Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Linux Rootkit Internals

@tkmru
December 23, 2017

Linux Rootkit Internals

@tkmru

December 23, 2017
Tweet

More Decks by @tkmru

Other Decks in Programming

Transcript

  1. Linux Rootkit
    Internals
    Cyber Wargame Christmas Party(େ࿨ηΩϡϦςΟ) 12/23
    @tkmru

    View full-size slide

  2. ࣗݾ঺հ
    • ͚ͨ·Δ(@tkmru)
    • CTFνʔϜ: TomoriNao
    • ಉਓࢽαʔΫϧ: TomoriNao
    • ౙίϛʹམͪͨͷͰಉਓࢽʹॻ͘༧ఆͩͬ
    ͨωλΛൃද͠·͢

    View full-size slide

  3. Rootkitͱ͸
    • ࡞ಈதͷϓϩηε΍ϑΝΠϧɺϩά΍γες
    ϜσʔλΛӅ͢Ϛϧ΢ΣΞ
    • ex) ps, topίϚϯυΛӅ͢ɺϚϧ΢ΣΞࣗମ
    ͷϑΝΠϧɺϓϩηεΛӅ͢
    • ࠓճͷLTͰର৅ͱ͢Δͷ͸Linux޲͚ͷ΋ͷ

    View full-size slide

  4. • GitHubʹOSSͱ͍ͯ͠Ζ͍Ζެ։͞Ε͍ͯΔ
    • ʢଟ෼ʣݚڀ༻ʁ
    • Ϛϧ΢ΣΞͷίʔυ͕ಡΊΔʂʂ
    • ·ͱΊ: https://github.com/tkmru/awesome-
    linux-rootkits
    GitHubʹίʔυ͕͋Δʂʂ

    View full-size slide

  5. ͍Ζ͍ΖͳLinux Rootkitͨͪ
    • LD_PRELOAD Rootkit
    • Kernel Module Rootkit
    • Ramdisk based Rootkit

    View full-size slide

  6. LD_PRELOAD Rootkit
    • ؀ڥม਺ LD_PRELOAD Λ࢖ͬͯڞ༗ϥΠϒ
    ϥϦΛࠩ͠ସ͑Δ͜ͱ͕Ͱ͖Δ͜ͱΛ࢖ͬͨ
    rootkit
    • ex) Jinx2, vlany, azazel

    View full-size slide

  7. LD_PRELOADͱ͸
    • ಡΈࠐ·ͤΔڞ༗ϥΠϒϥϦ(.so)ͷύεΛઃఆͰ͖Δ؀
    ڥม਺
    • γϯϘϧͷ໊લղܾͷͱ͖ γϯϘϧ໊͕িಥ͍ͯ͠Δͱ
    LD_PRELOADʹઃఆ͍ͯ͠Δ .so ಺ͷؔ਺Λ༏ઌͯ͠ಡ
    Έʹߦ͘
    • ͜ΕʹΑͬͯؔ਺Λ্ॻ͖Ͱ͖ɺrootkitʹ༻͍Δ͜ͱ͕
    Ͱ͖Δ

    View full-size slide

  8. LD_PRELOADͱ͸
    $ ldd $(which ls) # ಈతϦϯΫ͞Ε͍ͯΔڞ༗ϥΠϒϥϦҰཡ
    linux-vdso.so.1 => (0x00007ffdc1b78000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1
    (0x00007fbe97fb5000)
    libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007fbe97dad000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbe979e3000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3
    (0x00007fbe977a5000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbe975a1000)
    /lib64/ld-linux-x86-64.so.2 (0x000055f1ce4c8000)
    libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1
    (0x00007fbe9739b000)
    $ LD_PRELOAD=./hook.so /bin/ls # ls಺ͷؔ਺ΛϑοΫ!!

