a hypothetical penetration and protection of rootkit

Posted by lipsius at 2020-03-19

I've heard that there are a lot of big bulls in freebuf, and there are countless big God level hackers. I've been struggling for a long time to write an article. The level is limited and the academic level is not good. I just want to talk about rootkit with you based on some experience gained from working in the network. If there is any mistake, I hope Haihan will point out it.

This article has been written for almost a week, and then changed it intermittently for another week. Finally, I decided to send it to show my face and ask for some FB gold coins by the way.


Although the open source idea makes Linux have indestructible code, the back door may exist in an inadvertent mouse click, whether you believe it or not, but security issues affect your every day.  

White hat and black hat are like a pair of inseparable wise men. They challenge each other by asking strange problems, so as to get the fun of spirit level. Although the onlookers can see clearly, they can't feel the thrill of confrontation. So this paper will try its best to simulate a gripping hacker war with the story as the carrier for the readers.

The first chapter

1.1 know yourself and your enemy

Xiaohei is a hacker expert and can skillfully use various hacker tools. The most attractive one is the precious data and the highest root permission in Xiaobai's private server, the computer room network manager.

Xiaobai is an all-out white hat. He is usually fascinated by the research of security operation and maintenance technology. The most precious thing is his private server. He will defend it to the death to prevent others from using it.

1.2 hiding knife in smile

The tempting server wandered in Xiaohei's mind every day, and finally couldn't help but walk to Xiaobai's office and ask Xiaobai, the network manager, to check the server for any problems because he couldn't copy files from the server shared folder.

Xiaobai then comes to Xiaohei's office and tries to download the shared file. It's really useless. So he logs in to the server remotely and finds that he can't log in either... It turns out that the computer network cable is not plugged in.

In fact, Xiaohei secretly installed a keyboard recorder on his notebook, and quickly opened it to check the results, as shown in the figure below:


1.3 anti passenger

Although I was scolded as a computer idiot, I didn't care about it at all, but I was cursed and mourned after the big happiness. It turned out that it was a low authority ordinary account. It seems that the title of security expert of webmaster Xiaobai was not a false name. The management server was so careful that I didn't need to log in root everyday. Alas, I learned how to use the fortress test machine in the computer room during school time Because the process is a little complicated and not the focus of the article, the linux download right is omitted, but the video tutorial has been done. See the thanks page for details.

After the previous story, I finally want to start rootkits, the core technology of this article. In the next chapter, I will continue to discuss and analyze the combination of theory and practice with story as the carrier

2.1 introduction to tools

Now that Xiaohei has obtained the administrator's permission, the next step is to enable him to use the server for a long time, so he thought of rootkits toolset.

Rootkits is a magic weapon that allows attackers to hide their tracks and retain root access after Linux / Unix obtains root access. Usually, attackers use Rootkit's inspection system checks whether there are other users logging in. If it is only itself, the attacker starts to clean up the relevant information in the log. Through the sniffer of rootkit, users and passwords of other systems can also be obtained!

At present, commonly used are: t0rn / mafix / eyelkm, etc.

2.2 function realization

Rootkits are usually divided into application level kernel level hardware level. In the early days, rootkits were mainly used to hide backdoors by replacing system tools such as login, PS, LS, netstat or modifying system configuration files such as. Rhosts. Hardware level rootkits mainly refer to BIOS Rootkits can obtain the control right before the system is loaded. By writing a file to the disk, and then loading the file by the bootloader to regain the control right, the virtual machine technology can also be used to make the whole operating system run in the rootkit. At present, the common rootkit is the internal core level rootkit. The function of the control system is realized by directly modifying the kernel to add hidden code.

2.3 stealing beams and changing posts

The most simple and practical application level rootkit implements its functions by replacing the original commands in the system with the commands that have added the over mentioned authority code, and generally provides a cleaning tool to remove its own whereabouts in the wtmp, utmp, lastlog and other log files, and the complex rootkit can also provide services such as channel, shell and finger to attackers

3.1 Maxfix

Mafix is a commonly used lightweight application level rootkits, which allows attackers to log in remotely by forging SSH protocol vulnerabilities. It is characterized by simple configuration and user-defined authentication password and port number.

3.1.1 installation and use

Xiaohei can't suppress his excitement at this time. Download mafix and unzip it as shown:

View the help file and start the installation. The format is:. Root password port, as shown below:

Because we also need remote access in the future, we add a command to the firewall so that Xiaohei can freely travel between servers.

At this time, open putty on the small black machine, input: SSH 12345, and connect. (Figure)

And now the login account has become root

3.1.2 theoretical thinking

So let me briefly analyze how mafix realizes its functions. First, I'll look at the code in the compressed package (if it's all pasted).. It's estimated to be 8000 words, so I'll simply find a paragraph):

It is clear at this time that mafix is a typical application level rootkit, which is implemented by replacing system commands in batches. However, because a large number of system commands are to be replaced, root users are required to use it.

