We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byAlivia Mugford
Modified about 1 year ago
Phalanx – A Self-injecting Rootkit Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar
Introduction History Objectives Phalanx’s standing in Rootkit classification Features Notable infections Detection mechanisms Prevention mechanisms Availability Agenda © 2011 Jinwei Liu & Subhra S. Sarkar
Phalanx is a self-injecting kernel rootkit designed for sniffing into user SSH credentials for Linux 2.6 branches. This rootkit uses /dev/mem/ interface to inject hostile code into kernel memory and hijack system calls. Moreover, Phalanx allows continued privileged access to the compromised system while hiding its presence from administrators by subverting standard OS functionality. Introduction © 2011 Jinwei Liu & Subhra S. Sarkar
1. First surfaced in Originally developed by rebel 3. Beta 1: Backdoor, file hiding, process hiding 4. Beta 2: Socket hiding, improved process hiding 5. Beta 3: TTY-Sniffer, improved obfuscation 6. Current version: Beta 6 (with additional functionalities) History © 2011 Jinwei Liu & Subhra S. Sarkar
The objectives of Phalanx fall into the following categories 1. HID: User space object hiding 2. PE: Privilege escalation 3. REE: Re-entry/backdoor 4. REC: Reconnaissance 5. NEU: Defense neutralization Objectives © 2011 Jinwei Liu & Subhra S. Sarkar
Rootkits can be broadly classified into the following categories 1. Type 0 rootkit 2. Type 1 rootkit (a) Hooking lookup Tables (b) Code patching (c) Hooking CPU registers Phalanx’s standing in rootkit classification © 2011 Jinwei Liu & Subhra S. Sarkar
3. Type 2 rootkit (a) Kernel object hooking (b) Direct kernel object manipulation 4. Type 3 rootkit (a) Virtual machine based (b) Hardware assisted virtual machine based From the above classification, its clear that Phalanx falls in Type 1 rootkit category. Phalanx’s standing in rootkit classification contd. © 2011 Jinwei Liu & Subhra S. Sarkar
1. Harvest SSH keys and other credentials 2. Creates hidden directory /etc/khubd.p2 or by some other name for collecting user information. Sometimes the directory name might be different to hide detection. 3. Uses methods to hide its running processes 4. Doesn’t show up in process listing using “ps” or ls /proc. However, it’s directory on /proc is accessible. Features © 2011 Jinwei Liu & Subhra S. Sarkar
1. Linux servers of kernel.org for distributing Linux Kernel Image were compromised in July, SRFC breach at University of Cambridge in April, Several attacks were launched in August, 2008 on servers running on Linux Notable infections © 2011 Jinwei Liu & Subhra S. Sarkar
1. Try doing “cd” inside /etc/khubd.p2 even though running “ls” command won’t list it. 2. “/dev/shm/” may contain files from attack. 3. Any directory by name “khubd.p2” is not displayed in “ls” directory listing, but the directory can be accessed using “cd” command. 4. Checking reference count in /etc/ against the number of directories shown by “ls” command. Detection mechanisms © 2011 Jinwei Liu & Subhra S. Sarkar
1. Proactively identify and examine systems where SSH keys are used as part of automated processes. 2. Encourage users to use keys with passphrases 3. Review access paths to Internet facing systems and ensure that the systems are fully patched. Prevention mechanisms © 2011 Jinwei Liu & Subhra S. Sarkar
Phalanx can be downloaded for free for educational purposes from the following URL Author: rebel Current version available for download: beta 6 Release date: Nov 17, Availability © 2011 Jinwei Liu & Subhra S. Sarkar
Below is the list of references and-spyware/Troj~Phalanx2-A.aspx cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attac ks 6. based-attacks-phalanx2-rootkit / and-spyware/Troj~Phalanx2-A.aspxhttp://www.madirish.net/?article=353http://hep.uchicago.edu/admin/report_ htmlhttp://www.us- cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attac kshttp://www.linuxquestions.org/questions/linux-security-4/ssh-key- based-attacks-phalanx2-rootkit /http://smartech.gatech.edu/handle/1853/34844http://www.cs.umd.edu/~mwh/papers/petroni07sbcfi.html References © 2011 Jinwei Liu & Subhra S. Sarkar
Thank You © 2011 Jinwei Liu & Subhra S. Sarkar
LKM Rootkits Instructor: Dr. Harold C. Grossman Student: Subhra S. Sarkar.
