We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byAlivia Mugford
Modified over 3 years ago
Phalanx – A Self-injecting Rootkit Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar
Introduction History Objectives Phalanx’s standing in Rootkit classification Features Notable infections Detection mechanisms Prevention mechanisms Availability Agenda © 2011 Jinwei Liu & Subhra S. Sarkar
Phalanx is a self-injecting kernel rootkit designed for sniffing into user SSH credentials for Linux 2.6 branches. This rootkit uses /dev/mem/ interface to inject hostile code into kernel memory and hijack system calls. Moreover, Phalanx allows continued privileged access to the compromised system while hiding its presence from administrators by subverting standard OS functionality. Introduction © 2011 Jinwei Liu & Subhra S. Sarkar
1. First surfaced in 2005 2. Originally developed by rebel (firstname.lastname@example.org) 3. Beta 1: Backdoor, file hiding, process hiding 4. Beta 2: Socket hiding, improved process hiding 5. Beta 3: TTY-Sniffer, improved obfuscation 6. Current version: Beta 6 (with additional functionalities) History © 2011 Jinwei Liu & Subhra S. Sarkar
The objectives of Phalanx fall into the following categories 1. HID: User space object hiding 2. PE: Privilege escalation 3. REE: Re-entry/backdoor 4. REC: Reconnaissance 5. NEU: Defense neutralization Objectives © 2011 Jinwei Liu & Subhra S. Sarkar
Rootkits can be broadly classified into the following categories 1. Type 0 rootkit 2. Type 1 rootkit (a) Hooking lookup Tables (b) Code patching (c) Hooking CPU registers Phalanx’s standing in rootkit classification © 2011 Jinwei Liu & Subhra S. Sarkar
3. Type 2 rootkit (a) Kernel object hooking (b) Direct kernel object manipulation 4. Type 3 rootkit (a) Virtual machine based (b) Hardware assisted virtual machine based From the above classification, its clear that Phalanx falls in Type 1 rootkit category. Phalanx’s standing in rootkit classification contd. © 2011 Jinwei Liu & Subhra S. Sarkar
1. Harvest SSH keys and other credentials 2. Creates hidden directory /etc/khubd.p2 or by some other name for collecting user information. Sometimes the directory name might be different to hide detection. 3. Uses methods to hide its running processes 4. Doesn’t show up in process listing using “ps” or ls /proc. However, it’s directory on /proc is accessible. Features © 2011 Jinwei Liu & Subhra S. Sarkar
1. Linux servers of kernel.org for distributing Linux Kernel Image were compromised in July, 2011 2. SRFC breach at University of Cambridge in April, 2009 3. Several attacks were launched in August, 2008 on servers running on Linux Notable infections © 2011 Jinwei Liu & Subhra S. Sarkar
1. Try doing “cd” inside /etc/khubd.p2 even though running “ls” command won’t list it. 2. “/dev/shm/” may contain files from attack. 3. Any directory by name “khubd.p2” is not displayed in “ls” directory listing, but the directory can be accessed using “cd” command. 4. Checking reference count in /etc/ against the number of directories shown by “ls” command. Detection mechanisms © 2011 Jinwei Liu & Subhra S. Sarkar
1. Proactively identify and examine systems where SSH keys are used as part of automated processes. 2. Encourage users to use keys with passphrases 3. Review access paths to Internet facing systems and ensure that the systems are fully patched. Prevention mechanisms © 2011 Jinwei Liu & Subhra S. Sarkar
Phalanx can be downloaded for free for educational purposes from the following URL http://packetstormsecurity.org/search/?q=phalanx Author: rebel (email@example.com) Current version available for download: beta 6 Release date: Nov 17, 2005 http://packetstormsecurity.org/search/?q=phalanx Availability © 2011 Jinwei Liu & Subhra S. Sarkar
Below is the list of references - 1. http://www.phrack.org/issues.html?issue=66&id=16 2. http://www.sophos.com/en-us/threat-center/threat-analyses/viruses- and-spyware/Troj~Phalanx2-A.aspx 3. http://www.madirish.net/?article=353 4. http://hep.uchicago.edu/admin/report_072808.html 5. http://www.us- cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attac ks 6. http://www.linuxquestions.org/questions/linux-security-4/ssh-key- based-attacks-phalanx2-rootkit-665891/ 7. http://smartech.gatech.edu/handle/1853/34844 8. http://www.cs.umd.edu/~mwh/papers/petroni07sbcfi.htmlhttp://www.phrack.org/issues.html?issue=66&id=16http://www.sophos.com/en-us/threat-center/threat-analyses/viruses- and-spyware/Troj~Phalanx2-A.aspxhttp://www.madirish.net/?article=353http://hep.uchicago.edu/admin/report_072808.htmlhttp://www.us- cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attac kshttp://www.linuxquestions.org/questions/linux-security-4/ssh-key- based-attacks-phalanx2-rootkit-665891/http://smartech.gatech.edu/handle/1853/34844http://www.cs.umd.edu/~mwh/papers/petroni07sbcfi.html References © 2011 Jinwei Liu & Subhra S. Sarkar
Thank You © 2011 Jinwei Liu & Subhra S. Sarkar
Keep Your PC Safe (Windows 7, Vista or XP) Nora Lucke 02/05/2012 Documents - security.
Litmus Learning Primer tests
The Free Software Desktop Project By: Joshua Anglero
COEN 250 Computer Forensics Unix System Life Response.
COMP1214 Systems & Platforms: Operating Systems Concepts Dr. Yvonne Howard – Rikki Prince – 1.
Operating System Structures
Thank you to IT Training at Indiana University Computer Malware.
MySQL Installation Guide. MySQL Downloading MySQL Installer.
CS426Fall 2010/Lecture 71 Computer Security CS 426 Lecture 7 Operating System Security Basics.
Cambridge Technicals Unit 12 P3 -Security risks.
Internet Information Server 6.0. IIS 6.0 Enhancements Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance.
PlanetLab What is PlanetLab? A group of computers available as a testbed for computer networking and distributed systems research.
Operating System Security : David Phillips A Study of Windows Rootkits.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il.
Security Issues and Challenges in Cloud Computing
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Windows Security and Rootkits Mike Willard January 2007.
Vijay krishnan Avinesh Dupat Collection of tools (programs) that enable administrator-level access to a computer or computer network. The main purpose.
© 2019 SlidePlayer.com Inc. All rights reserved.