IV International Conference of Unix at Uninet
Talk

20031219-3.en

_libra_I'll present a case study about this
_libra_and you'll learn why I chose the trojan that I'll comment on later
_libra_later I'll talk about simple solutions
_libra_that will help us stop the insertion of trojans into our systems
_libra_about definitions:
_libra_cracker: the person who only intrudes into a system
_libra_hacker: the person who writes the code, no matter whether it's for bad things
_libra_let's start
_libra_like everything in this world, things evolve
_libra_the techniques used by operating systems to improve their performance
_libra_and presence
_libra_but hackers also evolve
_libra_improving their code and their ways of hiding
_libra_for example
_libra_some time ago
_libra_trojans were programmed entirely for one reason
_libra_it was a program that did something while the user didn't know what
_libra_something like today's viruses
_libra_and we also had backdoors
_libra_those let a user get in quickly
_libra_in the old days, 5 years ago more or less
_libra_system programmers installed backdoors
_libra_in their programs to save time
_libra_but sacrificing the security of their systems
_libra_sometimes they forgot to erase their backdoors
_libra_which were discovered by other people
_libra_at that time, simple backdoors were seen
_libra_they were simple to detect
_libra_for example
_libra_in the file /etc/services some lines like this were put
_libra_"backdoor 31337/tcp"
_libra_and in the /etc/inetd.conf file "backdoor stream tcp nowait root /bin/bash -i"
_libra_later, that opened a shell on port 31337 to which anyone could connect, and he/she would have root privileges
_libra_this kind of ancient backdoor was easy to detect
_libra_but not for inexperienced administrators
_libra_and, as another example
_libra_adding a line to the /etc/passwd file with root privileges like this: krocz:x:0:0:root:/root:/bin/bash
_libra_and if you logged in with the krocz user you got root
_libra_now, it has changed
_libra_with the techniques used by viruses
_libra_new backdoors have been made; mixing in techniques used by viruses, they have become trojans
_libra_because we execute programs without knowing what they're going to do
_libra_that will be explained
_libra_now there's no difference between virus and trojan
_libra_talking about the linux context
_libra_techniques like library redirection
_libra_explained in the Silvio Cesare phrack article http://www.phrack.org/phrack/56/p56-0x07
_libra_there's another interesting one: http://www.phrack.org/phrack/61/p61-0x0a_Infecting_Loadable_Kernel_Modules.txt
_libra_trojanization has changed, and the technique we'll see talks about /dev/kmem infection
_libra_http://www.phrack.org/phrack/58/p58-0x07
_libra_those are some of the techniques used by trojans
_libra_to be installed in the system; more than trojans, rootkits
_libra_rootkits are programs installed in a system to hide the presence of an attacker in the system
_libra_like it's said in #qc
_libra_there are some articles here
_libra_> http://www.est.cl/phrack/p61-0x0a.txt (in Spanish)
_libra_<krocz> <redyuck> http://www.est.cl/phrack/phrack58-0x07.txt
_libra_and like I said, the technique that I'll talk about later, and which is very complicated, is that of kernel image infection
_libra_http://www.phrack.org/phrack/60/p60-0x08.txt
_libra_when an attacker breaks into a system
_libra_what they always try is to hide from the administrator
_libra_a simple way to do it is by creating directories inside the /dev directory
_libra_and installing their tools there
_libra_tools with suid root
_libra_that are executed with root privileges
_libra_that kind of program is simple to detect
_libra_with a find / -perm +4000 command
_libra_you'll find several programs with suid root
_libra_the administrator must know which of these programs should have those permissions
_libra_<redyuck> or with chkrootkit ) <- I'll show why it isn't efficient several times
_libra_the idea is to be hidden from the administrator
_libra_ancient rootkits changed the most used commands
_libra_to hide connections, processes, and that kind of thing
_libra_they changed /bin/login to capture the passwords entered by the users who were on the system
_libra_or changed ps to hide processes executed by the cracker
_libra_or commands like netstat
_libra_tripwire easily detected these rootkits
_libra_or with md5sum
_libra_on the files and comparing with others
_libra_we get a hash that wasn't the same as the original
_libra_like it has been said
_libra_chkrootkit is a much-discussed tool
_libra_used to detect anomalies in the system
_libra_http://www.chkrootkit.org
_libra_I think you can trust very much in this tool
_libra_you'll see with these lines
_libra_             if ${egrep} -i adore < /proc/ksyms >/dev/null 2>&1; then
_libra_<krocz>                    echo "Warning: Adore LKM installed"
_libra_<krocz>                  fi
_libra_with this you see if the adore LKM rootkit exists
_libra_which could be false
_libra_or this
_libra_${strings} ${ROOTDIR}sbin/init | ${egrep} HOME
_libra_with this you try to search for the string HOME in /sbin/init
_libra_the HOME string is used by the suckit rootkit
_libra_if it doesn't find that string, it will suppose that the suckit trojan wasn't installed
_libra_it doesn't know that you could detect some changes by comparing the md5 hashes
_libra_chkrootkit told me I had a trojan installed, just because I had 4 hidden processes
_libra_Checking `lkm'... You have     4 process hidden for ps command
_libra_later I saw it was a problem of the procfs installed in my debian
_libra_which has problems
_libra_now, we are going to study how rootkits work
_libra_I read the news about the intrusion into debian's servers
_libra_I think you know how it was done
_libra_:D
_libra_but what is important is that the intruders used trojans and suckit to hide their presence
_libra_there must be some reason if they used this trojan
