Open source release takes Linux rootkits mainstream in All Things Unix

Open source release takes Linux rootkits mainstream in All Things Unix http://www.dslreports.com/forum/r21063115 en Wed, 11 Nov 2009 03:33:00 EDT Wed, 11 Nov 2009 03:33:00 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21077752 BeesTea : This is defendable, even from root, by removing the kernel module loader support from the kernel. Presumably this can be easily modified to allow insertion directly into kmem as well. For that, you'd need stricter access control on the kmem device. Using something like SELinux, GRSecurity, or RSBAC could allow you to protect yourself from that attack vector as well.
--
Overpower, overcome.]]> http://www.dslreports.com/forum/remark,21077752 Mon, 08 Sep 2008 17:53:25 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21077217 Maxo :

said by SUMware

:

It would also somehow need to be installed by root.

Anything is possible once you've given untrusted code root access, so I don't see myself fearing much.]]> http://www.dslreports.com/forum/remark,21077217 Mon, 08 Sep 2008 16:06:51 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21072547 a333 :

said by dave

:

I'm pretty sure that when Windows gets attacked, kernel developers and other security experts will analyze the code and will try to make future kernel more resistant against such rootkits.

Oh, I doubt my post was "vacuous" or irrevalent in any way. As per the above quote, you stated that you're sure that Windows developers would improve and secure their kernel in the event of new exploits. If that were the case, Windows would become more secure with each release/patch it released . However, we all have seen that security on Windows isn't something to be particularly proud about. That clearly raises questions as to Microsoft's priorities...
Thus, my post was quite on topic, as far as replying to yours was concerned.
]]> http://www.dslreports.com/forum/remark,21072547 Sun, 07 Sep 2008 18:52:29 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21072374 sporkme :

said by SUMware

:

o Get a remote MOSDEF Node (via hidden userland-backdoor)

What does he have to do with all this?
--
with every mistake we must surely be learning

I've got mad nodes...

]]> http://www.dslreports.com/forum/remark,21072374 Sun, 07 Sep 2008 18:22:27 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21071286 dave :

said by a333

:

If what you said actually played out in the real world, Windows wouldn't have created a multibillion-dollar antivirus software industry. By your logic, each release of Windows would be significantly safer, and by now, the need for AV S/W would be close to nil. Also, malware devs/ script kiddies would give up writing viruses for Windows, and move on to an easier platform...

Please read.

I'm commenting on what was actually written, which was solely about whether kernel developers and security experts will look at the kernel code.

Amongst the things not mentioned, and therefore not commented-on by me, were:

1) How many people

2) How skilled they might be

3) Whether the results would be better or worse

4) Which kernel is 'better'

5) Which development methodology is better

6) Anti-virus software in general

7) Whether A-V software is useful or snake oil

8) Whether script kiddies target 'easy' or 'ubiquitous' targets

9) Whether nil

is close to the need for A-V

You may have opinions on all these things, and so might I, but they were not mentioned in Brano

's post and therefore not relevant to my reply to that post. The point under discussion is whether kernel developers and security experts look at kernel code after hearing about a kernel rootkit affecting that code.

If you'd care to discuss what I actually wrote, we can carry on. Although this is certainly a tedious elaboration on what was essentially a flippant post by me, whose gist was intended to be 'you really ought to read what you wrote, because it is vacuous'. ]]> http://www.dslreports.com/forum/remark,21071286 Sun, 07 Sep 2008 14:15:29 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21071171 a333 : If what you said actually played out in the real world, Windows wouldn't have created a multibillion-dollar antivirus software industry. By your logic, each release of Windows would be significantly safer, and by now, the need for AV S/W would be close to nil. Also, malware devs/ script kiddies would give up writing viruses for Windows, and move on to an easier platform... ]]> http://www.dslreports.com/forum/remark,21071171 Sun, 07 Sep 2008 13:52:15 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21069693 Feral Kid : It sounds all scary and everything but how would I actually get this thing to infect me?

p.s. it's just a general reply, not specifically to SUMware (sorry first post)]]> http://www.dslreports.com/forum/remark,21069693 Sun, 07 Sep 2008 04:22:05 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21069008 dave : What has that got to do with anything? The subject was whether kernel programmers and security experts look at the affected kernel software after rootkits are published.]]> http://www.dslreports.com/forum/remark,21069008 Sat, 06 Sep 2008 23:20:13 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21068950 a333 : I'm quite sure that's why Windows has helped created a billion-dollar antivirus software market, and a wide array of exploits that grow by the 100's as we speak...]]> http://www.dslreports.com/forum/remark,21068950 Sat, 06 Sep 2008 23:07:36 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21068051 dave :

said by Brano

:

Not to undermine the seriousness of this, but since it's open source one can be sure that kernel developers and other security experts will analyze the code and will try to make future kernel more resistant against such rootkits.
Open source works both ways ;)

I'm pretty sure that when Windows gets attacked, kernel developers and other security experts will analyze the code and will try to make future kernel more resistant against such rootkits.]]> http://www.dslreports.com/forum/remark,21068051 Sat, 06 Sep 2008 12:40:06 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21068032 dave : The 'new thing' in this kit is used of the hardware debug registers.

