Linux Rootkit Internals

@tkmru
December 23, 2017

Transcript

  1. About me
     • Takemaru (@tkmru)
     • CTF team: TomoriNao
     • Doujinshi circle: TomoriNao
     • I did not get a spot at Winter Comiket, so I am presenting the material I had planned to write up in a doujinshi
  2. What is LD_PRELOAD?
     $ ldd $(which ls)   # list of the shared libraries dynamically linked into ls
         linux-vdso.so.1 => (0x00007ffdc1b78000)
         libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fbe97fb5000)
         libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007fbe97dad000)
         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbe979e3000)
         libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fbe977a5000)
         libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbe975a1000)
         /lib64/ld-linux-x86-64.so.2 (0x000055f1ce4c8000)
         libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1 (0x00007fbe9739b000)
     $ LD_PRELOAD=./hook.so /bin/ls   # hooks functions inside ls!!
  3. Kernel Module Rootkit
     • A rootkit that uses a Loadable Kernel Module to rewrite kernel functionality
     • Also called a kernel rootkit or an LKM (Loadable Kernel Module) rootkit
     • ex) adore, suterusu, diamorphine, etc.
  4. Kernel Module Rootkit
     • Implements its rootkit functionality by adding a kernel module that hooks system calls
     • Examples of how it operates:
       • Hook the relevant system call directly and change its processing.
       • Redirect a file invocation so that a different binary gets executed.
       • Change only the information that is finally output.
  5. Ramdisk based Rootkit
     • A rootkit that works by rewriting initrd (the initial RAM disk)
     • A comparatively new type of rootkit
     • ex) Horse Pill: Black Hat USA 2016
       • https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf
  6. Taking a look at initrd
     $ ls -l /boot   (partially omitted)
     drwxr-xr-x 5 root root     4096 Dec  9 06:40 grub
     -rw-r--r-- 1 root root 20566118 Dec  9 06:41 initrd.img-3.19.0-80-generic   <- newer than the kernel
     -rw------- 1 root root  6595152 Jan 13  2017 vmlinuz-3.19.0-80-generic      <- the initrd is newer than this kernel image
     • initrd is generated dynamically by the system under /boot
     • Why?
       • The files have to be changed to suit differences in the environment (hardware, file system, etc.)
       • It is updated dynamically by software updates
  7. Taking a look at initrd
     $ file /boot/initrd.img-3.19.0-80-generic
     /boot/initrd.img-3.19.0-80-generic: gzip compressed data, from Unix, last modified: Sat Dec 9 06:40:55 2017
     $ gunzip --to-stdout /boot/initrd.img-3.19.0-80-generic | cpio -tv   (partially omitted)
     -rwxr-xr-x 1 root root 1600 Jun 13 2017 bin/insmod
     -rwxr-xr-x 1 root root  976 Jun 13 2017 bin/dmesg
     -rwxr-xr-x 1 root root 4872 Jun 13 2017 bin/run-init
     -rwxr-xr-x 1 root root 3904 Jun 13 2017 bin/dd
     • It is compressed with gzip
     • It contains command binaries, firmware, and so on
  8. Closing
     • Today I introduced which Linux mechanisms Linux rootkits make use of
     • To detect them, there are tools such as OSSEC, chkrootkit and rkhunter
     • Going forward I will look into how well the rootkits published as OSS can be detected
     • Look forward to the next instalment!!!
  9. References
     • The magic of LD_PRELOAD for Userland Rootkits | FlUxIuS' Blog (http://fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland-rootkits/)
     • Enterprise: Part 5, An overview of kernel rootkits (http://www.itmedia.co.jp/enterprise/0306/10/epn12.html)
     • @IT: First steps in incident response, Part 4: The reality of LKM rootkits planted by intruders (http://www.atmarkit.co.jp/fsecurity/rensai/rootkit04/rootkit02.html)
     • The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint (https://blogs.forcepoint.com/security-labs/horse-pill-rootkit-vs-forcepoint-threat-protection-linux)
  10. Resources useful for analysis
     • Linux Rootkit Detection With OSSEC
       • https://www.sans.org/reading-room/whitepapers/detection/rootkit-detection-ossec-34555
       • A SANS paper on rootkit detection with OSSEC
     • Malware memory analysis of the Jynx2 Linux rootkit (Part 1)
       • http://www.dtic.mil/get-tr-doc/pdf?AD=AD1004190
       • A DRDC (Defence Research and Development Canada) paper that analyses a memory dump of Jynx2 with Volatility