The above code sets the listening password according to the user's requirements, from which we can know that the password is MD5 encrypted, saved in / etc / sh.conf and write protected, as shown below.

In recent days, Xiaobai, the network manager, always received complaints that the server could not log in, and the speed of uploading and downloading files was very slow, because the traffic of the Internet suddenly soared and a large amount of data flowed into the computer room. In fact, Xiaobai also noticed that a lot of WGet commands appeared after carefully checking the history records. Click in to see that it was the company's server that downloaded the hacker tutorial. It must have been Xiaohei! You have to make up the back door before you can find him.

4.1 Rkhunter

Rkhunter, whose Chinese name is "rootkit Hunter", can find most known rootkits, some sniffers and backdoor programs. It can confirm whether the server has infected rootkits by executing a series of test scripts, such as checking the basic files used by rootkits, error file permissions of executable binary files, detecting kernel modules, etc.

4.1.1 installation and use

Xiaobai first downloads it from the network to rkhunter, and then decompresses it, as shown in the following figure

Enter the unzipped directory and perform the. – install automatic installation, as shown in the following figure:

After installation, you can use the rkhunter command. Here are some useful parameters:

Next, run rkhunter – checkall, hit enter continuously, and get the report after a few minutes, as shown in the figure:

As you can see from the report, there are many suspicious files and the rootkit types are listed.

4.1.2 in depth study

Rkhunter owns and maintains a database containing rootkit features, and then it detects rootkits in the system based on this database, so it can upgrade this database

Rkhunter writes the corresponding information to the log at the same time when checking, and prompts that its location is / var / log / rkhunter / rkhunter.log

In short, rkhunter is like our anti-virus software. It has its own virus database and compares every key command. When suspicious code is found, it will prompt the user.

4.2 Chkrootkit

Of course, if it's not authoritative to just use rkhunter to check and scan, install another check. Chkrootkit is a small and easy-to-use tool on UNIX platform that can detect a variety of rootkit intrusions. Its functions include detecting file modification, utmp / wtmp / last log modification, promiscuous interfaces, malicious kernel modules.

4.2.1 installation and use

Xiaobai first downloads the chkrootkit resource package from the network and decompresses it in the server, as shown in the following figure:

Next, use the command make sense to install the software, as shown below:

Run the command. / chkconfig | grep infeed to search for the infected file, as shown in the following figure:

4.2.2 in depth study

The above code defines the commands and tools to be checked, and users can add them by themselves.

4.3 reinforcement plan

Through the inspection of the above two tools, webmaster Xiaobai has been convinced of the fact that the server has been intruded, but has considered that the core level rootkits use LKM technology, and a large number of data in the system has been modified and the common Trojan back door has high concealment after all, in order to ensure the safety, it is necessary to redo the system.

The tool mafix used in this paper is application level rootkit, then add the LKM hiding technology of core level rootkit, the biggest feature of Trojan horse is concealment, which can't be easily detected, so hiding relevant information of Trojan horse is the key factor. For Linux operating system, there are two standards: static hiding and dynamic hiding.

Static hiding refers to the hiding of Trojan files. We can't see our Trojan server program with "LS" command. Dynamic hiding refers to the hiding of process and communication port when the Trojan is running. For example, the Trojan process cannot be found by using "PS-A" command, and the communication condition of the Trojan port cannot be displayed by using "netstat at" command.

Because of the security of Linux itself, it is impossible to hide Trojan files and processes by using shell program, so we need to modify the system call of Linux kernel to hide Trojan related information, which is LKM technology.

LKM is loadable kernel modules. These modules are originally used by Linux system to expand its functions.

When LKM is loaded into the kernel, it can modify kernel variables, reload kernel functions, and easily expand or reduce some functions of the operating system kernel. At the same time, the dynamic loading module also means that it can leave more memory for the user program. Because of these advantages, they are often used by special devices or file systems (such as sound cards, printers, etc.).

For many system calls, you don't need to hijack all of them. You just need to hijack the key system calls that the system administrator uses to view files, processes, network connections and other commands. The following analysis focuses on the key system calls intercepted by LKM backdoor during design.

Executing each command in user space is the completion of some system calls to the kernel. For example, if you use the command "LS" to view the current directory information, you will call open(), gendents64(), write(), and other system calls. If you can intercept the call write() and modify its output, the current output information is not the real system information. The biggest feature of LKM technology is to intercept and modify multiple system calls, so as to change the whole system response. See an example of intercepting a write () system call.