You're familiar with attacks such as hooking the system call table? This has heretofore been done by planting instructions in said table, to revector control to where we want it to go.

That's how we used to do software debugging.

However, a better approach (less fussing around rewriting pieces of the code under test) relies on hardware support. Instead of modifying the instruction at address N, for example, you set up debug registers to say 'issue a trap when you are about to execute the instruction at address N'.

You can also do things like 'trap when any instruction tries to read or write address N', which is a lot more convenient than doing the same thing by software manipulation of page tables.

OK, so here's some guesswork on my part about what this new approach does:

It substitutes 'patching dispatch tables' with 'setting up debug registers to achieve the same thing'. This is a good idea, since it's less invasive, and presumably therefore less easy to detect.

I imagine that the rest of it, while fearsome, is 'standard rootkit stuff'. You could do that with any method that allows you to grab control at suitably-chosen points in execution.

One can infer all this from, basically, this single paragraph:

quote:
DR features a reference implementation of a IA32 debug register based rootkit hooking engine. It does not modify IDT or syscall_table at all but still provides transparent syscall hooking on IA32 Linux 2.6.

Lest you misunderstand my first post, I was criticizing the reporter's use of garbage phrases like 'burrowing deep inside the processor'. This is not rocket science. It is (AFAIK) using documented processor facilities in the manner in which they were intended to be used. The new insight is that debugging and call-trapping for rootkits are the same thing.]]> http://www.dslreports.com/forum/remark,21068032 Sat, 06 Sep 2008 12:33:57 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21067387 SUMware :

said by dave

It's notable because it cloaks itself by burrowing deep inside a server's processor

Wow! Burrowing deep inside a server's processor! Sounds really hardcore. I wonder what they mean?

and availing itself of debugging mechanisms available in Intel's chip architecture.

Oh, you mean it 'executes instructions' and 'writes to registers'. Wow indeed!

Excerpted from: »seclists.org/dailydave/2008/q3/0215.html

From: Bas Alberts
Date: Wed, 03 Sep 2008 16:32:54 -0400

Currently the rootkit can:

o Hide processes
o Hide network sockets
o Hide files
o Get a remote MOSDEF Node (via hidden userland-backdoor)

The major benefit of the DR rootkit is that all this happens transparently to the end user. The children of a hidden process are also automatically hidden. The sockets a hidden process creates are also hidden. But if you are a hidden process, you can see hidden resources. This makes the DR rootkit nicely manageable.

DR loads via insmod - we've tested the rootkit on a number of Linux distributions including CentOS and Ubuntu.

About
=====

DR features a reference implementation of a IA32 debug register based rootkit hooking engine. It does not modify IDT or syscall_table at all but still provides transparent syscall hooking on IA32 Linux 2.6.

Features
========

SystemCall hooking without modifying IDT, or syscall_table, at all. Not even for a milisecond(tm). Using hardware execute and read breakpoints.

Details
=======

DR places a hardware breakpoint on the syscall handler, and the resulting trap places a memory watch on the syscall_table entry for the __NR_syscall of the intercepted syscall. It does this for both INT 0x80 and sysenter based system calls.

When the memory watch for the syscall_table entry kicks in, the trap handler then redirects execution for that syscall to a syscall hook.

Example Flow
============

Execute global breakpoint on syscall handler in dr0, syscall is called, breakpoint kicks in. Modified do_debug handler places global read watch on syscall_table[__NR_syscall]. When syscall is called, memory access breakpoint kicks in. Modified do_debug handler places function pointer to hooked syscall in task regs eip. Execution is redirected to hooked syscall. Repeat.

[ 864.447800] ******* LOADING IA32 DR HOOKING ENGINE *******
[ 864.447868] *** loader: handler for INT 128: C0104210
[ 864.447923] *** loader: syscall_table: C02FC540
[ 864.447934] *** loader: syscall_call call *table(,eax,4): C010424B
[ 864.447952] *** loader: handler for INT 1: C02F4360
[ 864.448085] *** loader: INT 1 handler patched to use __my_do_debug
[ 864.448165] *** loader: initialized hook_table
[ 864.448199] *** loader: systenter_entry call *table(,eax,4): C01041CB
[ 871.592214] *** dr0/dr1 trap: setting read watch on syscall_NR of 220 at C02FC8B0
[ 871.598191] *** got dr2 trap (syscall_table watch)
[ 871.598723] *** hooked __NR_220 to E0AC7350

Using the memory watch approach, one does not have to modify IDT or syscall_table ever. This is an original approach, but considering we _are_ the debugger .. one could dream up a million other viable and fruitful solutions to non-memory modifying DR rootkits.

