
System Security

10/14/2010
USER-MODE ROOTKIT
Instructor: Nguyễn Nhật Thành – MMT5


CONTENTS

10/17/10
• User-mode rootkit overview.
• User-mode rootkits on UNIX.
• Linux Rootkit (LRK) family.
• Universal Rootkit (URK).
• RunEFS and Defiler's Toolkit.


OVERVIEW

• Fundamentals: rootkits are toolkits used by attackers (hackers) to hide their processes, files and actions from the administrator of the target machine.
• Includes: trojans, backdoors, other tools.
• Infection: via e-mail, security holes, vulnerabilities…
• Purpose: reconfigure the machine, gain root-level access, control the system, steal information…


Funny


ROOTKIT’S COMPONENTS

• Binary replacements that provide backdoor access.
• Binary replacements to hide the attacker.
• Other tools for hiding that do not replace binary programs.
• Additional odds and ends.
• Installation script (scenario).

LRK Family


LRK FAMILY – binary replacements


LRK FAMILY – replacement to hide


LRK FAMILY – other tools


URK – components

• RootKit components
• Login: The familiar login program lets users log in to a system. The URK login program includes a backdoor password that is located in the urk.conf file.
• Sshd: This sshd backdoor is not included in all releases of URK. For those versions that include it, the backdoor sshd supports remote encrypted backdoor access by the attacker.
• Ping: Normally the ping command is used to send an Internet Control Message Protocol (ICMP) Echo Request packet to another system to see if it is alive. The ping program built into URK, on the other hand, also includes a local backdoor. By typing the ping command, followed by the backdoor password, locally on the system from a low-privileged account, an attacker will be escalated to root privileges at the command prompt.
• Passwd: This program, typically used to set a user's password, is another local backdoor that works like the ping backdoor just described. By typing passwd [backdoor_password], the attacker will get root privileges.
URK – components

• su: The su command, which normally is used to alter a user's current login identity, includes a backdoor that functions just like the ping and passwd backdoors.
• Pidentd: This process offers a remote command shell backdoor, listening on TCP port 113. If the attacker connects to this port, types the characters 23, 113, and then the backdoor password, the system will respond with a remote root-level command shell.
• Ps: The ps program is used to show a list of running processes. This URK version filters out any processes that the attacker wants to hide on the system.


URK – components

• Top: Normally, top shows a continuously updated list of running programs on the machine. Like the URK version of ps, this program also filters out hidden processes.
• Find: The URK alters the find command, typically used to search for files, so that it filters the attacker's files from its output.
• Ls: The ls command included with URK filters an attacker's files from its output.
• Du: This command, which shows the disk usage of files, has been modified to lie about any space the attacker's files occupy.
• Netstat: The URK version of netstat shows all listening TCP and UDP ports, except those in use by the attacker.
• Sniffer: The sniffer program built into URK gathers network traffic destined for various services that use clear-text authentication, such as Telnet and FTP.

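The replaced ps, top and netstat binaries described above filter their own output, but they cannot alter the kernel's view in /proc. The following cross-view check, an added example that is not part of the original slides, compares the kernel view with the tool output and reports what the trojaned tools omit; the sample ps, netstat and /proc/net/tcp text is constructed for the demonstration.

```python
import os

def proc_pids(proc_root="/proc"):
    """PIDs as the kernel reports them in /proc; a trojaned ps binary cannot filter this."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}

def ps_pids(ps_output):
    """PIDs parsed from the text of `ps -e` (first column, header line skipped)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        cols = line.split()
        if cols and cols[0].isdigit():
            pids.add(int(cols[0]))
    return pids

def proc_listening_ports(proc_net_tcp):
    """Listening TCP ports from /proc/net/tcp text (hex local port, state 0A = LISTEN)."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:
        cols = line.split()
        if len(cols) > 3 and cols[3] == "0A":
            ports.add(int(cols[1].rsplit(":", 1)[1], 16))
    return ports

def netstat_listening_ports(netstat_output):
    """Listening TCP ports from the text of `netstat -tln`."""
    ports = set()
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0].startswith("tcp") and cols[5] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))
    return ports

def hidden_items(kernel_view, tool_view):
    """Entries present in the kernel's view but missing from the tool's output."""
    return sorted(kernel_view - tool_view)

# Constructed sample views: PID 4242 and TCP port 113 (the port URK's pidentd
# backdoor listens on) exist in the kernel view but are filtered by the tools.
SAMPLE_PROC_PIDS = {1, 612, 4242}
SAMPLE_PS = "  PID TTY      TIME CMD\n    1 ?    00:00:01 init\n  612 ?    00:00:00 sshd\n"
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1234\n"
    "   1: 00000000:0071 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1235\n")
SAMPLE_NETSTAT = "tcp   0   0 0.0.0.0:22   0.0.0.0:*   LISTEN\n"

if __name__ == "__main__":
    print("hidden PIDs: ", hidden_items(SAMPLE_PROC_PIDS, ps_pids(SAMPLE_PS)))
    print("hidden ports:", hidden_items(proc_listening_ports(SAMPLE_PROC_NET_TCP), netstat_listening_ports(SAMPLE_NETSTAT)))
```

On a live system, feed `proc_pids()` and the contents of /proc/net/tcp as the kernel view and the real `ps -e` / `netstat -tln` output as the tool view. A binary replacement cannot defeat this comparison, but a library-level or kernel-level rootkit can lie to both views, so run the check from trusted, statically linked tools or from offline media.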

URK – methodology


RunEFS AND DEFILER'S TOOLKIT


Thanks for your attention!