The netstat command is used to view the network connection status. The write() system call is used to display the command result. Before interception, the output of the command netstat – at is:

It can be seen from the output that the local IP is "", and another user with the IP of "" connects to the local computer through telnet. Now an LKM is used to intercept the write() system call. The purpose is to mask the information containing the string "", so as to realize the function of hiding the network connection. The key codes are as follows:

After loading the LKM, the write() system call is changed to new write(): judge whether the output contains the string "". If so, do nothing, otherwise return the real write() call. Now let's look at the output of the command netstat – at (as shown below):

Netstat command output after loading LKM

Hidden successfully! Check the login record of / etc / log again, and the remote login record from "" is gone.

This is the power of LKM backdoor to intercept system calls. Now no matter which command the administrator uses, as long as the command will use the write() system call, the information containing the string "" will not be displayed. This can not only hide the current network connection, but also erase the traces left in the system log after logging in.

Therefore, in the back door such as adore rootkit, the interception of the write() system call is implemented, hiding the hacker's footsteps. Of course, you can modify this output in other ways, such as changing "" to "" and any IP address you want to modify to deceive the administrator.

Safety reinforcement plan

Linux can be divided into two layers in structure, namely, kernel and off kernel program.

It is impossible for rootkits to attack and destroy the Linux kernel from the perspective of mechanism. The only thing it can use is the LKM method. Therefore, Linux backdoor detector must strictly guard this defense line to protect the system kernel from being attacked and tampered.

Then the following detection code will provide two ways to protect the kernel.

The first method can be called "single module kernel", that is, no one is allowed to load program modules into the kernel after the system is started. Although this method ensures the absolute security of the kernel, it also brings inconvenience to the expansion and development of the system functions. This "single module kernel" method is suitable for applications that are not ready for any system expansion and development.

The second method can be called "LKM with safety detection", which is suitable for the application environment of software development. The specific step is to load LKM detector for the system after the system is started, which is responsible for managing and monitoring all subsequent LKM activities.

To load a module, you must use the command insmod. By using the strace command, you will find that it uses the system call create module(). If you can intercept the system call create module(), the loading of any LKM will be controlled.

For the "single module kernel" mode, you only need to modify create ﹣ module() to an empty function. The LKM mode with safety detection needs to be modified.

Module detection mechanism of detector: record every newly loaded module

Use LKM to record the name of each newly loaded module. Experience in debugging LKM:

The file / proc / kmsg records the printk () output of all kernel modules. Consider this: intercept the create ﹐ module() system call, and let it record the module name in the file / root / log ﹐ LKM after loading each LKM. Then every move of the kernel module is monitored by the system administrator.

Here is the key code to intercept this system call:

Now load any LKM into the kernel, and record the name of this module in / root / log_lkm.

In this way, the system administrator only needs to pay attention to / root / log ﹣ LKM to find and delete any illegal LKM. The reason why it is not directly output to / proc / kmsg is that with Xiaobai's understanding of Xiaohei, we know that if he uses the core level rootkit, he will be able to check / proc / kmsg to see whether he has left footprints. If there is a record, it will be erased by other methods. After all, Xiaohei now has the highest authority of the system.

System call detection mechanism of detector: record the change of system call address

LKM backdoor tools are implemented by modifying system calls, which will inevitably lead to changes in system call addresses. By detecting the changes in these addresses, you can determine whether the system is loaded with LKM backdoor.

Before detection, the unmodified address should be saved (it may be saved in log ﹣ LKM), and then the address of all system calls should be recorded by another LKM. For comparison, the current system call address should be stored in another file log ﹣ syscall under the / root directory. The key code of LKM for recording the current system call address is as follows:

After these two lkms are loaded into the kernel, the first 240 addresses of system calls and the names of modules that are loaded later are recorded in log ﹣ LKM, and the current addresses of system calls are recorded in log ﹣ syscall. By contrast, if the address of some system calls changes, there is no doubt that the system has been loaded by the attacker (Xiaohei).

The system administrator should now analyze the record of the newly loaded module in the log? LKM file, find out which LKM caused the change of the system call address, and then determine the LKM back door module.

It should be noted that LKM backdoor tools often only modify a few key system calls. Therefore, this LKM can be simplified to detect address changes of only a few important system calls.

These important system calls are: getdents64(), kill(), read(), write(), fork(), clone(), execve(), getuid(), query_module().

Hidden mechanism of detector

In order to make the detector run more safely and effectively, it must also be hidden, that is, to hide the module itself and the file log_lkm, log_syscall.

In order for the detector to run in the kernel all the time and not be "kicked out" of the kernel due to system restart, the administrator must put the behavior of loading the detector into the system startup sequence. The simple way is to add a line in / etc / rc.local: insmod LKM. O, to realize that the LKM detector will be loaded every time the system starts.

If it's just a boring paper, it's a technical article of copying points from the network to paste in and gather words, so this paper takes an intruded story as the carrier, and the intruder Xiaohei uses the mafix tool to invade the server, while the network management Xiaobai uses two tools: rkhunter and chkrootkit