Limitations
===========

This is a reference implementation. A lot more can be done to actually be hidden. Production code will include kmalloc based non-LKM code handling. Full Global Detect debug register access detection support, and additional memory watching for the debug ENTRY call offset patch.

Additional testing is required to check for scheduler issues and other racy problems. This reference implementation is intended as a case study into the general rootkit approach now that the cat is out of the bag.

The provided example hooks serve as a basic example rootkit known to suffer the following limitations:

Detection
=========

In it's current form there is no prevention of someone else accessing the debug registers. This could be easily added with GD access flag control, however this is left as an exercise to the reader.

Furthermore this module behaves like a normal LKM in that is has symbols and is resident in memory like a normal LKM. This can be bypassed by porting the module init to a kmalloc based loading logic. To be added in v0.2.

- - Detection via module based symbols
- - Detection via granted access to hardware debug registers
- - Detection via timing logic
- - Detection via open("/proc/hiddenpid/stat"); success

Adding/Changing hooks
=====================

All hooks are defined in hooktable.h. A good example template is the hook_example_exit function. Once a hook is added to the global hook table, it will be automagically used by the hooking engine.

10 asmlinkage static void hook_example_exit(int status);

...

149 asmlinkage /* required: args passed on stack to syscall */
150 static void hook_example_exit(int status)
151 {
152 /* standard hook prologue */
153 asmlinkage int (*orig_exit)(int status);
154 void **sys_p = (void **)sys_table_global;
155 orig_exit = (int (*)())sys_p[__NR_exit];

...

167 else
168 return orig_exit(status);
169 }

You then initialize this function in the global hook_table as such:
121 hook_table[__NR_exit] = (void *)hook_example_exit;

The hooking engine was designed to be very friendly and open to modification/extension. It was designed to provide a more current hooking engine for existing sycall_table based rootkit logic. All rootkit specific logic lives in hooktable.h.

Todo
====

- - move to kmalloc based init loader, -EINVAL return
- - improve hooks to do proper '/proc' and getdents handling
- - move /proc handling to inode based checks
- - instruction emulation for outside debug register access GD stylee

Credits
=======

The debug register based hooking engine was written by Bas Alberts, all additional hooks contained in hooktable.h, besides the example hook_exit were written by Daniel Palacio.
**************
Edit:
Pierre Falda posted additional comments here.
Joanna Rutkowska posted additional comments here.]]> http://www.dslreports.com/forum/remark,21067387 Sat, 06 Sep 2008 09:43:22 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21067293 Brano : Not to undermine the seriousness of this, but since it's open source one can be sure that kernel developers and other security experts will analyze the code and will try to make future kernel more resistant against such rootkits.
Open source works both ways ;)]]> http://www.dslreports.com/forum/remark,21067293 Sat, 06 Sep 2008 09:12:57 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21066881 KodiacZiller : There's nothing to be afraid of as an average desktop user. As I'm sure you all know, all rootkits do, by definition, is allow someone to cover their tracks once the machine is ALREADY cracked. It isn't like you can accidentally download one (a la trojans on Windows). And even if you did, it wouldn't execute unless you explicitly give it permission.

Turn off unneeded services, update often, and run a firewall, and the chances of a desktop user being cracked are next to nil. Security 101 is all you need.

Now "high value" servers on the other hand... They might have a problem with this, but I doubt it will be epidemic.]]> http://www.dslreports.com/forum/remark,21066881 Sat, 06 Sep 2008 04:55:13 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21066347 JohnInSJ :

said by dave

It's notable because it cloaks itself by burrowing deep inside a server's processor

Wow! Burrowing deep inside a server's processor! Sounds really hardcore. I wonder what they mean?

and availing itself of debugging mechanisms available in Intel's chip architecture.

Oh, you mean it 'executes instructions' and 'writes to registers'. Wow indeed!

LOL... Yeah. It uses machine code and everything. Be afraid.]]> http://www.dslreports.com/forum/remark,21066347 Sat, 06 Sep 2008 00:14:23 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21066273 dave :

said by happylurk :

Ten again on rereading I noted that it seems to be specific to Intel architecture. Does that mean I've bought myself some extra time by running an All-AMD shop?

If the AMD doesn't have equivalent debug registers, it's useless for OS development. Therefore we can conclude AMD has debug registers.

