Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Linux Rootkit Internals
@tkmru
December 23, 2017
Programming
1
1.3k
Linux Rootkit Internals
@tkmru
December 23, 2017
Tweet
Share
More Decks by @tkmru
See All by @tkmru
tkmru
0
750
tkmru
1
140
tkmru
3
470
tkmru
0
130
tkmru
0
2.9k
tkmru
20
9.7k
tkmru
0
160
tkmru
1
240
tkmru
0
170
Other Decks in Programming
See All in Programming
hschwentner
1
540
banjun
PRO
0
130
treastrain
5
470
kurumai
1
670
hexarf
2
220
saten
5
700
d_date
8
980
sonatard
24
3.3k
suzukiot
0
190
koike91
1
310
inamiy
7
940
tatsuya4451
0
480
Featured
See All Featured
62gerente
593
210k
jacobian
260
20k
colly
190
14k
bryan
105
11k
sstephenson
149
12k
schacon
152
6.8k
mza
82
4.4k
jrom
119
7.4k
smashingmag
287
47k
roundedbygravity
85
8.1k
trishagee
37
4.6k
bryan
35
3.8k
Transcript
Linux Rootkit Internals Cyber Wargame Christmas Party(େηΩϡϦςΟ) 12/23 @tkmru
ࣗݾհ • ͚ͨ·Δ(@tkmru) • CTFνʔϜ: TomoriNao • ಉਓࢽαʔΫϧ: TomoriNao •
ౙίϛʹམͪͨͷͰಉਓࢽʹॻ͘༧ఆͩͬ ͨωλΛൃද͠·͢
Rootkitͱ • ࡞ಈதͷϓϩηεϑΝΠϧɺϩάγες ϜσʔλΛӅ͢ϚϧΣΞ • ex) ps, topίϚϯυΛӅ͢ɺϚϧΣΞࣗମ ͷϑΝΠϧɺϓϩηεΛӅ͢ •
ࠓճͷLTͰରͱ͢ΔͷLinux͚ͷͷ
• GitHubʹOSSͱ͍ͯ͠Ζ͍Ζެ։͞Ε͍ͯΔ • ʢଟʣݚڀ༻ʁ • ϚϧΣΞͷίʔυ͕ಡΊΔʂʂ • ·ͱΊ: https://github.com/tkmru/awesome- linux-rootkits
GitHubʹίʔυ͕͋Δʂʂ
͍Ζ͍ΖͳLinux Rootkitͨͪ • LD_PRELOAD Rootkit • Kernel Module Rootkit •
Ramdisk based Rootkit
LD_PRELOAD Rootkit • ڥม LD_PRELOAD Λͬͯڞ༗ϥΠϒ ϥϦΛࠩ͠ସ͑Δ͜ͱ͕Ͱ͖Δ͜ͱΛͬͨ rootkit • ex)
Jinx2, vlany, azazel
LD_PRELOADͱ • ಡΈࠐ·ͤΔڞ༗ϥΠϒϥϦ(.so)ͷύεΛઃఆͰ͖Δ ڥม • γϯϘϧͷ໊લղܾͷͱ͖ γϯϘϧ໊͕িಥ͍ͯ͠Δͱ LD_PRELOADʹઃఆ͍ͯ͠Δ .so ͷؔΛ༏ઌͯ͠ಡ
Έʹߦ͘ • ͜ΕʹΑͬͯؔΛ্ॻ͖Ͱ͖ɺrootkitʹ༻͍Δ͜ͱ͕ Ͱ͖Δ
LD_PRELOADͱ $ ldd $(which ls) # ಈతϦϯΫ͞Ε͍ͯΔڞ༗ϥΠϒϥϦҰཡ linux-vdso.so.1 => (0x00007ffdc1b78000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fbe97fb5000) libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007fbe97dad000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbe979e3000) libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fbe977a5000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbe975a1000) /lib64/ld-linux-x86-64.so.2 (0x000055f1ce4c8000) libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1 (0x00007fbe9739b000) $ LD_PRELOAD=./hook.so /bin/ls # lsͷؔΛϑοΫ!!
