
Rootkits

Pat TenHoopen - WMLUG

Rootkits
July 2009

Slide 1

What is a rootkit?
A rootkit is a program that, once installed, tries to hide itself from detection. It does not grant administrative-user privileges. It has to be installed by someone with the rights to modify the file system.

Slide 2

What is a Rootkit?
The purpose or function of the rootkit will vary depending on what it was written to do. Some rootkits install keyloggers or provide back-doors for access, but in general, they provide access to the system to unauthorized users.

Slide 3

Rootkits vs Viruses
A rootkit will not normally try to spread to other systems once it is installed, unlike a virus, but it will try to maintain its control of the system. A rootkit may be installed by a virus, usually in the form of a trojan.

Slide 4

How Do Rootkits Get Installed?

Rootkits need to be installed by an administrative-level user. This can be accomplished by physical access to the system, or by the system admin unwittingly installing applications or device drivers that contain a trojan.

Slide 5

Checking For Rootkits


Checking for rootkit installers can be accomplished before the system is compromised through signature scanning of files by an anti-virus program. However, once the rootkit has been executed, the system cannot be trusted, as the rootkit goes into stealth mode and modifies the scanning results to hide itself.

Slide 6

Checking For Rootkits

For example, the rootkit will most likely modify the output of a process list so that it doesn't show itself. Likewise, a file listing will not show the rootkit's files.

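Added example (not code from the talk or from chkrootkit) of how a defender can catch the process-list tampering described above on Linux: the /proc directory listing, which is the view ps relies on, is compared with the kernel's answer to kill(pid, 0), a second view that a rootkit filtering only directory reads does not alter. The function names and the handling of threads and races are my own assumptions; a kernel-level rootkit that hooks both paths would evade this check.

```python
"""Cross-view hidden-process check (added example, not chkrootkit code).
Assumes Linux with /proc mounted; run as root to probe every PID."""
import os

def pids_from_proc():
    """PIDs visible by listing /proc: the view ps and top rely on."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def alive(pid):
    """kill(pid, 0) delivers nothing; it only asks the kernel if pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True              # exists, but owned by another user
    return True

def pids_from_probe(max_pid):
    """Second, independent view: every PID the kernel admits exists."""
    return {pid for pid in range(1, max_pid + 1) if alive(pid)}

def is_thread(pid):
    """kill() answers for thread IDs too, but /proc lists only group leaders."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            tgid = [line for line in fh if line.startswith("Tgid:")]
    except OSError:
        return False             # unreadable: cannot be excused as a thread
    return bool(tgid) and int(tgid[0].split()[1]) != pid

def hidden_pids(listed, probed):
    """Pure comparison: alive according to the probe, absent from the listing."""
    return sorted(probed - listed)

def scan(max_pid=None):
    """Live scan; a second look discounts races and threads, the classic false positives."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())     # can be 4M+: slow but thorough
    candidates = hidden_pids(pids_from_proc(), pids_from_probe(max_pid))
    listed = pids_from_proc()
    return [p for p in candidates
            if alive(p) and p not in listed and not is_thread(p)]

def self_check():
    """Sanity check on the current process: it must be alive and not a thread."""
    me = os.getpid()
    return alive(me) and not is_thread(me)
```

Call scan() from a root shell; an empty list means both views agree.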
Slide 7

Checking For Rootkits


The most effective way to check for a rootkit is to boot the system from a trusted, clean OS source (live CD) and scan the system. The rootkit isn't active at that point and can be detected either through its own files being found or through utilities and drivers being compared to clean copies. If they differ, then they are most likely compromised.

Slide 8

Detector - chkrootkit
chkrootkit
http://www.chkrootkit.org/

chkrootkit is a tool that checks for signs of a rootkit. It checks for changes in binaries, NIC promiscuous mode, lastlog deletion, log tampering, rootkit config files, and hidden processes. chkrootkit has been tested on:
Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x, 3.x and 4.x, NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X

Slide 9

Chkrootkit detection list


The following rootkits, worms and LKMs are currently detected:
lrk3, lrk4, lrk5, lrk6 (and variants); Solaris rootkit; FreeBSD rootkit; t0rn (and variants); Ambient's Rootkit (ARK); Ramen Worm; rh[67]-shaper; RSHA; Romanian rootkit; RK17; Lion Worm; Adore Worm; LPD Worm; kenny-rk; Adore LKM; ShitC Worm; Omega Worm; Wormkit Worm; Maniac-RK; dsc-rootkit; Ducoci rootkit; x.c Worm; RST.b trojan; duarawkz; knark LKM; Monkit; Hidrootkit; Bobkit; Pizdakit; t0rn v8.0; Showtee; Optickit; T.R.K; MithRa's Rootkit; George; SucKIT; Scalper; Slapper A, B, C and D; OpenBSD rk v1; Illogic rootkit; SK rootkit; sebek LKM; Romanian rootkit; LOC rootkit; shv4 rootkit; Aquatica rootkit; ZK rootkit; 55808.A Worm; TC2 Worm; Volc rootkit; Gold2 rootkit; Anonoying rootkit; Shkit rootkit; AjaKit rootkit; zaRwT rootkit; Madalin rootkit; Fu rootkit; Kenga3 rootkit; ESRK rootkit; rootedoor rootkit; Enye LKM; Lupper.Worm; shv5

Slide 10

Detector - rkhunter
Rootkit Hunter
http://www.rootkit.nl/projects/rootkit_hunter.html

Rootkit Hunter (rkhunter) is a rootkit scanning tool. It checks for changes in binaries, rootkit files, hidden files, and wrong binary permissions, among other things. It is supported on most Linux and BSD distributions, and Solaris SunOS. It is not supported on NetBSD.

Slide 11

rkhunter detection list


The following rootkits/backdoors/LKMs/worms are detected: 55808 Trojan - Variant A, ADM W0rm, AjaKit, aPa Kit, Apache Worm, Ambient (ark) Rootkit, Balaur Rootkit, BeastKit, beX2, BOBKit, CiNIK Worm (Slapper.B variant), DannyBoy's Abuse Kit, Devil RootKit, Dica, Dreams Rootkit, Duarawkz Rootkit, Flea Linux Rootkit, FreeBSD Rootkit, Fuck`it Rootkit, GasKit, Heroin LKM, HjC Rootkit, ignoKit, ImperalsS-FBRK, Irix Rootkit, Kitko, Knark, Li0n Worm, Lockit / LJK2, mod_rootme (Apache backdoor), MRK, Ni0 Rootkit, NSDAP (RootKit for SunOS), Optic Kit (Tux), Oz Rootkit, Portacelo, R3dstorm Toolkit, RH-Sharpe's rootkit, RSHA's rootkit, Scalper Worm, Shutdown, SHV4 Rootkit, SHV5 Rootkit, Sin Rootkit, Slapper, Sneakin Rootkit, Suckit, SunOS Rootkit, Superkit, TBD (Telnet BackDoor), TeLeKiT, T0rn Rootkit, Trojanit Kit, URK (Universal RootKit), VcKit, Volc Rootkit, X-Org SunOS Rootkit, zaRwT.KiT Rootkit
Others: Anti Anti-sniffer, LuCe LKM, THC Backdoor

Slide 12

Detector - OSSEC
OSSEC
http://www.ossec.net/main/

OSSEC is an Open Source Host-based Intrusion Detection System (HIDS). It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, Mac OS, Solaris, HP-UX, AIX and Windows.

Slide 13

Other Tools
These tools are meant to be run before infection, and periodically thereafter to check for system changes:

AIDE (Advanced Intrusion Detection Environment)
http://www.cs.tut.fi/~rammer/aide.html

AIDE is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more.

AFICK (Another File Integrity Checker)
http://afick.sourceforge.net/

AFICK is a security tool, very close to the well-known Tripwire. It allows you to monitor changes on your file systems, and so can detect intrusions.
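As an added illustration of the "compare utilities and drivers to clean copies" check from the live-CD slide and of what AIDE and AFICK do (example code written for this page, not taken from any of those projects): a baseline of digests and metadata is recorded while the system is known clean, and a later snapshot is diffed against it. The demo() scenario, its file names and contents are constructed assumptions.

```python
"""Minimal file-integrity baseline in the spirit of AIDE/AFICK/Tripwire
(added illustration, not code from any of those projects)."""
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """SHA-256 plus the metadata a replaced binary usually disturbs."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def snapshot(root):
    """Relative path -> fingerprint for every regular file below root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):  # skip symlinks, devices
                snap[os.path.relpath(full, root)] = fingerprint(full)
    return snap

def compare(baseline, current):
    """Files added, removed, or whose recorded attributes no longer match."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k, v in baseline[rel].items() if current[rel].get(k) != v]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}

def demo():
    """Constructed scenario: clean tree, then a replaced binary, a dropped-in file and a deletion."""
    root = tempfile.mkdtemp()
    for name in ("ls", "ps"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"clean " + name.encode())
    baseline = snapshot(root)   # taken while clean; in practice stored read-only or off-box
    with open(os.path.join(root, "ps"), "wb") as fh:
        fh.write(b"trojaned ps that filters its own output")
    open(os.path.join(root, "rk.ko"), "wb").close()
    os.remove(os.path.join(root, "ls"))
    return compare(baseline, snapshot(root))
```

Run the comparison from a clean boot medium against a baseline stored off the suspect disk; a baseline kept on the compromised host can be edited by the same rootkit that replaced the binaries.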
Slide 14

Removal
What do you do if a checker finds a rootkit or you suspect you have one?

Easy way: Reformat and reinstall the OS.

Hard way: Boot with a clean, read-only copy of an OS (via live CD, etc.) and remove the infected files manually.

Slide 17

More Info on Rootkits

For more information, see:

http://linuxhelp.blogspot.com/2006/12/various-ways-of-detecting-rootkits-in.html

http://en.wikipedia.org/wiki/Rootkit

Slide 18

Conclusion
A binary's download source/repository should be verified as legitimate and the files checked with an anti-virus/rootkit scanner before installation. Physical security of a system is also vital. Although rootkits may not be extremely prevalent, using a rootkit checker along with a file integrity checker should be considered good practice.

Slide 19

Questions?

Slide 20

Thank You

Thank you for your time and attention!

Slide 21