I think they've been in the architecture since the 386, so AMD has had plenty of time to copy them!]]> http://www.dslreports.com/forum/remark,21066273 Fri, 05 Sep 2008 23:51:05 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21066234 dave :

It's notable because it cloaks itself by burrowing deep inside a server's processor

Wow! Burrowing deep inside a server's processor! Sounds really hardcore. I wonder what they mean?

and availing itself of debugging mechanisms available in Intel's chip architecture.

Oh, you mean it 'executes instructions' and 'writes to registers'. Wow indeed!]]> http://www.dslreports.com/forum/remark,21066234 Fri, 05 Sep 2008 23:40:21 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21065378 BeesTea :

said by TSI Gabe

:

Something tells me that a lot of Rootkits will derive from this one and probably very soon...

I believe there's a few in the wild behaving this way today. This just happens to be a company releasing it rather than a miscreant. Unless I'm missing something, the part that's new is the license. There's even been "commercially supported" rootkits in the past.

Ugly, but not worse than where we were I suspect.
--
Overpower, overcome.]]> http://www.dslreports.com/forum/remark,21065378 Fri, 05 Sep 2008 20:53:50 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21065226 TSI Gabe : This just shows that tools like chkrootkit can be useless if you know what you are doing. While it is a good thing that they released this under GPL and that I'm sure that they will add some sort of detection in the tool for this technique.

Something tells me that a lot of Rootkits will derive from this one and probably very soon...
--
TSI Gabe - TekSavvy Solutions Inc.]]> http://www.dslreports.com/forum/remark,21065226 Fri, 05 Sep 2008 20:21:46 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21063622 SUMware : An open source rootkit kit September 5th, 2008

said by Dana Blankenhorn :
The Register is convinced that former NSA programmer Dave Aitel has gone over to the dark side by making his DR Rootkit open source under GPL 2.

While it’s true that the program can make rootkits, I don’t see it as a net loss for Linux security.

I think it may be more of a honeypot.

]]> http://www.dslreports.com/forum/remark,21063622 Fri, 05 Sep 2008 15:51:51 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21063373 SUMware : Yep, not a "feel-good"...
More info: »seclists.org/dailydave/2008/q3/0215.html

Edit: At this time I could find no information that this would affect any other product except Intel. It would also somehow need to be installed by root.]]> http://www.dslreports.com/forum/remark,21063373 Fri, 05 Sep 2008 15:16:08 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21063265 anon : Ten again on rereading I noted that it seems to be specific to Intel architecture. Does that mean I've bought myself some extra time by running an All-AMD shop?]]> http://www.dslreports.com/forum/remark,21063265 Fri, 05 Sep 2008 14:55:37 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21063234 drjim : You're not the only one.....]]> http://www.dslreports.com/forum/remark,21063234 Fri, 05 Sep 2008 14:50:07 EDT Re: Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21063206 anon : Why did I just feel my sphincter clench up when I read that? :p]]> http://www.dslreports.com/forum/remark,21063206 Fri, 05 Sep 2008 14:45:02 EDT Open source release takes Linux rootkits mainstream http://www.dslreports.com/forum/remark,21063115 SUMware : From The Register
4th September 2008 -

quote:
The art of burying invisible malware deep inside a Linux machine is about to go mainstream, thanks to a new open-source rootkit released Thursday by Immunity Inc., a firm that supplies tools for penetration testers.

When implemented, Immunity's DR, or Debug Register, makes backdoors and other types of malware extremely difficult to detect or eradicate. It's notable because it cloaks itself by burrowing deep inside a server's processor and availing itself of debugging mechanisms available in Intel's chip architecture. The rootkit, in other words, mimics a kernel debugger.

By exploiting a CPU's native ability to generate interrupts, DR escapes some of the pitfalls that have visited more traditional types of rootkits, which modify an operating system's system call table. That's of increasing importance as more and more Linux distributions make it harder to make changes to the syscall table and rootkit detection programs such as chkrootkit and rkhunter actively check for such modifications.

Over the past few years, a growing body of malware has incorporated rootkits, making detection much harder. Until now, the benefit of using a rootkit was counterbalanced by the difficulty of building one. DR, which is available here under version 2 of the general public license, will make it profoundly easier.

"In the old days, to attack a computer, you needed to 1) find a bug, 2) write an exploit, 3) run the exploit 4) hide yourself," Charlie Miller, principal security analyst for Independent Security Evaluators, said in an email. "The gap between a script kiddie and a hacker just got a little smaller."

While DR simplifies the task of cloaking nasty malware on Linux boxes, it doesn't support symmetric multiprocessing or actively hide itself at the kernel level. The good news is that those are shortcomings that limit the rootkit's functionality and make it easier to detect.

The bad news: these features could be added with about a week's worth of development time. Indeed, Immunity is offering commercial support for DR as part of its Canvas toolkit

]]> http://www.dslreports.com/forum/remark,21063115 Fri, 05 Sep 2008 14:31:01 EDT