
Page 1: Rootkits, Backdoors, and Trojans – ECE 4112 – Lab 5 Summary – Spring 2006

Group 9: Greg Sheridan, Terry Harvey
Group 10: Matthew Bowman, Laura Silaghi, Michael Sanders

Page 2: Agenda

• Rootkits
  • User space vs. kernel space
  • Detection
  • Prevention
• Backdoors
  • Different implementations
  • Detection
  • Prevention
• Trojans
• Port & Web Knocking

Page 3: Rootkits

“A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge.” - Wikipedia

Page 4: Rootkits – Lrk4

• Linux user space
• Replaced system binaries
  • /bin/login
    • Added user rewt
    • Added ‘global’ password satori
  • /bin/ls
    • /dev/ptyr to hide files

Page 5: Rootkits – Lrk4

• Detection
  • chkrootkit
    • matched “root”
  • strace
    • number of system calls made is dependent on the binary's location
• Prevention
  • Tripwire

Page 6: Rootkits – Knark

• Linux kernel space
• Redirected system calls
• Added /proc/knark/
  • Hiding files: hidef/unhidef
  • Redirecting binaries: ered
• Other Knark functions?

Page 7: Rootkits – Knark

• Detection
  • kern_check
    • Detected changes in SCT (system call table) addresses
  • rkhunter
    • Has a really bad aim
  • chkrootkit
    • What trick could be used to detect Knark, and how could this be avoided by Knark?
• Prevention
  • Tripwire
  • Disable LM (loadable kernel modules)
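The check kern_check performs, as an added example (this is not the lab's kern_check and not Knark's code): each system call table entry is compared with the address System.map recorded for that sys_* symbol when the kernel was built, and, as a weaker fallback, with the static kernel text range [_text, _etext). Reading the live table needs /dev/kmem or a kernel module, so the live table here is a constructed dict; the System.map excerpt and addresses are constructed too.

```python
"""
Added example (not the lab's own kern_check): compare a system call table
snapshot against the addresses System.map recorded at kernel build time.
Reading the live table needs /dev/kmem or a kernel module, so the live
table here is a constructed dict and only the comparison logic is shown.
"""
from typing import Dict, List, Tuple

# Constructed System.map excerpt (32-bit, 2.4-era layout: "address type symbol").
SYSTEM_MAP = """\
c0100000 T _text
c0106ee0 T sys_fork
c0107010 T sys_execve
c012a310 T sys_open
c012a6e0 T sys_read
c012a7a0 T sys_write
c0133c70 T sys_getdents64
c0141e40 T sys_kill
c0280000 T _etext
"""

# Constructed live table. getdents64 and kill no longer point at the static
# kernel text; they point into the module area where an LKM rootkit would live.
LIVE_TABLE = {
    "sys_fork": 0xC0106EE0,
    "sys_execve": 0xC0107010,
    "sys_open": 0xC012A310,
    "sys_read": 0xC012A6E0,
    "sys_write": 0xC012A7A0,
    "sys_getdents64": 0xC8831A20,
    "sys_kill": 0xC8831C00,
}


def parse_system_map(text: str) -> Dict[str, int]:
    """Map every text symbol (type T/t) to its address."""
    addrs: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("T", "t"):
            addrs[parts[2]] = int(parts[0], 16)
    return addrs


def check_sct(expected: Dict[str, int], live: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Entries whose live address differs from the build-time address."""
    return [(name, expected[name], live[name])
            for name in sorted(live)
            if name in expected and expected[name] != live[name]]


def outside_kernel_text(symbols: Dict[str, int], live: Dict[str, int]) -> List[str]:
    """Entries pointing outside [_text, _etext): needs no per-symbol match, so it
    still works when System.map does not exactly match the running kernel."""
    lo, hi = symbols["_text"], symbols["_etext"]
    return [name for name in sorted(live) if not lo <= live[name] < hi]


def report() -> List[str]:
    symbols = parse_system_map(SYSTEM_MAP)
    lines = [f"{n}: expected {e:#010x}, found {f:#010x}"
             for n, e, f in check_sct(symbols, LIVE_TABLE)]
    lines += [f"{n}: address outside kernel text"
              for n in outside_kernel_text(symbols, LIVE_TABLE)]
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "system call table matches System.map")
```

Both checks depend on the reference being trustworthy: System.map must come from a known-good copy of the kernel build (or read-only media), since a rootkit that can patch the table can also edit the file on disk.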

Page 8: Rootkits – sucKIT

• Linux user space
• Redirected pointer to the SCT
• Attacks kernel via what user file?

Page 9: Rootkits – sucKIT

• Detection
  • chkrootkit:

    Searching for Suckit rootkit… Warning: /sbin/init INFECTED

  • chkproc:

    PID 1443(/proc/1443): not in readdir output
    PID 1443: not in ps output
    You have 1 process hidden for readdir command
    You have 1 process hidden for ps command

• Prevention
  • Any ideas?
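The cross-view check behind the chkproc output above, as an added example that is not chkrootkit's code: a rootkit that filters the /proc directory listing still has to answer a direct lookup of /proc/<pid>, so probing every PID number and diffing the result against the listing exposes the hidden entry. The same principle (compare two views of the same data that the rootkit must hook separately) is what Rootkit Revealer does with the Windows API versus the registry hive on disk. The demo PIDs are constructed; live_check() runs the real comparison on the local machine.

```python
"""
Added example (not from the lab slides): a chkproc-style cross-view check.
The listing view (readdir of /proc) is compared with a probe view (direct
lookup of each /proc/<pid>); any PID in the probe view but not the listing
is being hidden from directory reads.
"""
import os
from typing import Callable, Iterable, Set


def probe_pids(max_pid: int, exists: Callable[[int], bool]) -> Set[int]:
    """Every PID in 1..max_pid for which a direct probe succeeds."""
    return {pid for pid in range(1, max_pid + 1) if exists(pid)}


def hidden_pids(listed: Iterable[int], probed: Set[int]) -> Set[int]:
    """PIDs that the direct probe finds but the directory listing omitted."""
    return probed - set(listed)


def readdir_pids() -> Set[int]:
    """PIDs as the /proc directory listing reports them (the view a rootkit filters)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def proc_entry_exists(pid: int) -> bool:
    """Direct lookup of /proc/<pid>, which bypasses readdir."""
    return os.path.isdir(f"/proc/{pid}")


def live_check(max_pid: int = 32768) -> Set[int]:
    """Run the cross-view check on the local system."""
    return hidden_pids(readdir_pids(), probe_pids(max_pid, proc_entry_exists))


# Constructed demonstration data standing in for a hidden process:
# the listing omits 1443 while the direct probe still finds it.
DEMO_LISTED = {1, 2, 100, 1442, 1444}
DEMO_REAL = {1, 2, 100, 1442, 1443, 1444}


def demo() -> Set[int]:
    probed = probe_pids(2000, lambda pid: pid in DEMO_REAL)
    return hidden_pids(DEMO_LISTED, probed)


if __name__ == "__main__":
    found = demo()
    for pid in sorted(found):
        print(f"PID {pid}: not in readdir output")
    print(f"You have {len(found)} process hidden for readdir command")
```

A process that exits between the two views shows up as a one-off false positive; chkproc behaves the same way, so a hit should be confirmed by re-running and by checking the PID a second way (for example /proc/<pid>/status versus ps output).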

Page 10: Rootkits – Hacker Defender

• Windows
• Changed memory segments and all running processes’ behaviors
• Hide files
• Hide processes
• Hide services
• All TCP ports become potential backdoors!

Page 11: Rootkits – Hacker Defender

• Detection
  • Any anti-virus software
    • Why is this so?
  • Rootkit Revealer
    • Compares Windows API vs. Registry Hive on disk
  • IceSword
    • Found the hidden files/folders, processes, and services
• Prevention
  • Any ideas?

Page 12: Rootkits – FU

• Windows
• Via Direct Kernel Object Manipulation (DKOM)
• Hide processes
• Elevate process privileges
• Fake out Windows Event Viewer
• Hide device drivers

Page 13: Rootkits – FU

• Detection
  • Rootkit Revealer can’t see a thing
• Prevention
  • Any ideas?

Page 14: Rootkits – Prevention/Detection Audits

• System binaries can’t be trusted
• BusyBox
• Other Linux bootable CD
  • Knoppix

Page 15: Agenda

• Backdoors and Trojans
  • Netcat
  • ICMP Backdoor
  • VNC
  • BO2K Backdoor
  • Backdoors in C
  • Backdoor Detection
  • ACK Tunneling
  • Trojans
  • Port/Web Knocking

Page 16: Netcat

• Netcat is a powerful TCP/IP tool; it can be used as a back-end tool controlled by other programs, or as a standalone server or client.
• Server/Client
• Program Control
• File Transfer
• Relay
• Tunneling
• FIFO
• Covering Tracks

Page 17: ICMP Backdoor

• Server installed on an infiltrated machine
• Uses ICMP packets to hide malicious network traffic
• Why was the server echoing the commands back to the client?
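Two signals for spotting this kind of traffic, as an added example that is not part of the lab: per-source ICMP throughput (the slides' "packet throughput" check) and payload shape, since a real ping carries a fixed-size timestamp-plus-pattern payload while a backdoor carries command text. The packet records, addresses and thresholds are constructed for the demonstration.

```python
"""
Added example (not from the lab): flag ICMP sources whose throughput or
payload shape does not look like ping. Packets, addresses and the
threshold are constructed; in practice the records come from a capture.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


@dataclass
class IcmpPacket:
    ts: float            # seconds
    src: str
    dst: str
    icmp_type: int
    payload: bytes


def looks_like_text(payload: bytes, ratio: float = 0.9) -> bool:
    """A ping payload is a timestamp plus a byte pattern; command output is text."""
    if not payload:
        return False
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload) >= ratio


def normal_ping_payload(payload: bytes) -> bool:
    """Default ping payloads are 56 bytes (Linux) or 32 bytes (Windows) and not text."""
    return len(payload) in (32, 56) and not looks_like_text(payload)


def throughput(packets: List[IcmpPacket]) -> Dict[str, float]:
    """ICMP payload bytes per second, per source, over the capture window."""
    by_src: Dict[str, List[IcmpPacket]] = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    result = {}
    for src, pkts in by_src.items():
        span = max(1.0, max(p.ts for p in pkts) - min(p.ts for p in pkts))
        result[src] = sum(len(p.payload) for p in pkts) / span
    return result


def flag_sources(packets: List[IcmpPacket], max_bps: float = 2000.0) -> Dict[str, List[str]]:
    """Source -> list of reasons it was flagged (empty dict when all is quiet)."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    for src, bps in throughput(packets).items():
        if bps > max_bps:
            reasons[src].append(f"throughput {bps:.0f} B/s exceeds {max_bps:.0f}")
    odd: Dict[str, int] = defaultdict(int)
    for p in packets:
        if not normal_ping_payload(p.payload):
            odd[p.src] += 1
    for src, n in odd.items():
        reasons[src].append(f"{n} packets with non-standard payload")
    return dict(reasons)


def constructed_capture() -> List[IcmpPacket]:
    """Host .5 runs plain ping; host .9 carries command output inside echo replies."""
    ping_payload = bytes(8) + bytes(range(0x10, 0x10 + 48))   # 56 bytes, Linux ping pattern
    cmd_output = (b"uid=0(root) gid=0(root) groups=0(root)\n" * 40)[:1400]
    pkts = [IcmpPacket(float(i), "10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, ping_payload)
            for i in range(5)]
    pkts += [IcmpPacket(100.0 + i * 0.1, "10.0.0.9", "192.0.2.10", ICMP_ECHO_REPLY, cmd_output)
             for i in range(20)]
    return pkts


if __name__ == "__main__":
    for src, why in flag_sources(constructed_capture()).items():
        print(src, "->", "; ".join(why))
```

Neither signal is conclusive on its own (monitoring tools send large pings, and a patient backdoor can pace itself), which is why the slides also list the blunt mitigation of blocking ICMP at the gateway.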

Page 18: Virtual Network Connection (VNC)

• A legitimate tool used by network administrators
• Gives access to all operations for the user that is remotely logged in
• Bad if hackers can gain access to a running VNC server

Page 19: BO2K Backdoor

• Very well-known Windows backdoor
• Server/Client
• Many predefined functions
  • System Commands
  • Key Logging
  • GUI Commands
  • TCP/IP Commands
  • MS Networking
  • Process Control
  • Registry
  • Multimedia
  • File and Directory
  • File Compression

Page 20: Backdoors in C

• Simple Linux telnet backdoor
  • 32 lines of code
• Intercepts the login
• Looks for the backdoor password
• If it is not entered, goes to the original login

Page 21: Backdoor Detection

• Netcat, VNC, BO2K
  • Firewalls, port scanning
  • Virus check
  • Process checking
• ICMP Detection
  • Packet throughput
  • Turn off ICMP through gateways
• Backdoor in C
  • Checking for file integrity
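The file-integrity check named here (and Tripwire's role on the Lrk4 slide), as an added example that is not Tripwire's own code: take a baseline of content hashes and metadata for the binaries the lab saw replaced, keep it off the host, and diff a fresh snapshot against it. The paths in DEFAULT_PATHS are the slides' targets plus a few usual suspects; the demo uses a temporary directory with constructed files so it runs anywhere.

```python
"""
Added example (not the lab's Tripwire setup): a minimal file-integrity
baseline and comparison. The baseline must be taken from a trusted state
and stored off the monitored host; run the check with a known-good shell
and interpreter (for example from a BusyBox or Knoppix CD), since the
host's own binaries are exactly what is in question.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable

Record = Dict[str, object]

# Binaries a Linux audit would cover; the demo below uses a temp dir instead.
DEFAULT_PATHS = ["/bin/login", "/bin/ls", "/bin/ps", "/bin/netstat", "/sbin/init"]


def file_record(path: str) -> Record:
    """Hash the contents and record the metadata a replacement would change.
    mtime is left out on purpose: it is trivial to reset and only produces
    noise after legitimate package updates."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def snapshot(paths: Iterable[str]) -> Dict[str, Record]:
    return {p: file_record(p) for p in paths if os.path.isfile(p)}


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, str]:
    """Classify each path as modified, missing (baseline only) or added."""
    result: Dict[str, str] = {}
    for path, rec in baseline.items():
        if path not in current:
            result[path] = "missing"
        elif rec != current[path]:
            result[path] = "modified"
    for path in current:
        if path not in baseline:
            result[path] = "added"
    return result


def save_baseline(baseline: Dict[str, Record], dest: str) -> None:
    """Write the baseline as JSON; dest should be read-only or removable media."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def demo() -> Dict[str, str]:
    """Constructed scenario in a temp dir: 'login' is altered, 'ls' is removed and
    a new binary 'nc' appears; findings are returned keyed by basename."""
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n) for n in ("login", "ls", "init")}
        for p in files.values():
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho original\n")
        baseline = snapshot(files.values())
        with open(files["login"], "ab") as f:
            f.write(b"# tampered\n")
        os.remove(files["ls"])
        with open(os.path.join(d, "nc"), "wb") as f:
            f.write(b"\x7fELF")
        current = snapshot(list(files.values()) + [os.path.join(d, "nc")])
        return {os.path.basename(p): v for p, v in compare(baseline, current).items()}


if __name__ == "__main__":
    for name, finding in sorted(demo().items()):
        print(f"{finding:>9}: {name}")
```

Against a kernel rootkit such as Knark or sucKIT this check is only as good as the kernel it runs under: if open() and read() are redirected, the hashing program sees whatever the rootkit wants it to see, which is the reason the audit slide insists on booting from separate media.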

Page 22: Backdoor Detection Cont.

• TCPView
  • Scans for active ports
  • Provides info on the process using the port
  • Path info/command used to start the process
  • Allows you to end running processes

Page 23: ACK Tunneling

• Used to gain access to a computer behind a firewall
• Most system admins set up firewalls in a way that will block most illegitimate traffic
• All stateless firewalls allow ACK messages to pass
  • Majority of firewalls are stateless
  • Stateful firewalls keep the state of the connections
• Sets ACK flag to gain access
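The stateless-versus-stateful difference on this slide, as an added example that is not part of the lab: both filters below implement the policy "inside hosts may open connections out, nothing may be opened in". The stateless one approximates "established" by looking at the ACK flag, so a bare ACK from outside is admitted; the stateful one remembers the outbound SYNs and admits only replies to them. Addresses, ports and packet records are constructed.

```python
"""
Added example (not from the lab): the same policy implemented as a
stateless ACL and as a stateful filter, run over a constructed packet
sequence that ends with a bare ACK from an outside host.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

INSIDE = "10.0.0."       # constructed internal address prefix
Key = Tuple[str, int, str, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def from_inside(p: Packet) -> bool:
    return p.src.startswith(INSIDE)


def stateless_allow(p: Packet) -> bool:
    """Classic ACL: outbound always; inbound only when ACK is set, on the
    assumption that ACK means 'reply to an established connection'."""
    return from_inside(p) or p.ack


class StatefulFilter:
    """Remembers connections opened from inside and admits only their replies."""

    def __init__(self) -> None:
        self.table: Set[Key] = set()

    def allow(self, p: Packet) -> bool:
        if from_inside(p):
            if p.syn and not p.ack:                  # new outbound connection
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        # inbound: must match a tracked outbound connection (tuple reversed)
        return (p.dst, p.dport, p.src, p.sport) in self.table


def constructed_traffic() -> List[Packet]:
    web = "192.0.2.80"
    return [
        Packet("10.0.0.7", 51000, web, 80, syn=True),                # 0 inside opens to web
        Packet(web, 80, "10.0.0.7", 51000, syn=True, ack=True),      # 1 SYN-ACK reply
        Packet("10.0.0.7", 51000, web, 80, ack=True),                # 2 handshake completes
        Packet(web, 80, "10.0.0.7", 51000, ack=True),                # 3 data from web
        Packet("198.51.100.9", 40000, "10.0.0.7", 4444, ack=True),   # 4 bare ACK from outsider
        Packet("198.51.100.9", 40000, "10.0.0.7", 4444, syn=True),   # 5 plain SYN from outsider
    ]


def decisions() -> Tuple[List[bool], List[bool]]:
    """(stateless verdicts, stateful verdicts) for constructed_traffic()."""
    pkts = constructed_traffic()
    sf = StatefulFilter()
    return [stateless_allow(p) for p in pkts], [sf.allow(p) for p in pkts]


if __name__ == "__main__":
    for i, (a, b) in enumerate(zip(*decisions())):
        print(f"packet {i}: stateless={'allow' if a else 'drop'} "
              f"stateful={'allow' if b else 'drop'}")
```

Packet 4 is the whole point: the stateless filter passes it because the ACK bit is set, the stateful one drops it because no inside host ever opened a connection to 198.51.100.9. A real stateful filter also ages entries out and tracks sequence numbers, which this sketch omits.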

Page 24: Trojans

“… A malicious program that is disguised as legitimate software. … They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.” ~Wikipedia

Page 25: Trojans Cont.

• eLitewrap
  • Wrapped a legitimate program with a malicious program that is run in the background
  • Don’t execute suspicious programs
  • Look for suspicious processes running
• Explorer's ActiveX
  • Installed a backdoor from a webpage
  • Don’t allow ActiveX

Page 26: Port/Web Knocking

• Port Knocking
  • Blocks all ports but still allows access
  • Will open a specified port when a correct knock sequence is performed
  • Knock sequence: a series of attempts to open certain ports
• Web Knocking
  • Is used where web access is allowed through the firewall
  • Invalid web commands are sent to the server; they are logged in the error log
  • A command script that runs intermittently executes the commands
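The knock-sequence logic a port-knocking daemon runs, as an added example that is not part of the lab and not any particular daemon's code: the daemon reads the firewall's log of rejected SYNs, tracks each source's progress through the secret sequence, resets on a wrong port or a timeout, and on completion would insert a temporary allow rule for that source on the protected port. The sequence, timeout, log lines and addresses are constructed.

```python
"""
Added example (not from the lab): track knock sequences in iptables-style
log lines. KNOCK_SEQUENCE, KNOCK_TIMEOUT, PROTECTED_PORT and the log
lines are constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = [7000, 8000, 9000]   # constructed secret sequence
KNOCK_TIMEOUT = 10.0                  # seconds allowed between consecutive knocks
PROTECTED_PORT = 22                   # port the daemon would open on success

LOG_RE = re.compile(r"^\S+ +\d+ (\d\d):(\d\d):(\d\d) .*SRC=(\S+) .*DPT=(\d+)")


def parse_line(line: str) -> Tuple[float, str, int]:
    """(seconds since midnight, source address, destination port) from a
    syslog line written by an iptables LOG rule."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    h, mi, s, src, dpt = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, int(dpt)


class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT) -> None:
        self.sequence = list(sequence)
        self.timeout = timeout
        self.progress: Dict[str, Tuple[int, float]] = {}   # src -> (knocks matched, last ts)
        self.opened: List[Tuple[str, float]] = []          # (src, ts) of completed sequences

    def knock(self, ts: float, src: str, dport: int) -> bool:
        """Feed one attempt; True when src has just completed the sequence."""
        matched, last = self.progress.get(src, (0, ts))
        if ts - last > self.timeout:          # too slow: start over
            matched = 0
        if dport == self.sequence[matched]:
            matched += 1
        else:                                 # a wrong port resets the sequence
            matched = 1 if dport == self.sequence[0] else 0
        if matched == len(self.sequence):
            self.progress.pop(src, None)
            self.opened.append((src, ts))     # here the daemon would add a firewall rule
            return True
        self.progress[src] = (matched, ts)
        return False


def replay(lines: List[str]) -> List[str]:
    """Sources that completed the sequence, in the order they did so."""
    tracker = KnockTracker()
    return [src for ts, src, dpt in map(parse_line, lines) if tracker.knock(ts, src, dpt)]


# Constructed log: .7 knocks correctly, .8 knocks out of order, .9 knocks
# correctly but waits too long before the third knock.
CONSTRUCTED_LOG = [
    "Jan 19 10:00:01 fw kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=7000 SYN",
    "Jan 19 10:00:02 fw kernel: KNOCK IN=eth0 SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=8000 SYN",
    "Jan 19 10:00:03 fw kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=8000 SYN",
    "Jan 19 10:00:04 fw kernel: KNOCK IN=eth0 SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=7000 SYN",
    "Jan 19 10:00:05 fw kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=9000 SYN",
    "Jan 19 10:00:06 fw kernel: KNOCK IN=eth0 SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP SPT=40006 DPT=9000 SYN",
    "Jan 19 10:00:10 fw kernel: KNOCK IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40007 DPT=7000 SYN",
    "Jan 19 10:00:12 fw kernel: KNOCK IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40008 DPT=8000 SYN",
    "Jan 19 10:00:30 fw kernel: KNOCK IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40009 DPT=9000 SYN",
]

if __name__ == "__main__":
    for src in replay(CONSTRUCTED_LOG):
        print(f"{src}: sequence complete, would open port {PROTECTED_PORT} briefly")
```

Knocks travel in the clear, so anyone sniffing the path can replay them; port knocking hides a service from scanners and cuts exposure, but the service behind the opened port still needs its own authentication.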

Page 27: Questions?