Linux Kernel Rootkits Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar.
COEN 250 Computer Forensics Unix System Life Response.
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
Vijay Krishnan Avinesh Dupat. A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Security Issues and Challenges in Cloud Computing Lambu Akhila Reddy CSC 557.
LINUX ROOTKITS Chirk Chu Chief Security Officer University of Alaska Statewide System Information Technology Services.
Vijay krishnan Avinesh Dupat Collection of tools (programs) that enable administrator-level access to a computer or computer network. The main purpose.
Operating System Security : David Phillips A Study of Windows Rootkits.
Keep Your PC Safe (Windows 7, Vista or XP) Nora Lucke 02/05/2012 Documents - security.
Operating System Structures. Common System Components Due to the complex nature of the modern operating systems, it is partitioned into smaller component.
UNIT 12 P3 -SECURITY RISKS Cambridge Technicals. P3 Hacking Hacking This document will provide you with information about what is meant by “hacking”.
The Free Software Desktop Project By: Joshua Anglero
Lecture 02 File and File system. Topics Describe the layout of a Linux file system Display and set paths Describe the most important files, including.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host Host In networking, a host is any device that has an IP address. Hosts include.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
KFSensor Honeypot and Intrusion Detection System Sunil Gurung [60-475] Security and Privacy on the Internet.
A presentation by John Rowley for IUP COSC 356 Dr. William Oblitey Faculty member in attendance.
1 What is a Kernel The kernel of any operating system is the core of all the system’s software. The only thing more fundamental than the kernel is the.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
R. FRANK NIMS MIDDLE SCHOOL A BRIEF INTRODUCTION TO VIRUSES.
APT29 HAMMERTOSS JAYAKRISHNAN M. CONTENTS What is APT? Who is APT29? Introduction to Hammertoss 5 Stages of Hammertoss Detection and Prevention Conclusion.
Attack Plan Alex. Introduction This presents a step-by-step attack plan to clean up an infected computer This presents a step-by-step attack plan to clean.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Countering Kernel Rootkits with Lightweight Hook Protection Presented by: Hector M Lugo-Cordero, MS CAP 6135 March 24, 2011.
CS 1308 Computer Literacy and the Internet. Introduction Von Neumann computer “Naked machine” Hardware without any helpful user-oriented features.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.
COMP1214 Systems & Platforms: Operating Systems Concepts Dr. Yvonne Howard – Rikki Prince – 1.
Thank you to IT Training at Indiana University Computer Malware.
Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il.
Code Injection From the Hypervisor: Removing the need for in-guest agents Matt Conover Principal Software Engineer Core Research Group, Symantec Research.
Protecting Your Computer & Your Information. Threats Virus Worm Trojan horse Rootkits Blended methods Spyware & Malware All of the threat can have varying.
MySQL Installation Guide. MySQL Downloading MySQL Installer.
Linux Operations and Administration Chapter Nine Installing Software Packages.
Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
By Jeerarat Boonyanit. As you can see I have chosen Cpanel for my server management tool. cPanel is a Linux based web hosting control panel that provides.
Internet Information Server 6.0. IIS 6.0 Enhancements Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance.
Protecting The Kernel Data through Virtualization Technology BY VENKATA SAI PUNDAMALLI id :
Omar Hemmali CAP 6135 Paul Barford Vinod Yegneswaran Computer Sciences Department University of Wisconsen, Madison.
CS470, A.SelcukThe Big Picture1 The Big Picture Practical, Economic, Legal Considerations CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin.
Introduction to Linux ( I ) Sidney Fong 4 th Feb 2006.
PlanetLab What is PlanetLab? A group of computers available as a testbed for computer networking and distributed systems research.
Rootkits. EC-Council The Problem Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Securing Distributed Systems with Information Flow Control.
© 2017 SlidePlayer.com Inc. All rights reserved.