Linux Rootkits
One way an intruder can maintain access to a compromised system is by installing a rootkit.
A rootkit contains a set of tools and replacement executables for many of the operating system’s critical components, used to hide evidence of the attacker’s presence and to give the attacker backdoor access to the
system.
Rootkits require root access to to install, but once set up, the attacker can get root access back at any time.
Conventionally, UNIX and Linux have been known to have rootkits built, as the intruder is aware of the code. Here we will focus on rootkits that use the LKM or Loadable Kernel Module.
A brief review:
Rootkits appeared in the early 90’s, and one of the first advisories came out in Feb 1994. This advisory
from CERT-CC addressed “Ongoing Network Monitoring Attacks” CA-1994-01 revised on September 19, 1997.
Rootkits have increased in popularity since then and are getting increasingly difficult to detect. The most common rootkits are used for SunOS and Linux operating systems. Rootkits contain several different programs. A typical rootkit will include an Ethernet Sniffer, which is designed to sniff out passwords. Rootkits can also include Trojan programs used as backdoors such as inetd or login. Support programs such as ps, netstat, rshd, and ls to hide the attacker directories or processes.
Finally, log cleaners, such as zap, zap2, or z2, are used to remove login entries from the wtmp, utmp, and lastlog files.
Some rootkits also enable services such as telnet, shell, and finger. The rootkit may also include scripts that will clean up other files in the /var/log and var/adm directories. Using the modified programs of ls, ps, and df installed on the box, the intruder can “hide” his/her files and programs from the legitimate system administrator.
The intruder next uses programs within the rootkit to clean up the extensive log files generated from the initial
vulnerability exploitation. The intruder then uses the installed backdoor program for future access to the compromised system in order to retrieve sniffer logs or launch another attack. If a rootkit is properly installed and the log-files are cleaned correctly, a normal system administrator is unaware that the intrusion has even occurred until another site contacts him or the disks fill because of the sniffer logs.
The most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans. Loadable Kernel Modules are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation. Even if an infected system is rebooted, the LKM process will reload the Trojan during boot-up just like any other kernel module. Loadable Kernel Modules are used by many operating systems including Linux, Solaris, and FreeBSD.
The LKM rootkits facilitate the subversion of system binaries. Knark, Adore, and Rtkit are just a few of many LKM rootkits available today. As they run as part of the kernel, these rootkits are less detectable than conventional ones.
Let us see how a typical backdoor can be installed by an intruder.
The goal of backdoor is to give access to the hacker despite measures by the compromised system’s administrator, with least amount of time and visibility. The backdoor that gives local user root access can be: set uid programs, trojaned system programs, cron job backdoor.
Set uid programs. The attacker may plant some set uid shell program in the file system, which when executed will grant the root to the attacker.
Trojaned system programs. The attacker can alter some system programs, such as “login” that will give him root access. Cron job backdoor. The attacker may add or modify the jobs of the cron while his program is running so that he can get root access.
The backdoor that gives remote user root access can be: “.rhost” file ssh authorized keys, bind shell, trojaned service.
“.rhosts” file. Once “+ +” is in some user’s .rhosts file, anybody can log into that account from anywhere without
password.
ssh authorized keys. The attacker may put his public key into victims ssh configuration file “authorized_keys”, so
that he can log into that account without password.
Bind shell. The attacker can bind the shell to certain TCP port. Anybody doing a telnet to that port will have an
interactive shell. More sophisticated backdoors of this kind can be UDP based, or unconnected TCP, or even ICMP
based.
Trojaned service. Any open service can be trojaned to give access to remote user. For example, trojaned the inetd
program creates a bind shell at certain port, or trojaned ssh daemon give access to certain password.
After the intruder plants and runs the backdoor, his attention turns to hiding his files and processes. However, these can be easily detected by the system administrator – especially if the system is running tripwire.
Let us see how a LKM rootkit helps achieve the attacker’s needs.
In the case of LKM trojaned rootkits, the attacker can put LKM in /tmp or /var/tmp, the directory that the system
administrator cannot monitor. Moreover, he can effectively hide files, processes, and network connections. Since he can modify the kernel structures, he can replace the original system calls with his own version.
To hide files. Commands like “ls”, “du” use sys_getdents() to obtain the information of a directory. The LKM will
just filter out files such that they are hidden.
To hide processes. In Linux implementations, process information is mapped to a directory in /proc file system. An attacker can modify sys_getdents() and mark this process as invisible in the task structure. The normal
implementation is to set task’s flag (signal number) to some unused value.
To hide network connections. Similar to process hiding, the attacker can try to hide something inside /proc/net/tcp and /proc/net/udp files. He can trojan the sys_read () so that whenever the system reads these two files and a line matching certain string, the system call will not reveal the network connection.
To redirect file execution. Sometimes, the intruder may want to replace the system binaries, like “login”, without
changing the file. He can replace sys_execve () so that whenever the system tries to execute the “login” program,
it will be re-directed to execute the intruder’s version of login program.
To hide sniffer. Here we refer to hiding the promiscuous flag of the network interface. The system call to Trojan in
this case is sys_ioctl().
To communicate with LKM. Once the hacker has his LKM installed, he will attempt to modify some system calls
such that when a special parameter is passed, the system call will be subverted.
To hide LKM. A perfect LKM must be able to hide itself from the administrator. The LKM’s in the system are kept
in a single linked list. To hide a LKM an attacker can just remove it from the list so that command such as “lsmod”
will not reveal it.
To hide symbols in the LKM. Normally functions defined in the LKM will be exported so that other LKM can use
them. An attacker can use a macro and put it at the end of LKM to prevent any symbols from being exported.