Kernel Module Rootkit • Loadable Kernel ModuleΛར༻ͯ͠ɺkernel ͷػೳΛॻ͖͑Δrootkit • Kernel
rootkitɺLKM(Loadable Kernel Module) rootkitͱݴΘΕΔ • ex) adore, suterusu, diamorphine, etc
Kernel Moduleͱ • ਖ਼໘͔Β KernelͷίʔυʹखΛೖΕɺػೳΛՃ͠Α ͏ͱ͢Δͱɺ࠶ίϯύΠϧͯ͠Ϧϒʔτ͢Δඞཁ͕͋ Δ • Kernel ModuleΛ͏ͱɺΧδϡΞϧʹKernelʹػೳ
ΛՃͰ͖Δ • ਖ਼͘͠NICͷσόΠευϥΠόΛՃ͢ΔͨΊʹ ΘΕΔ
Kernel Module Rootkit • γεςϜίʔϧΛϑοΫ͢ΔKernel ModuleΛՃ͢Δ͜ͱͰ RootkitͷػೳΛ࣮ݱ͍ͯ͠Δ • ҎԼಈ࡞ྫ •
֘͢ΔγεςϜίʔϧΛϑοΫͯ͠ॲཧΛมߋ͢Δɻ • ϑΝΠϧͷݺͼग़͠ΛϦμΠϨΫτͯ͠ɺผͷόΠφϦΛ࣮ ߦͤ͞Δɻ • ࠷ऴతʹग़ྗ͞ΕΔใͷΈΛมߋ͢Δɻ
Ramdisk based Rootkit • initrd(ॳظRAMσΟεΫ)Λॻ͖͑Δ͜ͱʹΑΔ rootkit • ׂΓͱ৽͍͠λΠϓͷrootkit • ex)
Horse Pill: black hat USA 2016 • https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz- Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf
initrdͱ • ϑΝΠϧγεςϜΛϚϯτ͢ΔͨΊͷϑΝΠϧ Λѹॖͨ͠ͷ • ॳظͷϒʔτϓϩηεͰΘΕΔ • initrd ͕ϩʔυ͞ΕΔͱɺϑΝΠϧɾγεςϜΛ ༻Մೳʹ͢ΔͨΊͷkernel
moduleͳͲ͕ಡΈࠐ· Εɺ/ ҎԼͷϑΝΠϧγεςϜ͕Ϛϯτ͞ΕΔ
ϒʔτϓϩηεͷͲͷล͔ʁ • UEFI • shim • grub • linooks •
initrd • systemd • app
$ ls -l /boot (Ұ෦লུ) drwxr-xr-x 5 root root 4096
Dec 9 06:40 grub -rw-r--r-- 1 root root 20566118 Dec 9 06:41 initrd.img-3.19.0-80- generic kernelΑΓ৽͍͠ -rw------- 1 root root 6595152 Jan 13 2017 vmlinuz-3.19.0-80-generic ɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹinitrdΑΓ৽͍͠ initrdΛݟͯΈΔ • /bootҎԼʹγεςϜʹΑͬͯಈతʹੜ͞ΕΔ • ͳͥʁ • ڥͷࠩҟʢϋʔυΤΞɺϑΝΠϧγεςϜ etcʣʹΑͬͯϑΝΠ ϧΛม͑Δඞཁ͕͋Δ • ιϑτΣΞɾΞοϓσʔτʹΑͬͯಈతʹߋ৽͞ΕΔ
$ file /boot/initrd.img-3.19.0-80-generic /boot/initrd.img-3.19.0-80-generic: gzip compressed data, from Unix, last
modified: Sat Dec 9 06:40:55 2017 $ gunzip --to-stdout /boot/initrd.img-3.19.0-80-generic | cpio -tvɹ(Ұ෦লུ) -rwxr-xr-x 1 root root 1600 Jun 13 2017 bin/insmod -rwxr-xr-x 1 root root 976 Jun 13 2017 bin/dmesg -rwxr-xr-x 1 root root 4872 Jun 13 2017 bin/run-init -rwxr-xr-x 1 root root 3904 Jun 13 2017 bin/dd • gzipͰѹॖ͞Ε͍ͯΔ • ίϚϯυͷόΠφϦɺϑΝʔϜΣΞͳͲ͕ ؚ·Ε͍ͯΔ initrdΛݟͯΈΔ
initrdΛͲ͏͏ͷ͔ • initrdͷதʹ͋Δ run-init Λॻ͖͑Δ • ϒʔτ࣌ʹrootkitͷϓϩηεΛੜ͢Δ • initrdಈతʹੜ͞ΕɺγεςϜͷߋ৽ʹ Α͕ͬͯ࣌มΘΔͷͰɺॻ͖͑ͯؾ͔ͮ
Εʹ͍͘
͓ΘΓʹ • ࠓlinux rootkit͕linuxͷͲΜͳΈΛ͍ͬͯΔ͔ հ͠·ͨ͠ • ݕ͢ΔʹɺOSSECchkrootkit, rkhunterͱ͍ͬͨ πʔϧ͕͋Δ •
OSSͱͯ͠ެ։͞Ε͍ͯΔrootkitΛͲΕ͘Β͍ݕͰ͖Δ ͔ࠓޙ͍ͬͯ͘ • ࣍ճ࡞ʹظ͍ͯͩ͘͠͞ʂʂʂ
ࢀߟࢿྉ • The magic of LD_PRELOAD for Userland Rootkits |
FlUxIuS' Blog (http:// fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland- rootkits/) • ΤϯλʔϓϥΠζɿୈ5ճɹkernel rootkitͷ֓ཁ (http://www.itmedia.co.jp/ enterprise/0306/10/epn12.html) • ˏITɿΠϯγσϯτϨεϙϯε͡ΊͷҰา ୈ4ճ ৵ೖऀֻ͕͚ΔLKM rootkit ͷ࣮ (http://www.atmarkit.co.jp/fsecurity/rensai/rootkit04/rootkit02.html) • The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint (https://blogs.forcepoint.com/security-labs/horse-pill-rootkit-vs-forcepoint- threat-protection-linux)
ղੳʹཱͭࢿྉ Linux Rootkit Detection With OSSEC • https://www.sans.org/reading-room/whitepapers/detection/rootkit- detection-ossec-34555 •
OSSECʹΑΔRootkitݕग़ʹ͍ͭͯॻ͔ΕͨSANS͕ग़͍ͯ͠Δࢿྉ Malware memory analysis of the Jynx2 Linux rootkit (Part 1) • http://www.dtic.mil/get-tr-doc/pdf?AD=AD1004190 • VolatilityΛͬͯJynx2ͷϝϞϦμϯϓΛղੳ͢ΔDRDC(ΧφμӴݚڀ։ ൃ)ͷࢿྉ
tkmru
hschwentner
banjun
treastrain
kurumai
hexarf
saten
d_date
sonatard
suzukiot
koike91
inamiy
tatsuya4451
62gerente
jacobian
colly
bryan
sstephenson
schacon
mza
jrom
smashingmag
roundedbygravity
trishagee