_libra_in http://www.exis.cl/present/umeet/pre.html
_libra_I've made a description of a test that I've done
_libra_to demonstrate what I'm explaining
_libra_we'll see that the first step was to compute an md5 hash of /sbin/init
_libra_which is what suckit modifies when it is installed into the system
_libra_later, I infected myself with the trojan-rootkit
_libra_executed the backdoor "./sk"
_libra_and I went back to compute an md5 hash of /sbin/init
_libra_but, surprise, the hash hasn't changed
_libra_this hiding technique also makes it undetectable to tripwire
_libra_the trojan works through /dev/kmem
_libra_like has been said before
_libra_this file contains the kernel image in memory
_libra_the file has write permissions
_libra_suckit searches for the address of the syscall table
_libra_and modifies it
_libra_modifying what it needs
_libra_with this, it can avoid md5 comparison
_libra_this technique is shown in the 7a69 ezine, in the article written by IReick
_libra_article number 9
_libra_suckit modifies /sbin/init
_libra_to be loaded if the machine is reset
_libra_this rootkit has a client used to connect to the machine infected with suckit
_libra_avoiding logs
_libra_sending a binary packet to an open port
_libra_and, because suckit is at the kernel level, it is detected and it compares the password hash to see if it is like the one it has
_libra_installed
_libra_if they are equal, it sends a connection to a port on the attacker in listen mode
_libra_this is also known as reverse telnet
_libra_it is with this that firewalls are avoided
_libra_because the connection is made by the infected machine
_libra_and the packet can go to any port, binary or ascii
_libra_or if it is behind a nat
_libra_it is processed at the kernel level
_libra_without being logged
_libra_and without encryption
_libra_the traffic isn't easy to detect with an IDS
_libra_<redyuck> any recommended IDS (snort)? <- I haven't run tests yet, but you won't be able to detect Suckit's connections easily
_libra_an idea recommended by a work colleague
_libra_is that suckit uses a fixed hash
_libra_to send authentication
_libra_I'm referring to a fixed packet size
_libra_maybe you could detect the size and start having suspicions about your infection
_libra_like I have said, it is only infected traffic, you won't see any /bin/sh
_libra_in your network
_libra_once we connect to an infected machine and list the processes we'll see something like this
_libra_http://www.exis.cl/present/umeet/pre2.html
_libra_the backdoors, and a user connected normally
_libra_<krocz> root      2349  0.0  0.0   208  148 ?        S    20:39   0:00 ./sk
_libra_<krocz> root      2647  0.0  0.0   208  148 ?        S    20:48   0:00 ./sk
_libra_<krocz> root      2688  0.0  0.0   208  148 ?        S    20:51   0:00 ./sk
_libra_<krocz> root      2782  0.0  0.0   208  148 ?        S    21:01   0:00 ./sk
_libra_<krocz> root      2783  0.0  0.5  2052 1104 ttyp0    S    21:01   0:00 sh -i
_libra_we'll see that at http://www.exis.cl/present/umeet/pre3.html
_libra_like you see, in the second presentation, the trojans are hidden
_libra_you won't see if there are trojans, even if you get the md5 hash
_libra_of the init file
_libra_you couldn't see if it is suckit
_libra_tripwire doesn't detect it
_libra_it is because of this that you cannot trust in chkrootkit
_libra_now we'll see how to detect it through a bug in the suckit version I tested
_libra_which is that it doesn't hide the connections (but this bug will be solved)
_libra_with a netstat -anet
_libra_you'll see something like this
_libra_http://www.exis.cl/present/umeet/pre4.html
_libra_it's this
_libra_ tcp        0      0 127.0.0.1:1030          127.0.0.1:1028          ESTABLISHED 0          5946       -
_libra_which has no file name or pid
_libra_but it is established
_libra_now we'll see some installation code
_libra_ if [ ! -f /sbin/init${H} ];  then cp -f /sbin/init /sbin/init${H}
_libra_<krocz> ; fi; rm -f /sbin/init; cp sk /sbin/init
_libra_like you see, it copies /sbin/init to sk
_libra_sorry, like you see, it copies sk to /sbin/init
_libra_and the original /sbin/init is copied to /sbin/initsk12
_libra_you won't see anything
_libra_it knows how to hide
_libra_but if we make a file /bin/initsk12
_libra_it will be found
_libra_if you find it, you are infected
_libra_this rootkit is waiting
_libra_if there's no one connected there's nothing to do
_libra_to find out what the HOME is where it is installed
_libra_it is for that reason that chkrootkit searches for the HOME string in sbin/init
_libra_one way of detecting the HOME is when someone is connected
_libra_go to /proc
_libra_and you'll see some directories with numbers
_libra_with the pid of every process
_libra_running on the pc
_libra_if someone is connected, the pid used by the hacker won't be seen
_libra_so you'll have to find out what the pids are
_libra_i.e. cd 1 - cd 2 .... cd 179
_libra_when the pid exists, you enter the directory; if it doesn't exist you'll be given an error
_libra_and you'll find the hidden pid
_libra_because if it exists, you'll enter its directory
_libra_i.e. :/proc# ls 15252
_libra_there you'll find an environ file
_libra_that will help you detect your HOME
_libra_there, you go to the directory where the trojan is installed and execute ./sk u
_libra_which uninstalls the trojan and shows the hidden processes and directories
_libra_move /sbin/initsk12 to /sbin/init
_libra_and you won't have suckit installed
_libra_starting to finish
_libra_some solutions to increase the difficulty of installing a backdoor
_libra_tools like http://la-samhna.de/samhain/
_libra_will help you maintain the files' integrity
_libra_to avoid LKM rootkits
_libra_I personally compile the kernel without LKM support
_libra_and, in the articles I have mentioned, there is some code to patch /dev/kmem to be read only
_libra_before the end, I want to thank Felipe Molina for the help given in making the tests and the ideas for the topics
_libra_END!!
