Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013
Ch10: Remote Access Trojans and Zombie Networks
Rootkits originated in Unix and were designed to allow an unauthorized person to gain access to the superuser or domain administrator's account and hide activities.
In the Windows world a rootkit is the part of a malware package that provides stealth capabilities to its other components. In other words, rootkit functionality provides the cover required to keep the malware hidden while the malware executes its payload.
RATs and Data Stealing Trojans (DATs) must persist on a compromised computer for an extended period in order to be considered successful by the attacker, because the purpose of much malware involves the theft of sensitive data or other abuse of resources, such as click fraud. They can be written for any operating system, and any OS has vulnerabilities that can be exploited and ways to hide processes and files from common view.
Kernel-level rootkits can be found if you boot from a clean system (for example Linux, in the case of an infected Windows PC), mount the drive, and compare the set of drivers and other critical files with those of a "trusted" system.
Again, the rootkit is an old technology that started decades ago in the Unix world. At the beginning a rootkit consisted mainly of a group of trojaned Unix utilities designed to replace the standard ones included with the OS. Those trojaned utilities hid selected processes and files and provided a backdoor to root.
The initial motivation was stealing machine time, creating hidden file-sharing and IRC sites on the machines of "rich and stupid" corporations, or getting free access to a Unix OS which in old times was a pretty expensive service, like $50-$70 per hour.
As detection tools improved and integrity-based detection became mainstream, Unix rootkits gradually evolved to operate in kernel space instead of user space and started to include kernel modules that help to hide the rootkit owner's activity on the computer.
Recently rootkits became one of the most popular Trojan sets used in remote network attacks targeted against "naive" home Linux installations. See for example the following CERT advisories:
The first Linux rootkit that I encountered a decade ago was a pretty primitive set of Trojans:
du.c        - 4877 bytes (Mar 1 1994)
du5.c       - 5588 bytes (Mar 1 1994)
es.c        - 12503 bytes (Mar 1 1994)
fix.c       - 3031 bytes (Mar 1 1994)
host.c      - 1727 bytes (Mar 1 1994)
if.c        - 8583 bytes (Mar 1 1994)
ifconfig.c  - 21262 bytes (Mar 1 1994)
inet.c      - 14505 bytes (Mar 1 1994)
ipintrq.c   - 629 bytes (Mar 1 1994)
ls.c        - 17661 bytes (Mar 1 1994)
ls5.c       - 24450 bytes (Mar 1 1994)
main.c      - 6660 bytes (Mar 1 1994)
mbuf.c      - 7883 bytes (Mar 1 1994)
ns.c        - 5975 bytes (Mar 1 1994)
ps.c        - 36196 bytes (Mar 1 1994)
revarp.c    - 11161 bytes (Mar 1 1994)
But against completely incompetent sysadmins it proved to be very effective ;-).
More recently, loadable kernel modules have given rootkits somewhat more advanced capabilities, generally similar to those of the stealth viruses of the DOS era. And they face the same problem: more complex toolkits are more prone to crashes and more affected by incompatibilities between different versions of the kernel. Much like the file-virus writers of the early nineties (remember Dark Avenger and his Eddie virus ;-), those guys are not capable of doing something really interesting, but some of them are pretty clever in their own perverted way.
Here is a listing of a more recent version of this crap from Devcon 2000:
AWESOME.C            08-Sep-2000 19:27   2k
B4B0.C               08-Sep-2000 19:27   3k
BDOOR.C              08-Sep-2000 19:27   4k
BJ.TXT               08-Sep-2000 19:27   1k
BOINFO.TXT           08-Sep-2000 19:27   6k
BOWZ4P.C             08-Sep-2000 19:27   3k
BUTTSNIFF_0_9_3.ZIP  08-Sep-2000 19:27 128k
CLOAK.C              08-Sep-2000 19:27   2k
CLOAK2.C             08-Sep-2000 19:27  11k
CWHO.C               08-Sep-2000 19:27   3k
DEAD.C               08-Sep-2000 19:27   1k
DEMONKIT_1_0.TGZ     08-Sep-2000 19:27 147k
DWARF.TGZ            08-Sep-2000 19:27   5k
FAKESYSLOG.C         08-Sep-2000 19:28   3k
FIX.C                08-Sep-2000 19:28   3k
FORCE.C              08-Sep-2000 19:28   2k
FWBACKDOOR.TXT       08-Sep-2000 19:28  27k
GENERIC_BUFFER.TGZ   08-Sep-2000 19:28   5k
HIDE.C               08-Sep-2000 19:28   3k
INV.C                08-Sep-2000 19:28   1k
INVIS.C              08-Sep-2000 19:28   1k
INVISIBL.C           08-Sep-2000 19:28   1k
LE.C                 08-Sep-2000 19:28   2k
LOGIN.C              08-Sep-2000 19:28  19k
LRK4.TGZ             08-Sep-2000 19:28 879k
MARRYV11.C           08-Sep-2000 19:28  24k
MD5_TAR.Z            08-Sep-2000 19:28  34k
MME.C                08-Sep-2000 19:28   4k
NET/                 08-Sep-2000 19:27   -
NETB160.ZIP          08-Sep-2000 19:28 513k
NETBUS170.ZIP        08-Sep-2000 19:28 536k
PORTD.C              08-Sep-2000 19:28  26k
PORTMAP.C            08-Sep-2000 19:28   6k
REMOVE.C             08-Sep-2000 19:28   5k
RHCLEAN.C            08-Sep-2000 19:28   1k
ROOTKITLINUX.TGZ     08-Sep-2000 19:28  73k
ROOTKITSUNOS.TGZ     08-Sep-2000 19:28  68k
SCO_ZAP.C            08-Sep-2000 19:28   2k
SETTIME.C            08-Sep-2000 19:28   1k
SOCKET_DEMON13.ZIP   08-Sep-2000 19:28  21k
SPY.C                08-Sep-2000 19:28   3k
SSH_1_2_27_BD.DIFF   08-Sep-2000 19:28  17k
STEALTH.C            08-Sep-2000 19:28   1k
TCPB.C               08-Sep-2000 19:28   7k
TELNETD_HACKED.TGZ   08-Sep-2000 19:28 108k
TRANS.TBL            08-Sep-2000 19:28   1k
UCLOAK.C             08-Sep-2000 19:28   2k
UTMP2.PL             08-Sep-2000 19:28   1k
UTMPSPOOF.C          08-Sep-2000 19:28   2k
UTMPX.TXT            08-Sep-2000 19:28   4k
WIPE_1_00.TGZ        08-Sep-2000 19:28   4k
WZAP.C               08-Sep-2000 19:28   1k
ZAP.C                08-Sep-2000 19:28   2k
ZAPREC.C             08-Sep-2000 19:28   2k
Linux Rootkit IV comes with these Trojaned files and special utility programs (taken from the README files):
bindshell   - port/shell type daemon!
chfn        - Trojaned! User->r00t
chsh        - Trojaned! User->r00t
crontab     - Trojaned! Hidden Crontab Entries
du          - Trojaned! Hide files
find        - Trojaned! Hide files
fix         - File fixer!
ifconfig    - Trojaned! Hide sniffing
inetd       - Trojaned! Remote access
killall     - Trojaned! Wont kill hidden processes
linsniffer  - Packet sniffer!
login       - Trojaned! Remote access
ls          - Trojaned! Hide files
netstat     - Trojaned! Hide connections
passwd      - Trojaned! User->r00t
pidof       - Trojaned! Hide processes
ps          - Trojaned! Hide processes
rshd        - Trojaned! Remote access
sniffchk    - Program to check if sniffer is up and running
syslogd     - Trojaned! Hide logs
tcpd        - Trojaned! Hide connections, avoid denies
top         - Trojaned! Hide processes
wted        - wtmp/utmp editor!
z2          - Zap2 utmp/wtmp/lastlog eraser!
Later they evolved into kernel-module-based malware. Some examples of LKM rootkits are Afhrm and Synapsis.
Theoretically, integrity checkers can detect trojaned executables in non-kernel-based rootkits. Please note, however, that practice has shown that checks done with the help of "all-encompassing" Tripwire rule sets are usually ignored within a month or so (or even less) of their creation. After this period Tripwire becomes just a useless ritual that runs but that nobody looks at. I think the realistic limit for a Tripwire policy is below a hundred files. A simple Perl script can help to solve the problem of non-existent files in the standard rule base (input is the default policy source file on STDIN or as the first argument; output on STDOUT is the new policy source file):

#!/usr/bin/perl
# Comment out every policy line whose first absolute path does not exist
# on this machine, so Tripwire stops complaining about files that were
# never installed. Lines that are already comments are left alone.
while (<>) {
    # $1 is the first absolute path on the line; $` (the prematch) tells
    # us whether a '#' precedes it, i.e. the line is already commented.
    if ($_ =~ /(\/[\w\-\.\/]+)/ && !($` =~ /#/)) {
        $_ = "#$_" if (! -e "$1");
    }
    print $_;
}
More flexible integrity checkers than Tripwire are based on scripting languages. See for example Afick: a fast and portable intrusion detection and integrity monitoring system, designed to work on all platforms (it only needs Perl and standard modules), including Windows, Linux and UNIX. Its configuration syntax is very close to that of Tripwire/AIDE. Scripting-language-based integrity checkers have a better chance of providing real value in maintenance, as you can adapt them to your needs (if you are a strong C programmer you can do the same with Tripwire, but generally I recommend spending your time on other projects).
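The point above, an integrity checker small enough to adapt and to keep running over a hand-picked list of critical files, as an added example that is not part of the original page or of Afick or Tripwire. It records a SHA-256 digest and the ownership and mode bits a trojaned replacement typically disturbs, writes the snapshot to a JSON file (so it can be copied to read-only media), and later reports what no longer matches. Everything is assumed: the file names are constructed in a temporary directory and the policy list is a stand-in for the short list of binaries you would actually watch.

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, List

Record = Dict[str, object]


def file_record(path: str) -> Record:
    """Digest plus the metadata a trojaned replacement usually disturbs."""
    st = os.lstat(path)
    rec: Record = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(policy: Iterable[str]) -> Dict[str, Record]:
    """Snapshot each policy path that exists; absent paths are skipped
    rather than producing noise on every later run."""
    return {p: file_record(p) for p in policy if os.path.lexists(p)}


def save_baseline(baseline: Dict[str, Record], out_path: str) -> None:
    # Plain JSON so the snapshot can be burned to CD and diffed by hand.
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path) as f:
        return json.load(f)


def check_against(baseline: Dict[str, Record]) -> Dict[str, List[str]]:
    """Re-hash the live files and report anything that no longer matches."""
    report: Dict[str, List[str]] = {"missing": [], "changed": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.lexists(path):
            report["missing"].append(path)
            continue
        current = file_record(path)
        diffs = [k for k in expected if current.get(k) != expected[k]]
        if diffs:
            report["changed"].append(f"{path} ({','.join(diffs)})")
    return report


def demo_baseline() -> Dict[str, List[str]]:
    """Constructed scenario: three fake binaries are baselined, then one is
    replaced by same-sized content and one is deleted."""
    d = tempfile.mkdtemp()
    policy = [os.path.join(d, n) for n in ("ls", "ps", "netstat", "not-installed")]
    for p in policy[:3]:
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
        os.chmod(p, 0o755)
    snapshot = os.path.join(d, "baseline.json")
    save_baseline(build_baseline(policy), snapshot)
    with open(policy[0], "wb") as f:   # same length, different bytes: only the digest catches it
        f.write(b"trojaned ls")
    os.remove(policy[2])               # "netstat" gone entirely
    return check_against(load_baseline(snapshot))


if __name__ == "__main__":
    print(json.dumps(demo_baseline(), indent=2))
```

The size check alone would miss the replaced "ls" here, which is why the digest is recorded; conversely, keeping the policy to a few dozen paths is what keeps the report short enough that someone actually reads it.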
One typical oversight made by a lot of entry-level sysadmins is that after installing and hardening their machines they fail to create a baseline of the system configuration and burn a couple of CDs with the vital directories. Although you can use RPM for checking against a baseline, it is not that convenient. You would probably be much better off against intruders if you had a valid copy of the major /etc files (inetd.conf is often trojaned, and rc files are vulnerable too), /bin, /usr/bin and a couple of other system directories. Create several HTML pages with the typical usage of resources, ports and so on. For example, something as simple as:
netstat -a -n > /root/Baseline/netstat-baseline
can give you a reference to check against later and see whether any additional ports are open.
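Comparing a later netstat run against that saved baseline, as an added example that is not part of the original page. Both netstat outputs below are constructed samples in Linux `netstat -a -n` format (the baseline standing in for /root/Baseline/netstat-baseline); the parser keeps only sockets that accept traffic, so an established SSH session is not reported as a new port while a new listener is.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: the saved baseline taken right after hardening.
BASELINE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Constructed sample: a later run on the same host.
CURRENT_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.7:51022       ESTABLISHED
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

Socket = Tuple[str, str, int]  # (proto, local address, local port)

# proto, recv-q, send-q, local addr:port, foreign addr:port, optional state
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")


def listening_sockets(netstat_output: str) -> Set[Socket]:
    """Sockets that accept traffic: TCP only in LISTEN state, UDP always
    (UDP sockets carry no state column)."""
    found: Set[Socket] = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, UNIX-domain sockets, anything unparseable
        proto, addr, port, state = m.groups()
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        found.add((proto, addr, int(port)))
    return found


def compare_listeners(baseline: str, current: str) -> Tuple[List[Socket], List[Socket]]:
    """(newly opened, since closed) relative to the baseline run."""
    before, after = listening_sockets(baseline), listening_sockets(current)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    opened, closed = compare_listeners(BASELINE_NETSTAT, CURRENT_NETSTAT)
    print("new listeners:", opened)
    print("gone since baseline:", closed)
```

A listener that disappears is reported as well: a service that stopped answering is sometimes the first visible symptom of a trojaned daemon that was replaced and failed to start.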
But even if this is not the case, detecting a rootkit is not that difficult, and experience with DOS viruses can be quite helpful. As I mentioned before, those guys are not very original and mostly repeat the tricks of the virus writers ten years later. And actually the more they try to hide, the easier they are to detect, as in a more complex system something always goes wrong, even with a slightly different version of the kernel.
The first thing to do is to get a clean bash. One way to do it is to mount the CD-ROM with a copy of the /bin and /usr/bin trees and start a shell from there to work in. For instance:
/mnt/cdrom/bin/bash -rcfile /mnt/cdrom/etc/bashrc -noprofile -i
After that you can use find from the CD-ROM to detect suspicious files like "...". Please note that ls and find on the hard drive are usually trojaned.
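The search just described, as an added example that is not part of the original page: a walker that flags the names a trojaned ls is meant to keep out of sight, such as entries made only of dots or spaces (other than the legitimate "." and "..") or containing non-printable characters. It should itself be run from clean media, since it relies on the kernel's directory listing being honest. The directory layout is constructed in a temporary directory; all paths are assumptions.

```python
import os
import tempfile
from typing import List


def is_suspicious_name(name: str) -> bool:
    """Names chosen to vanish in a casual `ls`: only dots and/or spaces,
    or containing control characters that a terminal will not show."""
    if name in (".", ".."):
        return False
    if name and all(ch in ". " for ch in name):
        return True
    return any(not ch.isprintable() for ch in name)


def find_suspicious(root: str) -> List[str]:
    """Walk `root` and return the full paths of every suspicious entry."""
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_suspicious_name(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo_find() -> List[str]:
    """Constructed tree: a "..." directory under usr/lib, a ". " directory
    under tmp, and a file name with an embedded control character."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "usr", "lib", "..."))
    open(os.path.join(d, "usr", "lib", "libc.so"), "w").close()   # legitimate, not reported
    os.makedirs(os.path.join(d, "tmp", ". "))
    open(os.path.join(d, "tmp", "a\x01b"), "w").close()
    return [os.path.relpath(p, d) for p in find_suspicious(d)]


if __name__ == "__main__":
    for hit in demo_find():
        print(repr(hit))
```

Printing with repr() matters: the whole point of a name like "a\x01b" or ". " is that it looks ordinary when echoed raw.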
There are a couple of free rootkit detectors. I recommend chkrootkit (http://www.chkrootkit.org/), a simple script that locally checks for signs of a rootkit. It contains:
The following rootkits and worms are currently detected:
chkrootkit has been tested on: Linux 2.0.x and 2.2.x; FreeBSD 2.2.x, 3.x and 4.0; OpenBSD 2.6, 2.7 and 2.8; Solaris 2.5.1, 2.6 and 8.0. More details can be found in chkrootkit's README.
There is also a useful little daemon called "rkdet" for Linux that monitors checksums of common Trojan targets (login, ls, netstat, etc.) and can disable networking if triggered. Reporting is by email and syslog. See http://vancouver-webpages.com/rkdet/.
Normally in such cases it makes sense to create a mirror installation on a separate box and burn a couple of CDs to verify the integrity of common directories. One machine can then distribute binaries around the site. RPM has facilities for verifying that a package is not corrupt and has no components missing. A program added or replaced by a cracker will not match the original, and RPM will generally report a verification failure. For example, you can check whether ps is trojaned by verifying the package that owns it (no output means every file of the package passed):
rpm -V -f /bin/ps
This assumes that the RPM database (the files /var/lib/rpm/fileindex.rpm and /var/lib/rpm/packages.rpm) is intact.
If you are paranoid (I have never seen a trojaned rpm executable, but your mileage may vary), it is a good idea to load the rpm binary from CD or a write-protected floppy:
root# /mnt/cdrom/bin/rpm -Va
You can then pick out all the "5" lines (MD5 mismatch) to see which files were changed. Again, if you are paranoid, every time a new RPM is added to the system the RPM database needs to be burned to CD (the files /var/lib/rpm/fileindex.rpm and /var/lib/rpm/packages.rpm most likely won't fit on a single floppy; gzipped, each should fit on a separate floppy) or re-archived. Also keep in mind that it won't verify programs that RPM did not install. In future, consider keeping this (as well as the actual /bin/rpm executable) on a CD or a Zip cartridge.
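Pulling the "5" lines out of an `rpm -Va` report, as an added example that is not part of the original page or of rpm itself. The sample report is constructed; it mixes the nine-character attribute string of current rpm (with a trailing P for capabilities) with the eight-character form older versions print, plus a config file and a missing file, since those are the cases a grep for "5" gets wrong in one direction or the other.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class VerifyLine(NamedTuple):
    path: str
    attrs: str              # e.g. "S.5....T."; empty when the file is missing
    ftype: Optional[str]    # c=config d=doc g=ghost l=license r=readme; None=regular
    missing: bool


# Constructed sample in the format `rpm -Va` prints.
SAMPLE_RPM_VA = """\
S.5....T.    /bin/ls
.......T.  c /etc/inittab
S.5....T.  c /etc/inetd.conf
missing     /usr/bin/netstat
.M.......    /usr/bin/passwd
S.5....T    /sbin/ifconfig
prelink: /usr/lib/libfoo.so: not a prelinked file
"""

# S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P caps;
# '.' = test passed, '?' = test could not be performed.
ATTR_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:([cdglr])\s+)?(\S.*)$")


def parse_rpm_verify(output: str) -> List[VerifyLine]:
    """Parse verification lines; diagnostics such as prelink warnings are skipped."""
    records: List[VerifyLine] = []
    for line in output.splitlines():
        line = line.rstrip()
        m = ATTR_RE.match(line)
        if m:
            attrs, ftype, path = m.groups()
            records.append(VerifyLine(path, attrs, ftype, False))
            continue
        m = MISSING_RE.match(line)
        if m:
            ftype, path = m.groups()
            records.append(VerifyLine(path, "", ftype, True))
    return records


def digest_mismatches(output: str) -> Dict[str, List[str]]:
    """Files whose digest no longer matches the package database, split into
    binaries (a changed one is a red flag) and config files (an edited
    inetd.conf is normal, but still worth reading), plus files that are gone."""
    result: Dict[str, List[str]] = {"binaries": [], "config": [], "missing": []}
    for rec in parse_rpm_verify(output):
        if rec.missing:
            result["missing"].append(rec.path)
        elif "5" in rec.attrs:
            bucket = "config" if rec.ftype == "c" else "binaries"
            result[bucket].append(rec.path)
    return result


if __name__ == "__main__":
    for bucket, paths in digest_mismatches(SAMPLE_RPM_VA).items():
        print(f"{bucket}: {paths}")
```

/usr/bin/passwd shows only an M (mode) flag and is therefore not listed; a permission change on a setuid binary is still worth a look, which is the reason the parser keeps the full attribute string rather than just a boolean.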
There is also a bootable SuSE auditdisk with integrity-checking tools and checksums, providing a very secure method to check for damage. It ships as standard with SuSE, can easily be ported to other Linux distributions, and is GPL licensed. You can get the SuSE auditdisk from: http://www.suse.de/~marc/.
Windows rootkits were initially created as derivatives of Unix rootkits but gradually became a distinct software technology, as Windows is quite a different OS from Unix. The book Rootkits: Subverting the Windows Kernel by Greg Hoglund and James Butler (Addison-Wesley) is a good resource on this development.
An example of a modern Windows rootkit is Hacker Defender (hxdef), an open-source Windows NT/2000/XP rootkit. It is not just a proof of concept (like most rootkits); it is a full-fledged rootkit able to hide its process, port, registry entries, and files by replacing valid system calls or DLLs with trojaned ones. It can bypass some malware detection systems. Some antivirus applications, such as Kaspersky, have special detection features that help to detect and eradicate it. As the code base is old, stable and open source, other antivirus products should also be able to detect hxdef.
Advanced rootkits run as a special service (a kernel-mode driver) on Windows. Earlier Windows kernel-mode Trojans included Slanret, IERK, and Backdoor-AL.
The information below was taken from a 2012 Microsoft paper on the subject (Microsoft2012).
Win32/Alureon is a multi-component family of Trojans that is involved in a broad range of subversive activities online that generate revenue from various sources for its controllers. It contains a rootkit to hide its activities. Win32/Alureon is mostly associated with manipulating affected users' online activities to the attacker's benefit. As such, the various components of this malware family have been used to:
Win32/Alureon has been actively developed, aggressively deployed, and professionally managed by its authors for many years. The pervasiveness of its components in the wild, which other malware families often use, and its use of stealth, makes this malware family a notable threat.
Alureon has used several methods to hide its processes and other system changes, including the following:
Win32/Rustock (for detailed information about the Rustock family, download the Microsoft Malware Protection Center Threat Report – Rustock, available as battling_the_rustock_threat.pdf) is a multi-component family of rootkit-enabled backdoor trojans initially developed to aid in the distribution of "spam" email through a botnet. A botnet is a large attacker-controlled network of compromised computers. First discovered sometime in early 2006, Rustock evolved to become a prevalent and pervasive threat. Some reports suggest that at its peak, the million-strong Rustock botnet was responsible for almost 80 percent of spam traffic, sending more than 2,000 spam messages per second.
Rustock used a complex method to install its drivers to complicate its detection and removal [10]. In addition, the rootkit drivers hooked system functions to hide the rootkit and its components. This was achieved by patching the SSDT to hook ZwCreateEvent, ZwCreateKey, and ZwOpenKey. This made it possible for the rootkit drivers to filter requests containing each driver's name and return STATUS_UNSUCCESSFUL if matched, thus avoiding detection. Rustock also attempted to hide network and disk I/O operations. To achieve this, one of the rootkit's drivers hooked a set of ntoskrnl.exe and ntdll.dll APIs and then communicated directly with the NTFS file system and TCP/IP device objects (NTFS, IP, TCP, UDP, RawIP, and IPMULTICAST).
Microsoft, in conjunction with industry and academic partners, used a novel combination of legal and technical actions to take control of the Rustock botnet in March 2011 as part of Project MARS (Microsoft Active Response for Security) [11]. This action resulted in the gathering of evidence which became part of an ongoing criminal investigation [12].
Win32/Sinowal is a multi-component family of malware that attempts to steal sensitive data, such as user names and passwords for different systems. This includes attempting to steal authentication details for a variety of FTP, HTTP, and email accounts, as well as credentials used for online banking and other financial transactions. Sinowal may specifically attempt to target and replace digital certificates used by the affected user during encrypted Secure Socket Layer (SSL) transactions, thus corrupting the integrity of these communications. Sinowal may also provide backdoor functionality to the remote attacker, allowing unauthorized access and the transfer of arbitrary files. Sensitive data captured by Sinowal may also be uploaded to a website for retrieval by the attacker.
Sinowal's data-stealing payload makes its extended presence on an affected computer a key determiner of the malware's success. Sinowal thus attempts to use stealth to maintain its presence and avoid being detected while it silently gathers data and sends it to a remote attacker. Similar to Rustock, Sinowal also uses a complex method to install its drivers. The eventual effect of these machinations is that the MBR is overwritten with malicious code, and the main driver is written to the end of the physical drive [14]. With these changes in place, Sinowal can gain control of the affected system by loading its driver at an early point in the boot process.
Win32/Cutwail is a trojan that downloads and executes arbitrary files. The downloaded files may be executed from disk or injected directly into other processes. While the functionality of the downloaded files varies, Cutwail usually downloads other components that send spam. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.
Cutwail uses a kernel-mode rootkit. It installs several device drivers to hide its components from affected users. However, Cutwail not only hides itself, it can also prevent the removal of its files and registry entries. To hide and protect its registry entries, Cutwail hooks the functions ZwDeleteValueKey(), ZwEnumerateKey(), ZwEnumerateValueKey(), ZwOpenKey(), and ZwSetValueKey() in the SSDT. To protect its files on disk, it also implements a file system filter driver.
Kernel-level rootkits can be found if you boot from a clean system (for example Linux, in the case of an infected Windows PC), mount the drive, and compare the set of drivers and other critical files with those of a "trusted" uninfected system.
A very powerful strategy for the elimination of Windows rootkits is the Softpanorama Malware Defense Strategy.
There are multiple programs that try to detect the presence of a rootkit. One such program is Trend Micro RootkitBuster, available from the Trend Micro Download Center. A sample run:

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1102
| Computer Name: D620A
| OS version: 5.1-2600
| User Name: nnb
+----------------------------------------------------
--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.
--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641950674
SubKey : 001641950674
FullLength: 89
1 hidden registry entries found.
--== Dump Hidden Process ==--
No hidden processes found.
--== Dump Hidden Driver ==--
No hidden drivers found.
--== Service Win32 API Hook List ==--
No hidden operating system service hooks found.
--== Dump Hidden Port ==--
No hidden ports found.
Dr. Nikolai Bezroukov
Unix rootkits:
Linux Kernel-Level Trojan - Kernel Intrusion System (KIS) (Jul 23, 2001)
Worm Targeting Linux Could Cause Serious Damage (Mar 24, 2001)
RootPrompt.org: Cracked! Part 4: The Sniffer (May 31, 2000)
Windows malware with rootkit capabilities:
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019