Rootkits, Backdoors, and Trojans
ECE 4112 – Lab 5 Summary – Spring 2006
Group 9
Greg Sheridan
Terry Harvey
Group 10
Matthew Bowman
Laura Silaghi
Michael Sanders
Agenda
• Rootkits
  • User space vs. kernel space
  • Detection
  • Prevention
• Backdoors
  • Different implementations
  • Detection
  • Prevention
• Trojans
• Port & Web Knocking
Rootkits
“A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge.” -Wikipedia
Rootkits – Lrk4
• Linux user space
  • Replaced system binaries
    • /bin/login
      • Added user rewt
      • Added ‘global’ password satori
    • /bin/ls
      • /dev/ptyr to hide files
Rootkits – Lrk4
• Detection
  • chkrootkit
    • Matched “root”
  • strace
    • The number of system calls made depends on which binary is run (its location: original vs. replaced)
• Prevention
  • Tripwire
Rootkits – Knark
• Linux kernel space
  • Redirected system calls
  • Added /proc/knark/
• Hiding files
  • hidef/unhidef
• Redirecting binaries
  • ered
• Other Knark functions?
Rootkits – Knark
• Detection
  • kern_check
    • Detected changes in the system call table (SCT) addresses
  • rkhunter
    • Has a really bad aim
  • chkrootkit
    • What trick could be used to detect Knark, and how could this be avoided by Knark?
• Prevention
  • Tripwire
  • Disable LKM (loadable kernel module) support
Rootkits – sucKIT
• Linux user space
  • Redirected pointer to the SCT
  • Attacks the kernel via what user file?
Rootkits – sucKIT
• Detection
  • chkrootkit
    Searching for Suckit rootkit…
    Warning: /sbin/init INFECTED
  • chkproc
    PID 1443(/proc/1443): not in readdir output
    PID 1443: not in ps output
    You have 1 process hidden for readdir command
    You have 1 process hidden for ps command
• Prevention
  • Any ideas?
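The chkproc output above comes from a cross-view check: a PID that can be reached directly under /proc but is missing from the /proc directory listing or from ps has been hidden from one of those views. The script below is an added example (not part of the lab or of chkrootkit) that reproduces that check on Linux; it reads pid_max from /proc/sys/kernel/pid_max and calls the system ps, and a rootkit that also hooks open() or stat() on /proc will defeat it, which is why the later audit slide falls back to a bootable CD.

```python
import os
import subprocess


def find_hidden_pids(probe_pids, readdir_pids, ps_pids):
    """Cross-view diff: PIDs the direct probe found that readdir or ps omit.
    Returns (hidden_from_readdir, hidden_from_ps) as sorted lists."""
    probe = set(probe_pids)
    return sorted(probe - set(readdir_pids)), sorted(probe - set(ps_pids))


def readdir_view():
    """What getdents() on /proc reports: the view a rootkit usually filters."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def probe_view():
    """Open /proc/<pid>/status for every possible PID instead of listing /proc.
    Thread IDs answer here too, so keep only thread-group leaders (Tgid == pid)
    to avoid false positives from multithreaded programs."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"/proc/{pid}/status") as f:
                for line in f:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) == pid:
                            alive.add(pid)
                        break
        except OSError:          # ENOENT for unused PIDs, or a process that just exited
            continue
    return alive


def ps_view():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


if __name__ == "__main__":
    hidden_rd, hidden_ps = find_hidden_pids(probe_view(), readdir_view(), ps_view())
    for pid in hidden_rd:
        print(f"PID {pid}(/proc/{pid}): not in readdir output")
    for pid in hidden_ps:
        print(f"PID {pid}: not in ps output")
    print(f"You have {len(hidden_rd)} process(es) hidden for readdir command")
    print(f"You have {len(hidden_ps)} process(es) hidden for ps command")
```

Short-lived processes that exit between the three views show up as transient hits, so run it twice and trust only PIDs reported both times.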
Rootkits – Hacker Defender
• Windows
  • Changed memory segments and all running processes’ behaviors
  • Hide files
  • Hide processes
  • Hide services
  • All TCP ports become potential backdoors!
Rootkits – Hacker Defender
• Detection
  • Any anti-virus software
    • Why is this so?
  • Rootkit Revealer
    • Compares the Windows API view vs. the registry hive on disk
  • IceSword
    • Found the hidden files/folders, processes, and services
• Prevention
  • Any ideas?
Rootkits – FU
• Windows
  • Via Direct Kernel Object Manipulation (DKOM)
  • Hide processes
  • Elevate process privileges
  • Fake out Windows Event Viewer
  • Hide device drivers
Rootkits – FU
• Detection
  • Rootkit Revealer can’t see a thing
• Prevention
  • Any ideas?
Rootkits – Prevention/Detection Audits
• System binaries can’t be trusted
• BusyBox
• Other Linux bootable CD
  • Knoppix
Agenda
• Backdoors and Trojans
  • Netcat
  • ICMP Backdoor
  • VNC
  • BO2K Backdoor
  • Backdoors in C
  • Backdoor Detection
  • ACK Tunneling
  • Trojans
  • Port/Web Knocking
Netcat
• Netcat is a powerful TCP/IP protocol tool. It can be used as a backend tool controlled by other programs, or as a standalone server/client.
• Server/Client
• Program Control
• File Transfer
• Relay
• Tunneling
• FIFO
• Covering Tracks
ICMP Backdoor
• Server installed on an infiltrated machine
• Uses ICMP packets to hide malicious network traffic
• Why was the server echoing the commands back to the client?
Virtual Network Connection (VNC)
• A legitimate tool used by network administrators
• Gives access to all operations for the user that is remotely logged in
• Bad if hackers can gain access to a running VNC server
BO2K Backdoor
• Very well known Windows backdoor
• Server/Client
• Many predefined functions
  • System Commands
  • Key Logging
  • GUI Commands
  • TCP/IP Commands
  • MS Networking
  • Process Control
  • Registry
  • Multimedia
  • File and Directory
  • File Compression
Backdoors in C
• Simple Linux telnet backdoor
  • 32 lines of code
  • Intercepts the login
  • Looks for the backdoor password
  • If it is not entered, goes to the original login
Backdoor Detection
• Netcat, VNC, BO2K
  • Firewalls, port scanning
  • Virus check
  • Process checking
• ICMP Detection
  • Packet throughput
  • Turn off ICMP through gateways
• Backdoor in C
  • Checking for file integrity
Backdoor Detection Cont..
• TCPView
  • Scans for active ports
  • Provides info on the process using the port
  • Path info/command used to start the process
  • Allows you to end running processes
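Tripwire is the prevention answer on the Lrk4 and Knark slides, and "checking for file integrity" is the detection answer for the C backdoor; both mean the same thing: hash the binaries once from a trusted state, store the digests off the host, and diff later. The following is an added example (not the lab's code and not Tripwire) of that loop; demo() builds a constructed fake bin directory in a temporary folder so it runs without touching the real system.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(directory):
    """Hash every regular file directly under `directory` (e.g. /bin, /sbin)."""
    digests = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path):
            digests[path] = sha256_file(path)
    return digests


def compare(baseline, current):
    """Diff a stored baseline against a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario (not a real system): baseline a fake bin directory,
    then replace 'login' and drop an extra file, as an lrk4-style install would."""
    d = tempfile.mkdtemp()
    login = os.path.join(d, "login")
    with open(login, "wb") as f:
        f.write(b"original login binary (placeholder bytes)")
    baseline = scan(d)                      # this is what you would store off-host
    with open(login, "wb") as f:
        f.write(b"replaced login binary (placeholder bytes)")
    with open(os.path.join(d, "extra"), "wb") as f:
        f.write(b"dropped file (placeholder bytes)")
    report = compare(baseline, scan(d))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())   # {'modified': ['login'], 'missing': [], 'new': ['extra']}
```

The check is only as trustworthy as the tools running it: after the sucKIT and Hacker Defender slides, hash from a bootable CD or with BusyBox, and keep the baseline on read-only media.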
ACK Tunneling
• Used to gain access to a computer behind a firewall
• Most system admins set up firewalls in a way that blocks most illegitimate traffic
• All stateless firewalls allow ACK messages to pass
  • Majority of firewalls are stateless
  • Stateful firewalls keep the state of the connections
• Sets the ACK flag to gain access
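The difference between the two firewall types on this slide, as an added example (not from the lab): a stateless rule set has to pass anything with ACK set, because it cannot tell a reply on an existing connection from a forged one, while a stateful filter only passes an ACK that belongs to a handshake it has already seen. The Packet class, open_ports and the "10.0.0." inside prefix are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def stateless_allow(pkt, open_ports):
    """Classic stateless rule set: SYNs only to published ports, but anything
    carrying ACK is assumed to belong to an existing connection and is passed."""
    if "ACK" in pkt.flags:
        return True
    return "SYN" in pkt.flags and pkt.dport in open_ports


class StatefulFilter:
    """Tracks the three-way handshake per connection; an ACK is passed only if
    it belongs to a connection this filter has seen open."""

    def __init__(self, open_ports, inside_prefix):
        self.open_ports = set(open_ports)
        self.inside = inside_prefix          # e.g. "10.0.0." marks protected hosts
        self.state = {}                      # connection key -> handshake state

    @staticmethod
    def _key(pkt):
        # Same key for both directions of one connection.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def allow(self, pkt):
        key = self._key(pkt)
        st = self.state.get(key)
        syn, ack = "SYN" in pkt.flags, "ACK" in pkt.flags
        if syn and not ack:                   # new connection attempt
            if pkt.src.startswith(self.inside) or pkt.dport in self.open_ports:
                self.state[key] = "SYN_SENT"
                return True
            return False
        if syn and ack and st == "SYN_SENT":  # reply to a permitted SYN
            self.state[key] = "SYN_RECV"
            return True
        if ack and st in ("SYN_RECV", "ESTABLISHED"):
            self.state[key] = "ESTABLISHED"
            return True
        return False                          # bare ACK with no tracked connection
```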
Trojans
“… A malicious program that is disguised as legitimate software. … They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.” ~Wikipedia
Trojans Cont…
• eLitewrap
  • Wrapped a legitimate program with a malicious program that runs in the background
  • Don’t execute suspicious programs
  • Look for suspicious processes running
• Explorer's ActiveX
  • Installed a backdoor from a webpage
  • Don’t allow ActiveX
Port/Web Knocking
• Port Knocking
  • Blocks all ports but still allows access
  • Will open a specified port when the correct knock sequence is performed
  • Knock sequence
    • Series of attempts to open certain ports
• Web Knocking
  • Is used where web access is allowed through the firewall
  • Invalid web commands are sent to the server; they are logged in the error log
  • A command script runs intermittently to execute the commands
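The knock daemon's job is the same in both variants: read the log of rejected connection attempts and decide whether one source completed the sequence in order and in time. Below is an added example (not the lab's code) of that state machine over constructed iptables-style log lines; the ports 7000/8000/9000, the 10-second window and the log format are assumptions for this example, and opening the port for the authorised source is left to the operator's firewall command.

```python
import re

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed ports, chosen for this example
WINDOW_SECONDS = 10                   # whole sequence must arrive within this

# Fields needed from an iptables-style LOG line (timestamp, source, dest port).
LOG_RE = re.compile(r"^(?P<ts>\d+) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")


def parse(line):
    m = LOG_RE.match(line)
    return (int(m["ts"]), m["src"], int(m["dpt"])) if m else None


class KnockWatcher:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.seq, self.window = sequence, window
        self.progress = {}   # src -> (index of next expected knock, time of first knock)

    def feed(self, ts, src, dport):
        """Return True exactly when `src` completes the sequence in order and in time."""
        idx, t0 = self.progress.get(src, (0, ts))
        if ts - t0 > self.window:              # too slow: start over
            idx, t0 = 0, ts
        if dport == self.seq[idx]:
            idx += 1
        else:                                  # wrong port resets; a fresh first knock counts
            idx, t0 = (1 if dport == self.seq[0] else 0), ts
        if idx == len(self.seq):
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, t0)
        return False


def authorised_sources(lines, watcher=None):
    """Sources that completed the knock; the caller then opens the protected port for them."""
    w = watcher or KnockWatcher()
    return [p[1] for p in map(parse, lines) if p and w.feed(*p)]


# Constructed log lines: one host knocks correctly, another out of order.
SAMPLE_LOG = [
    "1000 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=7000",
    "1001 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=8000",
    "1002 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=9000",
    "1003 kernel: DROP IN=eth0 SRC=192.0.2.44 DST=10.0.0.7 PROTO=TCP DPT=7000",
    "1004 kernel: DROP IN=eth0 SRC=192.0.2.44 DST=10.0.0.7 PROTO=TCP DPT=9000",
    "1005 kernel: DROP IN=eth0 SRC=192.0.2.44 DST=10.0.0.7 PROTO=TCP DPT=8000",
]
```

A plain sequence like this is observable by anyone who can sniff the wire, so production knock daemons add a one-time or cryptographic element; the ordering and time-window logic stays the same.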
Questions?