1 / 18

Rootkits Backdoors

2. Topics. RootkitsUser-mode RootkitsKernel RootkitsDetecting RootkitsExample: LRKBackdoorsNetcat Backdoors.Reverse Telnet.. 3. Definition of a Rootkit. Rootkit is developed by hackers to conceal their activitiesRemove log and audit file entries.Modify system programs to hide attacker file

persephone
Download Presentation

Rootkits Backdoors

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. 1 Rootkits & Backdoors SCSC 455 Spring 2009

    2. 2 Topics Rootkits User-mode Rootkits Kernel Rootkits Detecting Rootkits Example: LRK Backdoors Netcat Backdoors. Reverse Telnet.

    3. 3 Definition of a Rootkit Rootkit is developed by hackers to conceal their activities Remove log and audit file entries. Modify system programs to hide attacker files, network connections, and processes. Modify logging system to not log attacker activities. Modify OS kernel system calls to hide attacker activities. Installing a Rootkit on a Target System Hacker MUST already have root level access on target system Gain root level access by compromising system via buffer overflow, password attack, social engineering

    4. 4 Rootkit Behavior Remove evidence of original attack and activity that led to rootkit installation. Hide future attacker activity (files, network connections, processes) and prevent it from being logged. Enable future access to system by attacker. Install tools to widen scope of penetration. Secure system so other attackers can’t take control of system from original attacker.

    5. 5 Rootkit Types User-mode Rootkits Binary Rootkits replace user programs. Trojans: ls, netstat, ps Trojan backdoors: login, sshd. Library Rootkits replace system libraries. Intercept lib calls to hide activities Kernel Rootkits Modify system calls/structures that all user-mode programs rely on to list users, processes, and sockets. Add backdoors to kernel itself.

    6. 6 Library Rootkits Library Rootkits Intercept system call data returning from kernel, stripping out evidence of attacker activities. Alternately, ensure that rootkit library providing system calls is called instead of libc by placing it in /etc/ld.so.preload Example: t0rn rootkit uses special system library libproc.a to intercept process information requested by user utilities.

    7. 7 Kernel Rootkits Kernel runs in supervisor processor mode Complete control over machine. modify kernel system calls Advantage—Stealth Runtime integrity checkers cannot see rootkit changes. All programs impacted by kernel Trojan horse. Open backdoors/sniff network without running processes.

    8. 8 Binary Rootkits Example: LRK4 chsh Trojaned! User->r00t crontab Trojaned! Hidden Crontab Entries du Trojaned! Hide files fix File fixer! ifconfig Trojaned! Hide sniffing inetd Trojaned! Remote access linsniffer Packet sniffer! login Trojaned! Remote access ls Trojaned! Hide files netstat Trojaned! Hide connections passwd Trojaned! User->r00t ps Trojaned! Hide processes rshd Trojaned! Remote access sniffchk Program to check if sniffer is up and running syslogd Trojaned! Hide logs tcpd Trojaned! Hide connections, avoid denies top Trojaned! Hide processes wted wtmp/utmp editor! z2 Zap2 utmp/wtmp/lastlog eraser! Some of the trojans have been removed to make the list fit on the slide.Some of the trojans have been removed to make the list fit on the slide.

    9. 9 Example: LRK4 ifconfig – Doesn’t display PROMISC flag when sniffing. login – Allows login to any account with the rootkit password. If root login is refused on your terminal login as "rewt". Disables history logging when backdoor is used. ls – Hides files listed in /dev/ptyr. All files shown with 'ls -/' if SHOWFLAG enabled. passwd – Enter your rootkit password instead of old password to become root. ps – Hides processes listed in /dev/ptyp. rshd – Execute remote commands as root: rsh -l rootkitpassword host command syslogd – Removes log entries matching strings listed in /dev/ptys.

    10. 10 Detecting lrk4 The corrupted login only links to three libraries while the normal login links to six libraries a clear indication that the binary has been changed Notice that the corrupted login does not use the Password Authentication Module (PAM) Hence, no link to the PAM library. Otherwise the PAM module would have to be modified

    11. 11

More Related