Traditional Rootkits: An In-depth Look at Lrk4 and KNARK, Lab Reports of Electrical and Electronics Engineering

An analysis of two traditional rootkits, lrk4 and KNARK, based on a paper by John Levine and Julian Grizzard. It covers the background, installation, changes made by the rootkits, hiding techniques, and detection methods. Lrk4 allows an attacker to log onto a system using the trojan username 'rewt' and password 'satori', while KNARK is a loadable kernel module (LKM) that modifies the system call table. Both rootkits are difficult to detect and pose significant security risks.

Typology: Lab Reports

Pre 2010

Uploaded on 08/05/2009

koofers-user-0x2
Traditional Rootkits – Lrk4 & KNARK
Based on a paper by John Levine & Julian Grizzard
http://users.ece.gatech.edu/~owen/Research/Conference%20Publications/rookit_southeastcon2003.pdf
ECE 4883 Internetwork Security

Lrk4 Background
- Written by Lord Somer
- Released in November 1998
- Several more recent versions are available (lrk5 and lrk6); however, lrk4 is the most stable of them
- Updates for lrk4 are still being posted
- However, to run lrk4 it is necessary to install old libraries, since lrk4 was built against these earlier libraries

Hiding lrk4 on the system
- How do you make sure your changed binaries are not easily detected?
- Run the “fix” tool (normally comes with the rootkit)
- This changes the date of the binaries so that they look like old binaries
- Always remember to delete all source code from the system after compilation

Detecting lrk4
- The “fix” tool has a bug – it changes the date of the binary but not the size
- Any file integrity software (such as Tripwire) will catch the change in binary sizes
- The ldd command can be used to see what libraries a binary links to – this can also be used to detect a corrupted binary
- The following screenshot shows the output from running the ldd command against the normal login and the corrupted login

[Screenshot: terminal window (root@localhost.localdomain) with the ldd output for the normal and the trojaned login binaries; the output text is not recoverable from the image]

Lrk4 Code – “Rewt”

[Screenshot: XEmacs editing login.c, the fragment that builds the trojan username; transcribed from the image, with a few illegible characters read from context:]

    #endif
    int elite=0;
    char rewt[5];
    strcpy(rewt, "");
    rewt[0]='r'; rewt[1]='e'; rewt[2]='w'; rewt[3]='t'; rewt[4]='\0';
    #if defined(RADIUS) || defined(DES_RPC) || defined(KERBEROS)
    /* from pwauth.c */
    extern char *clear_pass;
    extern int wipe_clear_pass;

Lrk4 Code
- The following code allows the hacker to gain root access with the username “rewt”

Lrk4 Code – Trojan Password
- OK, so we have root being passed in … what about the password?
- The pw_auth program checks whether a user’s password is valid
- The pw_auth code is modified so that the trojan password “satori” is added to the password list
- The trojan password is stored in a seven-character array, with the values copied from the rootkit.h header file

[Screenshot: XEmacs editing login.c, the modified authentication check; transcribed from the image, with a few illegible characters read from context:]

    if (preauth_flag)
        goto auth_ok;
    elite=0;
    i=pw_auth(pwent.pw_passwd, name, reason, (char *) 0);
    if (i == 0) goto auth_ok;
    if (i==3) elite++;
    if (i==3) goto auth_ok;
    #ifdef RADIUS
    /*
     * If normal passwd authentication didn't work, try radius.
     */

Lrk4 Code – Logging Events
- So we’ve gained access to the machine … how can we make sure our activities aren’t logged?
- Check whether the user has entered the trojan password and username “rewt”
- If so, bypass logging of the activity to the SYSLOG file
- This is accomplished with the following code fragment:

[Screenshot: XEmacs editing login.c, the logging bypass; transcribed from the image, with a few illegible characters read from context:]

    if (!elite) {
        if (pwent.pw_uid == 0)
            SYSLOG((LOG_NOTICE, ROOT_LOGIN, fromhost));
        else if (getdef_bool("LOG_OK_LOGINS"))
            SYSLOG((LOG_INFO, REG_LOGIN, name, fromhost));
    } /* end elite */
    closelog();
    #ifdef RADIUS
    if (is_rad_login) {
        printf("Starting rad_login\n");
        rad_login(&rad_user_data);
        exit(0);
    }
    #endif
    shell(pwent.pw_shell, (char *) 0); /* exec the shell finally. */
    /*NOTREACHED*/
    return (0);

chkrootkit
- This is simply a script file that can be used to detect the presence of rootkits based on certain signatures
- For example, by detecting the string “root” in the login file, chkrootkit recognizes that the system has been compromised, since the original login file did not contain those strings
- Shown in the following screenshot are the results of running the chkrootkit program

[Screenshot: terminal window (root@localhost.localdomain, /mnt/floppy) with the chkrootkit output; the output text is not recoverable from the image]

Lrk4 Summary
- Lrk4 is a very powerful tool
- The trojan username and password can be used to gain root access on a system
- Not easy to get lrk4 to work sometimes – requires a degree of programming skill
- Tracks can be covered to a certain extent – however, file integrity systems will still detect that a rootkit has been installed

Installing KNARK
- KNARK is installed as a Loadable Kernel Module (LKM)
- The system must have LKM support enabled in order to be able to load KNARK
- Can be defeated if LKM support is disabled; HOWEVER, updating the system then becomes much more complicated
- The KNARK rootkit has an additional LKM module to hide the presence of KNARK from the insmod (installed module) command.

What does KNARK change?
- KNARK modifies the system call table (sys_call_table) within kernel memory by redirecting some system calls (sys_read, sys_getdents) to malicious system calls written by CREED.
- These new malicious system calls function as normal except in certain circumstances.

[Diagram: the system call table before and after KNARK. Step 1: Normal system call table – entries sys_fork(), sys_read(), sys_execve(), sys_chdir(). Step 2: Post KNARK install – the table now points at knark_fork(), knark_read(), knark_execve(), shown alongside the original sys_fork(), sys_read(), sys_execve(), sys_chdir()]

Detecting KNARK
- Cryptographic checksums of system utilities will NOT change when KNARK is installed
- It may be possible to take a cryptographic checksum of a selected region of the kernel in order to detect rootkit modification of the kernel (StMichael)
- The presence of KNARK-type rootkits can be detected by examining sys_call_table

Detecting KNARK
- The file /boot/System.map is created when the system is initially compiled
- /boot/System.map contains the correct addresses of the kernel system calls
- /boot/System.map can be archived or retrieved from a known good system for comparison
- Superuser (ROOT) privilege is required in order to read /dev/kmem (kernel memory)

Detecting KNARK using the kern_check program
- Developed by Samhain Labs
- GPL (‘free’) software
- Compares the /boot/System.map file against the system call table in kernel memory
- Will not work against later versions of Red Hat Linux 2.4 or the Linux 2.6 kernel
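The "Detecting lrk4" and chkrootkit slides make two points that are easy to show in code: a file-integrity baseline that records more than the modification date catches a trojaned binary even after the "fix" tool has reset its timestamp, and a signature scan catches the trojan strings the binary now carries. The following is an added example written for this page, not code from the slides, the Levine and Grizzard paper, Tripwire or chkrootkit. The "binaries" and the signature list (the slides' "rewt" and "satori") are constructed for the demonstration.

```python
"""Tripwire-style baseline-and-compare check plus a chkrootkit-style string scan.

Records size, mtime (nanoseconds) and SHA-256 for each monitored file, then
re-checks. lrk4's "fix" tool restores the date but not the size, so a checker
that keeps size and hash still reports the swapped binary.
"""
import hashlib
import os
import tempfile

# Signature strings from the slides' description of lrk4 (trojan user / password).
# Constructed list for the example; a real tool ships a much longer one.
SIGNATURES = [b"rewt", b"satori"]


def fingerprint(path):
    """Size, exact mtime and SHA-256 of one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def build_baseline(paths):
    """Baseline taken while the system is known good (e.g. right after install)."""
    return {p: fingerprint(p) for p in paths}


def scan_signatures(path, signatures=SIGNATURES):
    """Return the signature strings found in the file's bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return [s.decode() for s in signatures if s in data]


def compare(baseline):
    """Return {path: [findings]} for every monitored file that deviates."""
    findings = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        new = fingerprint(path)
        issues = [k for k in ("size", "mtime_ns", "sha256") if old[k] != new[k]]
        hits = scan_signatures(path)
        if hits:
            issues.append("signature:" + ",".join(hits))
        if issues:
            findings[path] = issues
    return findings


def demo():
    """Constructed scenario: 'login' is replaced and its timestamp is reset."""
    with tempfile.TemporaryDirectory() as d:
        login = os.path.join(d, "login")
        ls = os.path.join(d, "ls")
        with open(login, "wb") as f:
            f.write(b"\x7fELF original login program\n")   # constructed stand-in
        with open(ls, "wb") as f:
            f.write(b"\x7fELF original ls program\n")      # constructed stand-in
        baseline = build_baseline([login, ls])
        orig_ns = os.stat(login).st_mtime_ns

        # The binary is swapped for a larger build carrying the trojan strings...
        with open(login, "wb") as f:
            f.write(b"\x7fELF trojaned login: rewt / satori\n")
        # ...and a "fix"-like step restores the timestamp but not the size.
        os.utime(login, ns=(orig_ns, orig_ns))

        return compare(baseline)


if __name__ == "__main__":
    for path, issues in demo().items():
        print(path, "->", ", ".join(issues))
```

Note that `mtime_ns` is absent from the findings for the trojaned file: the date check alone would pass, which is exactly the gap the slides describe, while size, hash and the signature scan all fire. The unchanged `ls` produces no finding.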
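The two "Detecting KNARK" slides and the kern_check slide describe one comparison: the address of each sys_* handler recorded in /boot/System.map against the address actually sitting in the kernel's sys_call_table. The following is an added example written for this page to show that comparison logic; it is not kern_check's code or anything from the slides. Reading /dev/kmem needs root and is not done here: the System.map excerpt and the "live" table are constructed values standing in for what kern_check would read, and the syscall numbers are those of the i386 Linux 2.4 unistd.h.

```python
"""kern_check-style check of a system call table against /boot/System.map.

A System.map line is "<hex address> <type> <symbol>". For each syscall slot we
look up where System.map says the handler lives and compare it with the live
table entry. A hijacked slot points into module memory, which System.map does
not know, so the finding shows the slot as resolving to no kernel symbol.
"""

# Constructed System.map excerpt; addresses are invented for the example.
SYSTEM_MAP = """\
c0106a40 T sys_fork
c0131f30 T sys_read
c0131fd0 T sys_write
c0105f20 T sys_execve
c013a2e0 T sys_chdir
c0140a10 T sys_getdents
c0100000 A _text
"""

# Syscall number -> expected handler symbol (i386, Linux 2.4 unistd.h).
SYSCALLS = {
    2: "sys_fork",
    3: "sys_read",
    4: "sys_write",
    11: "sys_execve",
    12: "sys_chdir",
    141: "sys_getdents",
}


def parse_system_map(text):
    """Return (symbol -> address, address -> symbol) from System.map text."""
    addr_of, name_at = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        addr, _type, name = parts
        address = int(addr, 16)
        addr_of[name] = address
        name_at[address] = name
    return addr_of, name_at


def check_table(addr_of, name_at, live_table, syscalls=SYSCALLS):
    """Return [(nr, expected_symbol, live_address, resolved_symbol)] for each bad slot.

    Slots that cannot be verified (symbol missing from System.map, or slot not
    captured) are reported too, rather than silently passed.
    """
    findings = []
    for nr, sym in sorted(syscalls.items()):
        expected = addr_of.get(sym)
        live = live_table.get(nr)
        if expected is None or live is None:
            findings.append((nr, sym, live, "unverifiable"))
            continue
        if live != expected:
            resolved = name_at.get(live, "<no kernel symbol: module code?>")
            findings.append((nr, sym, live, resolved))
    return findings


def demo():
    """Constructed 'live' table: sys_read and sys_getdents redirected, as on the slides."""
    addr_of, name_at = parse_system_map(SYSTEM_MAP)
    live = {
        2: 0xC0106A40,
        3: 0xC8831200,    # redirected into module address space (constructed)
        4: 0xC0131FD0,
        11: 0xC0105F20,
        12: 0xC013A2E0,
        141: 0xC8831480,  # redirected into module address space (constructed)
    }
    return check_table(addr_of, name_at, live)


if __name__ == "__main__":
    for nr, sym, live, resolved in demo():
        print(f"syscall {nr:3d} {sym:<13} live=0x{live:08x} -> {resolved}")
```

The check is only as good as the System.map it is given, which is why the slides insist on an archived copy or one from a known good system: a rootkit that can rewrite the table can also rewrite a System.map left on the compromised host. The comparison logic itself is what the example shows; modern kernels no longer expose /dev/kmem, so the way the live table is captured has changed since kern_check was written.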