up as a discrepancy.
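The checks on the Features and Detection slides can be scripted. The following is an added example written for this transcript, not a tool from the slides or from the Phalanx authors; it assumes a Linux host with GNU coreutils (stat -c %h) and a procfs at /proc. Only the directory name /etc/khubd.p2 comes from the slides; the function names are invented here. It probes a name with stat() and compares that with what readdir() reports, compares a directory's hard-link count with the subdirectories readdir() shows, and, for the process-hiding feature, lists PIDs that are reachable under /proc but absent from "ls /proc".

```shell
#!/bin/sh
# Added example, not from the slides. Assumes Linux, GNU stat, procfs.

# Prints "hidden" when NAME exists under PARENT (stat() succeeds) but is
# absent from the readdir() output that `ls -A` produces, "visible" when
# both agree, and "absent" when the name does not exist at all.
probe_hidden_dir() {
    parent=$1
    name=$2
    if [ ! -d "$parent/$name" ]; then
        echo absent
        return 0
    fi
    if ls -A "$parent" | grep -qxF "$name"; then
        echo visible
    else
        echo hidden
    fi
}

# On ext2/3/4, XFS and tmpfs a directory's hard-link count is
# 2 + (number of immediate subdirectories): "." and the parent's entry,
# plus one ".." per subdirectory. Prints how many subdirectories the
# link count implies that readdir() does not show; 0 means they agree.
# Filesystems that do not keep this invariant (btrfs, and overlayfs in
# some configurations, report 1 for directories) get "unsupported".
hidden_subdir_count() {
    dir=$1
    nlink=$(stat -c %h "$dir")
    if [ "$nlink" -lt 2 ]; then
        echo unsupported
        return 0
    fi
    # find uses readdir() just as ls does, so a hooked getdents hides
    # the same entries from both.
    listed=$(find "$dir" -mindepth 1 -maxdepth 1 -type d | wc -l)
    echo $((nlink - 2 - listed))
}

# Prints PIDs whose /proc/PID directory is reachable with stat() but which
# "ls /proc" does not list. A PID is only reported if it is still missing
# from a second, fresh listing, so ordinary process churn between the two
# passes is not mistaken for hiding. Optional argument: highest PID to
# probe (defaults to the kernel's pid_max; probing 4 million PIDs with a
# builtin test takes some seconds).
unlisted_pids() {
    max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    listed=$(ls /proc | grep -E '^[0-9]+$')
    pid=1
    while [ "$pid" -le "$max" ]; do
        if [ -d "/proc/$pid" ] && ! printf '%s\n' "$listed" | grep -qx "$pid"; then
            if [ -d "/proc/$pid" ] && ! ls /proc | grep -qx "$pid"; then
                echo "$pid"
            fi
        fi
        pid=$((pid + 1))
    done
}

# Usage on a live host (directory name from the slides):
#   probe_hidden_dir /etc khubd.p2     # "hidden" is the Phalanx symptom
#   hidden_subdir_count /etc           # non-zero means unlisted subdirs
#   unlisted_pids                      # any output is a hidden process
```

All three functions rely on the same idea the slides use: a rootkit that filters readdir() results usually leaves stat() and path lookup alone, so a name or PID that can be reached directly but never appears in a listing is the signal. Run the checks from a trusted, statically linked shell and coreutils where possible, since a kernel-level hook applies to every process on the host.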

Slide 12 – Prevention mechanisms
1. Proactively identify and examine systems where SSH keys are used as part of automated processes.
2. Encourage users to protect their keys with passphrases.
3. Review access paths to Internet-facing systems and ensure that the systems are fully patched.

Slide 13 – Availability
Phalanx can be downloaded free of charge for educational purposes from http://packetstormsecurity.org/search/?q=phalanx
Author: rebel (rebel@pulltheplug.org)
Current version available for download: beta 6
Release date: Nov 17, 2005
