Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Linux Rootkit Internals

@tkmru
December 23, 2017
Programming
1
1.6k

Linux Rootkit Internals

@tkmru

December 23, 2017
Tweet

More Decks by @tkmru

See All by @tkmru
ipa-medit: Memory search and patch tool for IPA without Jailbreaking/ipa-medit-bh2022-europe
tkmru
0
150
Ipa-medit: Memory modification tool for iOS apps without Jailbreaking/ipa-medit-codeblue2022
tkmru
0
73
趣味と実益のための著名なOSSライブラリ起因の脆弱性の探求/seccamp2021-b5
tkmru
0
3.7k
Ipa-medit: Memory Search and Patch Tool for IPA Without Jailbreaking @Black Hat USA 2021 Arsenal/ipa-medit-bh2021-usa
tkmru
1
3.6k
Learn the essential way of thinking about vulnerabilities through post-exploitation on middlewares (MySQL/PostgreSQL編)/seccamp2020-b8
tkmru
3
640
apk-medit: memory search and patch tool for debuggable APK @CODE BLUE 2020 Bluebox
tkmru
0
160
apk-medit: memory search and patch tool for debuggable APK @Black Hat USA 2020 Arsenal/apk-medit-bh2020-usa
tkmru
0
3.6k
めんどうくさいゲームセキュリティ
tkmru
20
10k
Unicornを用いたDead Code除去
tkmru
0
170

Other Decks in Programming

See All in Programming
改めて整理するWebアプリのビルド・デプロイの基本
os1ma
3
520
230307北海道オープンデータ推進セミナー
furukawayasuto
1
180
ChatGPTで見えてきたクローンデジタルエンジニア構想 ~ポスト・エンジニア戦略~
en2zo
0
180
ChatGPTによるデータ変換がもたらすインパクト
masahiro_nishimi
2
900
Flaky Tests - Fighting Nightmares
leichteckig
0
200
DevRel/Japan 2023 - 1つの事業部だけで行う DevRel とは
hcrane
0
280
LayerXにおける ChatGPTを活用したPoC事例 / layerx-poc-with-chatgpt
yuya4
2
1.7k
NOT A HOTEL
AIコンシェルジュ「Kevin」の開発秘話
codehex
2
2.3k
CSC308 Lecture 23
javiergs
PRO
0
140
macのunicode正規化.pdf
mski_iksm
0
760
kotlin-resultを用いて鉄道志向なエラーハンドリングを試みる
blackbracken
1
160
CSC309 Lecture 19
javiergs
PRO
0
130

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
349
27k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
A Philosophy of Restraint
colly
193
15k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
19k
Gamification - CAS2011
davidbonilla
75
4.2k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
From Idea to $5000 a Month in 5 Months
shpigford
374
44k
Creatively Recalculating Your Daily Design Routine
revolveconf
207
11k
The Brand Is Dead. Long Live the Brand.
mthomps
48
3k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
WebSockets: Embracing the real-time Web
robhawkes
58
6.1k
How GitHub Uses GitHub to Build GitHub
holman
466
280k

Transcript

  1. Linux Rootkit
    Internals
    Cyber Wargame Christmas Party(େ࿨ηΩϡϦςΟ) 12/23
    @tkmru

    View Slide

  2. ࣗݾ঺հ
    • ͚ͨ·Δ(@tkmru)
    • CTFνʔϜ: TomoriNao
    • ಉਓࢽαʔΫϧ: TomoriNao
    • ౙίϛʹམͪͨͷͰಉਓࢽʹॻ͘༧ఆͩͬ
    ͨωλΛൃද͠·͢

    View Slide

  3. Rootkitͱ͸
    • ࡞ಈதͷϓϩηε΍ϑΝΠϧɺϩά΍γες
    ϜσʔλΛӅ͢Ϛϧ΢ΣΞ
    • ex) ps, topίϚϯυΛӅ͢ɺϚϧ΢ΣΞࣗମ
    ͷϑΝΠϧɺϓϩηεΛӅ͢
    • ࠓճͷLTͰର৅ͱ͢Δͷ͸Linux޲͚ͷ΋ͷ

    View Slide

  4. • GitHubʹOSSͱ͍ͯ͠Ζ͍Ζެ։͞Ε͍ͯΔ
    • ʢଟ෼ʣݚڀ༻ʁ
    • Ϛϧ΢ΣΞͷίʔυ͕ಡΊΔʂʂ
    • ·ͱΊ: https://github.com/tkmru/awesome-
    linux-rootkits
    GitHubʹίʔυ͕͋Δʂʂ

    View Slide

  5. ͍Ζ͍ΖͳLinux Rootkitͨͪ
    • LD_PRELOAD Rootkit
    • Kernel Module Rootkit
    • Ramdisk based Rootkit

