RootKits
1 Overview
- RootKits are collections of programs that an intruder would install after having gained root access. His overall goal is to hide his future activity on that system.
- RootKits have appeared for all major OS. Occasionally, overzealous companies (e.g., Sony in 2005) have used rootkits embedded in their products in an attempt to protect their intellectual property.
2 What Does a RootKit Do?
- A rootkit replaces existing and well-known programs with Trojans.
- A rootkit would disable auditing when a certain user is logged on.
- A rootkit would allow anyone to login if a certain backdoor password is used.
- A rootkit could patch the kernel itself, allowing anyone to run privileged code if they use a special filename.
3 Source Code of RootKits
- A web search can easily find the source code of many rootkits, e.g., LRK5 and Kernel Beast at http://packetstormsecurity.com/. They actually worked as rootkits at one time, but, as of 2013, these two neither compile without errors nor work as rootkits. Nevertheless, it is worthwhile to study their source code.
- https://github.com/milabs/awesome-linux-rootkits 2018 A list of rootkits.
- https://github.com/chokepoint/Jynx2 2012. JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit. The backdoor has been replaced with an "accept()" system hook.
- https://github.com/croemheld/lkm-rootkit 2017 An LKM rootkit for newer kernel versions.
- https://serverascode.com/2019/05/17/install-a-rootkit-for-testing.html 2019
3.1 How Do You Build a Pre-Written RootKit?
- Obviously, no well known distro gives you a packaged rootkit rk for you to install with apt install rk.
- There are quite a few source code releases of rootkits. Configuring them and make-ing them is non-trivial, but not a difficult task.
- As an example, study ../RootKits/rootkit-lrkiv.html. It explores an early, but capable, rootkit named Linux-Rootkit LRK4. The source of LRK5 can also be found.
3.2 RootKit Detection
- Recognizing and Recovering from Rootkit Attacks by David O'Brien, 1996. See link below. Required reading.
- There are several rootkit detection packages that are now standard in various Linux distributions. E.g., the following are in Debian/Ubuntu (as reported by the file command):
  /usr/sbin/chkrootkit: POSIX shell script, executable
  /usr/bin/rkhunter: POSIX shell script, executable
  /usr/sbin/unhide: ELF 64-bit LSB executable, x86-64
- Read http://support.kaspersky.com/5353 for a description of their rootkit detection tools on Windows.
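What unhide and chkrootkit's chkproc check can be reproduced in a few lines. The following Python script is an added example, not code from chkrootkit, rkhunter or unhide: it enumerates PIDs once through readdir() (the path ps and ls /proc use) and once through kill(pid, 0), and reports the PIDs that an LD_PRELOAD readdir() hook or a /proc filter in the kernel would hide. It assumes Linux; the thread-ID filtering and the one-second re-check are this example's own design choices.

```python
import os
import time

def pids_from_readdir():
    """PIDs the readdir() path reports: what ps and ls /proc rely on."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pids_from_kill(max_pid):
    """PIDs found with kill(pid, 0), which bypasses readdir() and /proc
    entirely; EPERM still proves the process exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            found.add(pid)
    return found

def tgid_from_proc(pid):
    """Thread-group id from /proc/<pid>/status, or None if unreadable."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def hidden_pids(readdir_view, probe_view, tgid_of):
    """PIDs the probes see but readdir() does not.  Thread IDs also answer
    kill() yet never appear in readdir(), so a pid whose Tgid is another pid
    is a thread; an unreadable status (None) keeps the pid suspect."""
    suspects = set()
    for pid in probe_view - readdir_view:
        tgid = tgid_of(pid)
        if tgid is None or tgid == pid:
            suspects.add(pid)
    return suspects

def scan():
    max_pid = int(open("/proc/sys/kernel/pid_max").read())
    first = hidden_pids(pids_from_readdir(), pids_from_kill(max_pid), tgid_from_proc)
    time.sleep(1)  # re-check so processes that exited mid-scan drop out
    return first & hidden_pids(pids_from_readdir(), pids_from_kill(max_pid), tgid_from_proc)

if __name__ == "__main__":
    print("hidden pids (kill() sees them, readdir() does not):", sorted(scan()))
```

Run it as root for a complete view; with a large pid_max each pass takes a few seconds. Because the script calls libc like any other process, a rootkit that hooks more than readdir() can also mislead it, which is why the lab builds its detection tools on the clean machine M1.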
4 A Lab on RootKits
This lab is not scheduled for Fall 2020, but it is highly educational. Should we make this a "Bonus Lab"?
Objective: To experience rootkits and their detection. You will be using two machines: a clean Linux machine for compiling fresh copies of rootkit detection packages, and another machine running a rooted Linux system.
- Download onto a clean Linux machine (M1) the source code of two rootkit detection packages among many available on the net. See the Rootkit Detection section above.
- Boot another machine (M2) from a Linux Live DVD. Corrupt this system with a rootkit. See the notes of the Source Code of Rootkits section above. Setup a new user named "intruder".
- Login from M1 to M2 as user "intruder". Use the machine M2. Be creative.
- Which of the activities of user intruder are you (as root on M2) able to observe with standard Unix utilities? Re-read the section "Analysis of N.F.O Incident" above.
- Download from M1 the rootkit detection packages. Run these. Write a report on how you would clean M2 up.
- Suppose you are the attacker. What changes would you make to M2 so that these rootkit detection tools become ineffective if they were downloaded and built on M2 instead of M1?
- There is a possibility that you may not succeed in installing a rootkit. Even so, (attempt to) do all the rest.
- Bonus Points: Build the rootkit LRKn, n >= 5. Websearch for it. Fix carefully so that there are no compilation errors. Explore if the two Trojans ls and ps, included in this rootkit, "do their thing." Suggest how the source code of LRKn could be revised for modern Linuxes.
- Bonus Points: Build the rootkit KBeast (websearch) so that there are no compilation errors. Explore if it "works." Suggest how it (the source code) could be revised.
- ./rootKitLabGS.html Grading Sheet 2013
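Much of the lab's detection and clean-up work comes down to comparing the suspect machine against a known-good reference. The following Python script is an added example, not code from any of the detection packages above: it records a manifest of the programs LRK-style rootkits replace with Trojans (ls, ps, netstat, login, ...) while the system is still clean, checks it afterwards, and also looks for /etc/ld.so.preload, the entry point of LD_PRELOAD rootkits such as Jynx2. The watched-path list and the use of ctime to date a replacement are this example's assumptions; demo() runs the check on constructed files so it works without root.

```python
import hashlib
import os
import tempfile
import time

# Programs LRK-style rootkits replace with Trojans (assumed list; extend it).
WATCHED = ["/bin/ls", "/bin/ps", "/bin/netstat", "/bin/login", "/usr/bin/top", "/usr/bin/find"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths=WATCHED):
    """Run while the system is still clean: hash and size of each program."""
    return {p: {"sha256": sha256_of(p), "size": os.path.getsize(p)}
            for p in paths if os.path.isfile(p)}

def check_manifest(manifest):
    """Run on the suspect system.  A differing hash means the program was
    replaced; ctime is reported because touch -r can reset mtime but not
    ctime, so ctime dates the replacement for the clean-up report."""
    findings = []
    for p, trusted in manifest.items():
        if not os.path.isfile(p):
            findings.append({"path": p, "problem": "missing"})
        elif sha256_of(p) != trusted["sha256"]:
            st = os.stat(p)
            findings.append({"path": p, "problem": "replaced",
                             "size_delta": st.st_size - trusted["size"],
                             "changed_at": time.ctime(st.st_ctime)})
    return findings

def preload_hook_present(path="/etc/ld.so.preload"):
    """An LD_PRELOAD rootkit such as Jynx2 enters every process via this file."""
    return os.path.isfile(path) and os.path.getsize(path) > 0

def demo():
    """Constructed stand-in for M2: fake ls and ps, then ls gets 'trojaned'."""
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
    for p, data in ((ls, b"clean ls"), (ps, b"clean ps")):
        with open(p, "wb") as f:
            f.write(data)
    manifest = build_manifest([ls, ps])
    with open(ls, "wb") as f:  # the intruder swaps in a Trojan ls
        f.write(b"trojaned ls with a hidden-file filter")
    return check_manifest(manifest)
```

On the lab machines, call build_manifest() right after booting M2 from the Live DVD (before the rootkit goes in) and save the result; after the break-in, run check_manifest() on it together with preload_hook_present(), and carry the findings into your clean-up report.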
5 References
- Wikipedia, Rootkit, http://en.wikipedia.org/wiki/Rootkit. Required reading.
- Greg Hoglund, James Butler, Rootkits: Subverting the Windows Kernel, 352 pages, Addison-Wesley, ISBN-10: 0321294319, 2005. A related free PDF of 240+ pages dated 2008 is http://publicintelligence.net/hbgary-windows-rootkit-analysis-report/ Highly recommended reading.
- Dave Dittrich, "Root Kits and hiding files/directories/processes after a break-in", Date: 2002/01/05, http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq {This link is broken, but do search for it.} Recommended reading.
- TBD https://appsec-labs.com/ReFrameworker "A Managed Code Rootkit (MCR) is deployed inside an application level virtual machine such as those employed in Java, .NET, Dalvik, Python, … ." April 2010. Recommended visit.
- Dong-Hoon You, Android Platform Based Linux Kernel Rootkit, http://www.phrack.org/issues.html?issue=68&id=6 Phrack, 2012. Recommended Reading.
- fG, Revisiting Mac OS X Kernel Rootkits, http://phrack.org/issues/69/7.html, 2016 Phrack, Volume 0x0f, Issue 0x45, Phile #0x07 of 0x10. Recommended Reading.
- Alex Matrosov, Eugene Rodionov, and Sergey Bratus, Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats, January 2019, 504 pp., ISBN-13: 978-1-59327-716-1 https://nostarch.com/rootkits Recommended Reading.
- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 Jan 2017 Recommended Reading.
- https://www.la-samhna.de/library/rootkits/index.html 2002 {Still good.} Recommended Reading.
- https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf {Become familiar with blackhat.com.} Recommended Reading.
- https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/ Sep 2019