Many people have the misconception that a rootkit is a tool for gaining root privileges on a system. In fact, a rootkit is a tool attackers use to hide their traces and retain root access. Usually the attacker first gains root through a remote attack, or gains ordinary system access by guessing or cracking a password. Once inside, if root has not yet been obtained, it is obtained through some security hole. The attacker then installs the rootkit on the compromised host and afterwards regularly checks, through the rootkit's backdoor, whether other users are logged in. If nobody else is present, the attacker starts cleaning the relevant entries out of the logs. After collecting user names and passwords for other systems with the rootkit's sniffer, the attacker uses that information to break into those systems.
What is a rootkit?
Rootkits appeared in the early 1990s; the word "rootkit" first appeared in a security advisory dated 1 February 1994. That advisory is CERT-CC's CA-1994-01, titled "Ongoing Network Monitoring Attacks", last revised 19 September 1997. Since then rootkit technology has developed rapidly, its use has become ever wider, and detection has become ever harder.
By definition, a rootkit is a program whose defining property is stealth: it is detected neither statically (as a file) nor dynamically (as a process). In other words, the program may be present on our computers all along without our knowing it. This capability is exactly what many people dream of, whether computer hackers or computer forensics personnel. Hackers can plant a rootkit after an intrusion to secretly spy on sensitive information or to wait for an opportunity; forensic personnel can likewise use a rootkit to monitor a suspect's illegal activity in real time, which not only collects evidence but also helps in taking timely action.
I. Background knowledge
What we usually call computers, from supercomputers to personal PCs to smart phones, generally consist of hardware and software, and a device's intelligence is realized by its software. Of all that software, one piece is essential: the operating system. The operating system can be understood simply as a set of highly reusable core programs: on one side it manages the hardware at the bottom, on the other it provides a good running environment for the other programs on top. Although it is software like everything else, the operating system enjoys the supreme privilege: it not only manages the hardware, but all other software must obey it.
Because the operating system sits between applications and hardware, an application cannot access the hardware directly; it uses the hardware by calling the interfaces the operating system provides. In other words, the hardware is invisible to the application. Of course, nothing is absolute, and it is not impossible for an application to bypass the operating system and access the hardware directly, but it pays a high price. Imagine a developer writing a feature-rich program whose features alone are enough to give him a headache. Now he also has to worry about which data sits on which track and cluster, the binary code of a character's colour on a particular brand of display, and other tedious details, not to mention the financial and material cost; the development cycle alone would be unbearable. So today all applications access the system through the simple, clear services the operating system provides, because after all nobody wants to go looking for trouble.
II. Main functions of the kernel
From the above we know that the kernel occupies the core position in the system. Below are the main kernel functions closely related to rootkits and, more importantly, what each of them means for a rootkit:
Process management. A process can be understood simply as a running program, which occupies system resources such as memory and CPU time. Most operating systems today support multiple users and multiple tasks, meaning the system runs many programs concurrently. The kernel therefore needs not only dedicated code to allocate CPU time to processes or threads, but also a memory area holding the data structures that record the details of those processes. How does the kernel know how many processes exist and what state each is in? Through these data structures; in other words, they are the basis on which the kernel perceives processes. Consequently, as long as these data structures are modified, a process can be hidden.
File access. The file system is one of the most important services an operating system provides. Drivers in the kernel abstract the raw structure of cylinders, sectors and other device details into an easier-to-use file system and offer a consistent interface for upper-level programs to call. In other words, this code fully controls access to the hard disk. By modifying this part of the kernel, an attacker can hide files and directories.
Security control. Because multiple processes exist in the system at once, the kernel must enforce effective isolation between them to avoid conflicts. In MS Windows, for example, every process is assigned specific permissions and a separate memory range. For an attacker, then, a slight modification of the kernel code responsible for security is enough to make the whole security mechanism collapse.
Memory management. The memory management mechanism of current hardware platforms (such as Intel Pentium series processors) is very complex, and a single virtual address can be translated to several different physical addresses. For example, process A reads memory at address 0x0030030 and obtains the value "airplane", while process B reads the same address 0x0030030 and obtains the value "cannon". As noted above, it is not surprising that one address points to two different physical memory locations holding different data; the two processes simply map virtual addresses to physical addresses differently. Used well, this lets a rootkit evade debuggers and forensic software.
Having introduced the main kernel functions and their significance for rootkits, let us cut to the chase: as long as we subvert (that is, modify) the core services of the operating system, the whole system, including every application, is completely under our control. The prerequisite for subverting the kernel is getting our code into it.
Rootkits for SunOS and Linux are the most numerous (big trees attract the wind :P). A rootkit is basically a collection of several independent programs. A typical rootkit includes:
1. An Ethernet sniffer, used to capture user names, passwords and other information transmitted on the network.
2. Trojaned programs such as inetd or login, which provide a backdoor for the attacker.
3. Programs that hide the attacker's directories and processes, such as ps, netstat, rshd and ls.
4. Possibly some log cleaning tools, such as zap, zap2 or z2, which the attacker uses to delete entries about his presence from log files such as wtmp, utmp and lastlog.
5. Some sophisticated rootkits also provide telnet, shell, finger and other services to the attacker.
6. Scripts to clean up other files in the /var/log and /var/adm directories.
The attacker uses the rootkit's programs to replace the original ps, ls, netstat, df and other commands, so the administrator cannot discover the intrusion through these tools, and then uses the log cleaning tools to remove his traces from the system logs. Afterwards the attacker typically re-enters through the installed backdoor and reads the sniffer logs to launch further attacks. If the rootkit is installed correctly and the logs are cleaned sensibly, the administrator will find it hard to realize that the system has been compromised; he may not notice the disaster until the administrator of another system contacts him or the sniffer logs fill the disks. Most attackers, however, are not careful when cleaning system logs, or simply delete all of them, and an alert administrator can infer an intrusion from such anomalies. During recovery and cleanup, though, the most commonly used commands such as ps, df and ls can no longer be trusted. Many rootkits include a program called FIX: before installing the rootkit, the attacker uses it to take a snapshot of the system's binaries and then installs the replacements. FIX can forge the three timestamps (atime, ctime, mtime), date, permissions, owner and group of the replacement program to match the original. If the attacker uses these tools precisely and is careful when installing the rootkit, the administrator will find them very hard to detect.
LINUX ROOTKIT IV
As mentioned earlier, most rootkits target Linux and SunOS. Here we look at a very typical Linux rootkit, Linux Rootkit IV. Linux Rootkit IV is an open-source rootkit written by Lord Somer and released on 11 June 1998. It is not, however, the first Linux rootkit; before it came lrk, lnrk, lrk2 and lrk3. These rootkits include the common rootkit components: sniffers, log editing/deletion tools and backdoor programs.
After years of development, Linux Rootkit IV has become more and more complete, with ever more functions. Although its code base is large, it is very simple to install and use: it installs successfully simply by running make install, and the shadow-password tools are installed with make shadow install. Note: Linux Rootkit IV only works on Linux 2.x kernels. Below is a brief introduction to the tools included in Linux Rootkit IV; see the README in its distribution package for details.
Programs that hide the intruder's presence
To hide the intruder's presence, the author of Linux Rootkit IV painstakingly wrote replacements for many system commands, which are installed over the originals. These programs include:
ls, find, du
These programs suppress the display of the intruder's files and exclude them when computing occupied space. Before compiling, the intruder can set the location of his file list through ROOTKIT_FILES_FILE; the default is /dev/ptyr. Note that if the SHOWFLAG option is used at compile time, ls -/ lists all files. These programs also automatically hide any file named ptyr, hack.dir or W4r3z.
ps, top, pidof
These programs hide all processes associated with the intruder.
netstat
Hides network traffic to/from the specified IP addresses or ports.
killall
Will not kill the intruder's hidden processes.
ifconfig
If the intruder starts the sniffer, this program suppresses the PROMISC flag, making it hard for the administrator to notice that the network interface is in promiscuous mode.
crontab
Hides the attacker's crontab entries.
tcpd
Prevents certain connections from being logged.
syslogd
Filters certain connection information out of the logs.
Trojaned programs
These provide a backdoor for local users and include:
chfn
A program that escalates the privileges of ordinary local users. Run chfn; when it prompts for a new user name, entering the rootkit password grants root. The default rootkit password is satori.
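The replacements above work by lying in user space, so the defender's counter-check is to compare what those tools report with what the kernel exposes directly. The following is an added example (not part of Linux Rootkit IV or of the original article) that lists PIDs from /proc and from the ps binary and reports the difference, and reads the PROMISC bit from /sys/class/net/<iface>/flags instead of trusting ifconfig. It assumes a Linux host with /proc and /sys mounted; the function names are ours.

```python
#!/usr/bin/env python3
"""Cross-view checks for a Linux host: compare what (possibly replaced)
user-space tools report with what the kernel exposes directly.

Added example, not part of Linux Rootkit IV or of the original article.
Assumes a Linux host with /proc and /sys mounted; function names are ours.
"""
import os
import subprocess

IFF_PROMISC = 0x100  # bit set in /sys/class/net/<iface>/flags when promiscuous


def pids_from_proc():
    """PIDs as the kernel reports them via /proc (independent of the ps binary)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_ps():
    """PIDs as the ps binary reports them; a trojaned ps omits hidden processes."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_pids, ps_pids):
    """Processes visible to the kernel but missing from ps output.
    Short-lived processes can cause transient false positives; repeat the check."""
    return set(proc_pids) - set(ps_pids)


def is_promisc(flags_value):
    """Decode the hex flags string read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_value, 16) & IFF_PROMISC)


def promisc_interfaces():
    """Interfaces in promiscuous mode per the kernel, whatever ifconfig prints."""
    found = []
    for iface in os.listdir("/sys/class/net"):
        try:
            with open(f"/sys/class/net/{iface}/flags") as f:
                if is_promisc(f.read().strip()):
                    found.append(iface)
        except OSError:
            continue
    return found


if __name__ == "__main__":
    proc, ps = pids_from_proc(), pids_from_ps()
    print("PIDs hidden from ps:", sorted(hidden_pids(proc, ps)) or "none")
    print("Promiscuous interfaces:", promisc_interfaces() or "none")
```

Run it from a known-good binary (e.g. a statically linked interpreter on read-only media), since a kernel-level rootkit can also falsify /proc and /sys.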
chsh
Also a local privilege escalation program. Run chsh; when it prompts for a new shell, entering the rootkit password grants root.
passwd
Same function as the two programs above: when prompted for a new password, entering the rootkit password grants root.
login
Allows any account to log in with the rootkit password. If login as root is refused, try rewt. This program can also suppress command history recording while the backdoor is in use.
Trojaned network daemons
These programs provide a backdoor for remote users, offering inetd, rsh, ssh and other services depending on the version. With each new version the functions of Linux Rootkit IV have become more powerful and numerous. It generally includes the following network service programs:
inetd
Trojaned inetd, providing remote access to the attacker.
rshd
Provides a remote shell to the attacker, who can start a remote root shell with rsh -l <rootkit password> host.
sshd
Backdoored sshd providing ssh access to the attacker.
Utility programs
Everything not belonging to the categories above falls here; these implement remote-shell-related functions such as log cleaning, packet sniffing and port binding, and include:
fix
File attribute forgery program.
linsniffer
Packet sniffer.
sniffchk
A simple bash shell script that checks whether the sniffer is still running on the system.
wted
wtmp/utmp log editor; it can edit any wtmp or utmp file.
z2
utmp/wtmp/lastlog log cleaning tool, which deletes all entries for a given user name from utmp, wtmp and lastlog. However, the locations of the log files on your Linux system must be set by editing the source code manually.
bindshell
Binds a shell to a port (default 12497), providing shell access to remote attackers.
How to find rootkit
Obviously, the only way to keep your network free of rootkits is to make it so secure that attackers find nothing to exploit. Nobody can guarantee that, but keeping some good habits in daily network administration and maintenance can reduce the damage rootkits cause and reveal their presence in time.
First, do not transmit passwords in clear text over the network, or use one-time passwords. Then even if a rootkit has been installed on your system, the attacker cannot harvest further user names and passwords by sniffing, which stops the intrusion from spreading.
Detection tools such as Tripwire and AIDE help you discover an intrusion in time by checking the integrity of the system. Unlike other intrusion detection tools, they do not rely on so-called attack signatures; they monitor and check for changes to the system. Tripwire first builds a signature database for the files and directories to be monitored, using specific signature (hash) functions. A signature function takes an arbitrary file as input and produces fixed-size output (the signature). If an intruder modifies a file, the file's signature changes even when its size stays the same. With this database Tripwire can easily find changes in the system. Moreover, a file's signature is practically impossible to forge, so no change to the system escapes Tripwire (provided, of course, that you have configured it accurately for your system; see the related articles on this site on using Tripwire and AIDE). Finally, you must keep this signature database in a safe place.
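The signature-database approach described above, as an added example (not Tripwire's or AIDE's own code): it hashes a watched set of files into a baseline and later reports changed, missing and new files. The digest, not size or timestamps, decides, so a replacement whose attributes were forged with a tool like FIX is still caught. File paths and function names are assumptions.

```python
#!/usr/bin/env python3
"""Minimal Tripwire-style integrity checker.

Added example, not Tripwire's or AIDE's own code. Builds a baseline of SHA-256
digests (plus size, mode and mtime as supporting data) for a set of files and
reports what changed. Function names are ours; paths are whatever you pass in.
"""
import hashlib
import json
import os


def file_record(path):
    """Digest and metadata for one file. The digest is the authority: a
    replacement with the same size and forged timestamps (as lrk4's fix
    produces) still has a different digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": st.st_mode, "mtime": int(st.st_mtime)}


def build_baseline(paths):
    """Map each existing regular file to its record."""
    return {p: file_record(p) for p in paths if os.path.isfile(p)}


def save_baseline(baseline, dest):
    """Write the database; in practice keep it on read-only or offline media."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as f:
        return json.load(f)


def compare(baseline, paths):
    """Return (changed, missing, new) file lists relative to the baseline."""
    current = build_baseline(paths)
    changed = sorted(p for p in baseline if p in current
                     and current[p]["sha256"] != baseline[p]["sha256"])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return changed, missing, new


if __name__ == "__main__":
    import sys
    watched = sys.argv[1:] or ["/bin/ls", "/bin/ps", "/bin/netstat"]  # assumed paths
    db = "baseline.json"
    if not os.path.exists(db):
        save_baseline(build_baseline(watched), db)
    else:
        print(compare(load_baseline(db), watched))
```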
Rootkits are a special type of malware, special because you do not know what they are doing: they are very hard to detect and almost impossible to remove. Although detection tools keep multiplying, malware authors keep finding new ways to cover their tracks.
The purpose of a rootkit is to hide itself and other software from discovery, which it does by preventing users from identifying and removing the attacker's software. A rootkit can hide almost any software, including file servers, keyloggers, bots and remailers. Many rootkits can even hide large numbers of files, letting the attacker store many files on your computer that you cannot see.
A rootkit by itself does not disrupt the computer's operation the way viruses and worms do. The attacker identifies existing vulnerabilities on the target, such as open network ports, unpatched systems or weak administrator passwords, and after gaining access to the vulnerable system installs the rootkit manually. This stealthy attack usually does not trigger automated network security controls such as intrusion detection systems.
Rootkits are hard to find. Some software packages can detect them, falling into two categories: signature-based and behaviour-based checkers. Signature-based checkers, like most virus scanners, check whether a binary matches a known rootkit. Behaviour-based checkers look for hidden elements that betray a rootkit's main behaviour. A popular behaviour-based rootkit checker is RootkitRevealer.
Once a rootkit is found on a system, the available remedies are limited. Because rootkits hide themselves, you may not know how long one has been present or what information it has compromised. The best response to a discovered rootkit is to wipe and reinstall the system. Harsh as it is, it is the only method proven to remove a rootkit completely.
The best approach is to keep rootkits out of your system in the first place, using the same defense-in-depth strategy as against all malware that attacks computers: virus scanners, regular software updates, host and network firewalls, and a strong password policy.