10/14/2010
USER-MODE ROOTKIT
Instructor: Nguyễn Nhật Thành – MMT5
System Security
CONTENTS
10/17/10
User-mode rootkit overview.
User-mode rootkits on UNIX.
Linux Rootkit (LRK) family.
Universal Rootkit (URK).
RunEFS and Defiler's Toolkit.
OVERVIEW
Fundamentals: Rootkits are toolkits used by attackers (hackers) to hide their processes, files, actions and so on from the administrator of the target machine.
A rootkit typically includes trojaned binaries, backdoors and other tools.
ROOTKIT’S COMPONENTS
Binary replacements that provide backdoor access.
Binary replacements that hide the attacker's presence.
LRK Family
URK COMPONENTS
Login: The familiar login program lets users log in to a system. The URK login program includes a backdoor password, which is located in the urk.conf file.

Sshd: This sshd backdoor is not included in all releases of URK. For those versions that include it, the backdoor sshd supports remote encrypted backdoor access by the attacker.

Ping: Normally the ping command is used to send an Internet Control Message Protocol (ICMP) Echo Request packet to another system to see if it is alive. The ping program built into URK, on the other hand, also includes a local backdoor. By typing the ping command followed by the backdoor password locally on the system from a low-privileged account, an attacker is escalated to root privileges at the command prompt.

Passwd: This program, typically used to set a user's password, is another local backdoor that works like the ping backdoor just described. By typing passwd [backdoor_password], the attacker gets root privileges.
su: The su command, which normally is used to alter a user's current login identity, includes a backdoor that functions just like the ping and passwd backdoors.

Pidentd: This process offers a remote command shell backdoor, listening on TCP port 113. If the attacker connects to this port and types the characters 23, 113, and then the backdoor password, the system responds with a remote root-level command shell.

Ps: The ps program is used to show a list of running processes. This URK version filters out any processes that the attacker wants to hide on the system.
Find: The URK alters the find command, typically used to search for files, so that it filters the attacker's files from its output.

Ls: The ls command included with URK filters the attacker's files from its output.

Du: This command, which shows the disk usage of files, has been modified to lie about any space the attacker's files occupy.

Netstat: The URK version of netstat shows all listening TCP and UDP ports, except those in use by the attacker.

Sniffer: The sniffer program built into URK gathers network traffic destined for various services that use clear-text authentication, such as Telnet and FTP.
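As an added example (not part of the slides), a cross-view check in Python: because URK's ps and netstat are replaced user-space binaries while the kernel itself is untouched, comparing their output with what /proc reports directly exposes the PIDs and listening ports they filter out. The /proc/net/tcp and netstat text below is constructed sample data, with the pidentd backdoor on TCP 113 taken from the slide; a kernel-mode rootkit, which can also lie in /proc, would not be caught this way.

```python
import os
import subprocess
# Constructed sample data (not from a real host): kernel view shows sshd on 22, the
# pidentd backdoor on TCP 113 and one established connection; netstat shows only 22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0071 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""
def parse_proc_net_tcp_listening(text):
    """Listening TCP ports (state 0A) from /proc/net/tcp; the port field is hex."""
    ports = set()
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def parse_netstat_listening(text):
    """Listening TCP ports as printed by `netstat -lnt` (tcp and tcp6 rows)."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def parse_ps_pids(text):
    """PIDs as printed by `ps -e -o pid=` (one PID per line)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def hidden(kernel_view, tool_view):
    """Entries in the kernel's view that the (possibly trojaned) tool omits."""
    return kernel_view - tool_view

if __name__ == "__main__":  # live comparison on a Linux host
    with open("/proc/net/tcp") as f:
        kernel_ports = parse_proc_net_tcp_listening(f.read())
    netstat_out = subprocess.run(["netstat", "-lnt"], capture_output=True, text=True).stdout
    print("ports hidden from netstat:", hidden(kernel_ports, parse_netstat_listening(netstat_out)))
    kernel_pids = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True).stdout
    print("PIDs hidden from ps:", hidden(kernel_pids, parse_ps_pids(ps_out)))
```

On the constructed sample the port check returns {113}, the pidentd backdoor that the trojaned netstat omits; run live, an empty set from both comparisons means the two views agree.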
URK METHODOLOGY
THANKS FOR ATTENTION!