    View Slide

  6. LD_PRELOAD Rootkit
    • ؀ڥม਺ LD_PRELOAD Λ࢖ͬͯڞ༗ϥΠϒ
    ϥϦΛࠩ͠ସ͑Δ͜ͱ͕Ͱ͖Δ͜ͱΛ࢖ͬͨ
    rootkit
    • ex) Jinx2, vlany, azazel

    View Slide

  7. LD_PRELOADͱ͸
    • ಡΈࠐ·ͤΔڞ༗ϥΠϒϥϦ(.so)ͷύεΛઃఆͰ͖Δ؀
    ڥม਺
    • γϯϘϧͷ໊લղܾͷͱ͖ γϯϘϧ໊͕িಥ͍ͯ͠Δͱ
    LD_PRELOADʹઃఆ͍ͯ͠Δ .so ಺ͷؔ਺Λ༏ઌͯ͠ಡ
    Έʹߦ͘
    • ͜ΕʹΑͬͯؔ਺Λ্ॻ͖Ͱ͖ɺrootkitʹ༻͍Δ͜ͱ͕
    Ͱ͖Δ

    View Slide

  8. LD_PRELOADͱ͸
    $ ldd $(which ls) # ಈతϦϯΫ͞Ε͍ͯΔڞ༗ϥΠϒϥϦҰཡ
    linux-vdso.so.1 => (0x00007ffdc1b78000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1
    (0x00007fbe97fb5000)
    libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007fbe97dad000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbe979e3000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3
    (0x00007fbe977a5000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbe975a1000)
    /lib64/ld-linux-x86-64.so.2 (0x000055f1ce4c8000)
    libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1
    (0x00007fbe9739b000)
    $ LD_PRELOAD=./hook.so /bin/ls # ls಺ͷؔ਺ΛϑοΫ!!

    View Slide

  9. Kernel Module Rootkit
    • Loadable Kernel ModuleΛར༻ͯ͠ɺkernel
    ͷػೳΛॻ͖׵͑Δrootkit
    • Kernel rootkitɺLKM(Loadable Kernel
    Module) rootkitͱ΋ݴΘΕΔ
    • ex) adore, suterusu, diamorphine, etc

    View Slide

  10. Kernel Moduleͱ͸
    • ਖ਼໘͔Β KernelͷίʔυʹखΛೖΕɺػೳΛ௥Ճ͠Α
    ͏ͱ͢Δͱɺ࠶ίϯύΠϧͯ͠Ϧϒʔτ͢Δඞཁ͕͋
    Δ
    • Kernel ModuleΛ࢖͏ͱɺΧδϡΞϧʹKernelʹػೳ
    Λ௥ՃͰ͖Δ
    • ਖ਼͘͠͸NIC౳ͷσόΠευϥΠόΛ௥Ճ͢ΔͨΊʹ
    ࢖ΘΕΔ

    View Slide

  11. Kernel Module Rootkit
    • γεςϜίʔϧΛϑοΫ͢ΔKernel ModuleΛ௥Ճ͢Δ͜ͱͰ
    RootkitͷػೳΛ࣮ݱ͍ͯ͠Δ
    • ҎԼಈ࡞ྫ
    • ௚઀֘౰͢ΔγεςϜίʔϧΛϑοΫͯ͠ॲཧΛมߋ͢Δɻ
    • ϑΝΠϧͷݺͼग़͠ΛϦμΠϨΫτͯ͠ɺผͷόΠφϦΛ࣮
    ߦͤ͞Δɻ
    • ࠷ऴతʹग़ྗ͞ΕΔ৘ใͷΈΛมߋ͢Δɻ

    View Slide

  12. Ramdisk based Rootkit
    • initrd(ॳظRAMσΟεΫ)Λॻ͖׵͑Δ͜ͱʹΑΔ
    rootkit
    • ׂΓͱ৽͍͠λΠϓͷrootkit
    • ex) Horse Pill: black hat USA 2016
    • https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-
    Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf

    View Slide

  13. initrdͱ͸
    • ϑΝΠϧγεςϜΛϚ΢ϯτ͢ΔͨΊͷϑΝΠϧ
    Λѹॖͨ͠΋ͷ
    • ॳظͷϒʔτϓϩηεͰ࢖ΘΕΔ
    • initrd ͕ϩʔυ͞ΕΔͱɺϑΝΠϧɾγεςϜΛ࢖
    ༻Մೳʹ͢ΔͨΊͷkernel moduleͳͲ͕ಡΈࠐ·
    Εɺ/ ҎԼͷϑΝΠϧγεςϜ͕Ϛ΢ϯτ͞ΕΔ

    View Slide

  14. ϒʔτϓϩηεͷͲͷล͔ʁ
    • UEFI
    • shim
    • grub
    • linooks
    • initrd
    • systemd
    • app

