RootKits

1. RootKits are collections of programs that an intruder would install after having gained root access. His overall goal is to hide his future activity on that system.
2. RootKits have appeared for all major OS. Occasionally, overzealous companies (e.g., Sony in 2005) have used rootkits embedded in their products in an attempt to protect their intellectual property.

1. A rootkit replaces existing and well-known programs with Trojans.
2. A rootkit would disable auditing when a certain user is logged on.
3. A rootkit would allow anyone to login if a certain backdoor password is used.
4. A rootkit could patch the kernel itself, allowing anyone to run privileged code if they use a special filename.

1. A web search can easily find the source code of many rootkits. E.g., LRK5 and Kernel Beast at http://packetstormsecurity.com/. They actually worked as rootkits at one time. But, as of 2013, these two do not compile without erros and actually work as rootkits. Nevertheless, it is worthwhile to study their source code.
2. https://github.com/milabs/awesome-linux-rootkits 2018 A list of rootkits.
3. https://github.com/chokepoint/Jynx2 2012. JynxKit2 is an LD_PRELOAD userland rootkit based on the original JynxKit. The backdoor has been replaced with an "accept()" system hook.
4. https://github.com/croemheld/lkm-rootkit 2017 An LKM rootkit for newer kernel versions.
5. https://serverascode.com/2019/05/17/install-a-rootkit-for-testing.html 2019

This lab is not scheduled for Fall 2020. But highly educational. Should we make this a "Bonus Lab"?

Objective: To experience rootkits and their detection. You will be using two machines: one for compiling fresh copies of rootkit detection packages on a clean Linux machine, another running a rooted Linux system.

1. Download onto a clean Linux machine (M1) the source code of two rootkit detection packages among many available on the net. See the Rootkit Detection section above.
2. Boot another machine (M2) from a Linux Live DVD. Corrupt this system with a rootkit. See the notes of the Source Code of Rootkits section above. Setup a new user named "intruder".
3. Login from M1 to M2 as user "intruder". Use the machine M2. Be creative.
4. Which of the activity of user intruder are you (as root on M2) able to observe with standard Unix utilities? Re-read the section "Analysis of N.F.O Incident" above.
5. Download from M1 the rootkit detection packages. Run these. Write a report on how you would clean M2 up.
6. Suppose you are the attacker. What changes would you make to M2 so that these rootkit detection tools become ineffective if they were downloaded and built on M2 instead of M1?
7. There is a possibility that you may not succeed in installing a rootkit. Even so, (attempt to) do all the rest.
8. Bonus Points: Build the rootkit LRKn, n >= 5. Websearch for it. Fix carefully so that there are no compilation errors. Explore if the two Trojans ls and ps, included in this rootkit, "do their thing." Suggest how the source code of LRKn could be revised for modern Linuxes.
9. Bonus Points: Build the rootkit KBeast (websearch) so that there are no compilation errors. Explore if it "works." Suggest how it (the source code) could be revised.
10. ./rootKitLabGS.html Grading Sheet 2013

1. Wikipedia, Rootkit, http://en.wikipedia.org/wiki/Rootkit. Required reading.
2. Greg Hoglund, James Butler, Rootkits: Subverting the Windows Kernel, 352 pages, Addison-Wesley, ISBN-10: 0321294319, 2005. A related free PDF of 240+ pages dated 2008 is http://publicintelligence.net/hbgary-windows-rootkit-analysis-report/ Highly recommended reading.
3. Dave Dittrich, "Root Kits and hiding files/directories/processes after a break-in", Date: 2002/01/05, http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq {This link is broken, but do search for it.} Recommended reading.
4. TBD https://appsec-labs.com/ReFrameworker "A Managed Code Rootkit (MCR) is deployed inside an application level virtual machine such as those employed in Java, .NET, Dalvik, Python, … ." April 2010. Recommended visit.
5. Dong-Hoon You, Android Platform Based Linux Kernel Rootkit, http://www.phrack.org/issues.html?issue=68&id=6 Phrack, 2012. Recommended Reading.
6. fG, Revisiting Mac OS X Kernel Rootkits, http://phrack.org/issues/69/7.html, 2016 Phrack, Volume 0x0f, Issue 0x45, Phile #0x07 of 0x10. Recommended Reading.
7. Alex Matrosov, Eugene Rodionov, and Sergey Bratus, Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats, January 2019, 504 pp., ISBN-13: 978-1-59327-716-1 https://nostarch.com/rootkits Recommended Reading.
8. https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 Jan 2017 Recommended Reading.
9. https://www.la-samhna.de/library/rootkits/index.html 2002 {Still good.} Recommended Reading.
10. https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf {Become familiar with balckhat.com.} Recommended Reading.
11. https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/ Sep 2019