    View Slide

  15. $ ls -l /boot (Ұ෦লུ)
    drwxr-xr-x 5 root root 4096 Dec 9 06:40 grub
    -rw-r--r-- 1 root root 20566118 Dec 9 06:41 initrd.img-3.19.0-80-
    generic kernelΑΓ৽͍͠
    -rw------- 1 root root 6595152 Jan 13 2017 vmlinuz-3.19.0-80-generic
    ɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹinitrdΑΓ৽͍͠
    initrdΛݟͯΈΔ
    • /bootҎԼʹγεςϜʹΑͬͯಈతʹੜ੒͞ΕΔ
    • ͳͥʁ
    • ؀ڥͷࠩҟʢϋʔυ΢ΤΞɺϑΝΠϧγεςϜ etcʣʹΑͬͯϑΝΠ
    ϧΛม͑Δඞཁ͕͋Δ
    • ιϑτ΢ΣΞɾΞοϓσʔτʹΑͬͯಈతʹߋ৽͞ΕΔ

    View Slide

  16. $ file /boot/initrd.img-3.19.0-80-generic
    /boot/initrd.img-3.19.0-80-generic: gzip compressed data, from Unix, last modified: Sat Dec 9
    06:40:55 2017
    $ gunzip --to-stdout /boot/initrd.img-3.19.0-80-generic | cpio -tvɹ(Ұ෦লུ)
    -rwxr-xr-x 1 root root 1600 Jun 13 2017 bin/insmod
    -rwxr-xr-x 1 root root 976 Jun 13 2017 bin/dmesg
    -rwxr-xr-x 1 root root 4872 Jun 13 2017 bin/run-init
    -rwxr-xr-x 1 root root 3904 Jun 13 2017 bin/dd
    • gzipͰѹॖ͞Ε͍ͯΔ
    • ίϚϯυͷόΠφϦɺϑΝʔϜ΢ΣΞͳͲ͕
    ؚ·Ε͍ͯΔ
    initrdΛݟͯΈΔ

    View Slide

  17. initrdΛͲ͏࢖͏ͷ͔
    • initrdͷதʹ͋Δ run-init Λॻ͖׵͑Δ
    • ϒʔτ࣌ʹrootkitͷϓϩηεΛੜ੒͢Δ
    • initrd͸ಈతʹੜ੒͞ΕɺγεςϜͷߋ৽ʹ
    Αͬͯ೔͕࣌มΘΔͷͰɺॻ͖׵͑ͯ΋ؾ͔ͮ
    Εʹ͍͘

    View Slide

  18. ͓ΘΓʹ
    • ࠓ೔͸linux rootkit͕linuxͷͲΜͳ࢓૊ΈΛ࢖͍ͬͯΔ͔
    ঺հ͠·ͨ͠
    • ݕ஌͢Δʹ͸ɺOSSEC΍chkrootkit, rkhunterͱ͍ͬͨ
    πʔϧ͕͋Δ
    • OSSͱͯ͠ެ։͞Ε͍ͯΔrootkitΛͲΕ͘Β͍ݕ஌Ͱ͖Δ
    ͔ࠓޙ΍͍ͬͯ͘
    • ࣍ճ࡞ʹظ଴͍ͯͩ͘͠͞ʂʂʂ

    View Slide

  19. ࢀߟࢿྉ
    • The magic of LD_PRELOAD for Userland Rootkits | FlUxIuS' Blog (http://
    fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland-
    rootkits/)
    • ΤϯλʔϓϥΠζɿୈ5ճɹkernel rootkitͷ֓ཁ (http://www.itmedia.co.jp/
    enterprise/0306/10/epn12.html)
    • ˏITɿΠϯγσϯτϨεϙϯε͸͡ΊͷҰา ୈ4ճ ৵ೖऀ͕࢓ֻ͚ΔLKM rootkit
    ͷ࣮৘ (http://www.atmarkit.co.jp/fsecurity/rensai/rootkit04/rootkit02.html)
    • The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint
    (https://blogs.forcepoint.com/security-labs/horse-pill-rootkit-vs-forcepoint-
    threat-protection-linux)

    View Slide

  20. ղੳʹ໾ཱͭࢿྉ
    Linux Rootkit Detection With OSSEC
    • https://www.sans.org/reading-room/whitepapers/detection/rootkit-
    detection-ossec-34555
    • OSSECʹΑΔRootkitݕग़ʹ͍ͭͯॻ͔ΕͨSANS͕ग़͍ͯ͠Δࢿྉ
    Malware memory analysis of the Jynx2 Linux
    rootkit (Part 1)
    • http://www.dtic.mil/get-tr-doc/pdf?AD=AD1004190
    • VolatilityΛ࢖ͬͯJynx2ͷϝϞϦμϯϓΛղੳ͢ΔDRDC(Χφμ๷Ӵݚڀ։
    ൃ)ͷࢿྉ

    View Slide