    View full-size slide

  9. Kernel Module Rootkit
    • Loadable Kernel ModuleΛར༻ͯ͠ɺkernel
    ͷػೳΛॻ͖׵͑Δrootkit
    • Kernel rootkitɺLKM(Loadable Kernel
    Module) rootkitͱ΋ݴΘΕΔ
    • ex) adore, suterusu, diamorphine, etc

    View full-size slide

  10. Kernel Moduleͱ͸
    • ਖ਼໘͔Β KernelͷίʔυʹखΛೖΕɺػೳΛ௥Ճ͠Α
    ͏ͱ͢Δͱɺ࠶ίϯύΠϧͯ͠Ϧϒʔτ͢Δඞཁ͕͋
    Δ
    • Kernel ModuleΛ࢖͏ͱɺΧδϡΞϧʹKernelʹػೳ
    Λ௥ՃͰ͖Δ
    • ਖ਼͘͠͸NIC౳ͷσόΠευϥΠόΛ௥Ճ͢ΔͨΊʹ
    ࢖ΘΕΔ

    View full-size slide

  11. Kernel Module Rootkit
    • γεςϜίʔϧΛϑοΫ͢ΔKernel ModuleΛ௥Ճ͢Δ͜ͱͰ
    RootkitͷػೳΛ࣮ݱ͍ͯ͠Δ
    • ҎԼಈ࡞ྫ
    • ௚઀֘౰͢ΔγεςϜίʔϧΛϑοΫͯ͠ॲཧΛมߋ͢Δɻ
    • ϑΝΠϧͷݺͼग़͠ΛϦμΠϨΫτͯ͠ɺผͷόΠφϦΛ࣮
    ߦͤ͞Δɻ
    • ࠷ऴతʹग़ྗ͞ΕΔ৘ใͷΈΛมߋ͢Δɻ

    View full-size slide

  12. Ramdisk based Rootkit
    • initrd(ॳظRAMσΟεΫ)Λॻ͖׵͑Δ͜ͱʹΑΔ
    rootkit
    • ׂΓͱ৽͍͠λΠϓͷrootkit
    • ex) Horse Pill: black hat USA 2016
    • https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-
    Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf

    View full-size slide

  13. initrdͱ͸
    • ϑΝΠϧγεςϜΛϚ΢ϯτ͢ΔͨΊͷϑΝΠϧ
    Λѹॖͨ͠΋ͷ
    • ॳظͷϒʔτϓϩηεͰ࢖ΘΕΔ
    • initrd ͕ϩʔυ͞ΕΔͱɺϑΝΠϧɾγεςϜΛ࢖
    ༻Մೳʹ͢ΔͨΊͷkernel moduleͳͲ͕ಡΈࠐ·
    Εɺ/ ҎԼͷϑΝΠϧγεςϜ͕Ϛ΢ϯτ͞ΕΔ

    View full-size slide

  14. ϒʔτϓϩηεͷͲͷล͔ʁ
    • UEFI
    • shim
    • grub
    • linooks
    • initrd
    • systemd
    • app

    View full-size slide

  15. $ ls -l /boot (Ұ෦লུ)
    drwxr-xr-x 5 root root 4096 Dec 9 06:40 grub
    -rw-r--r-- 1 root root 20566118 Dec 9 06:41 initrd.img-3.19.0-80-
    generic kernelΑΓ৽͍͠
    -rw------- 1 root root 6595152 Jan 13 2017 vmlinuz-3.19.0-80-generic
    ɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹinitrdΑΓ৽͍͠
    initrdΛݟͯΈΔ
    • /bootҎԼʹγεςϜʹΑͬͯಈతʹੜ੒͞ΕΔ
    • ͳͥʁ
    • ؀ڥͷࠩҟʢϋʔυ΢ΤΞɺϑΝΠϧγεςϜ etcʣʹΑͬͯϑΝΠ
    ϧΛม͑Δඞཁ͕͋Δ
    • ιϑτ΢ΣΞɾΞοϓσʔτʹΑͬͯಈతʹߋ৽͞ΕΔ

    View full-size slide

  16. $ file /boot/initrd.img-3.19.0-80-generic
    /boot/initrd.img-3.19.0-80-generic: gzip compressed data, from Unix, last modified: Sat Dec 9
    06:40:55 2017
    $ gunzip --to-stdout /boot/initrd.img-3.19.0-80-generic | cpio -tvɹ(Ұ෦লུ)
    -rwxr-xr-x 1 root root 1600 Jun 13 2017 bin/insmod
    -rwxr-xr-x 1 root root 976 Jun 13 2017 bin/dmesg
    -rwxr-xr-x 1 root root 4872 Jun 13 2017 bin/run-init
    -rwxr-xr-x 1 root root 3904 Jun 13 2017 bin/dd
    • gzipͰѹॖ͞Ε͍ͯΔ
    • ίϚϯυͷόΠφϦɺϑΝʔϜ΢ΣΞͳͲ͕
    ؚ·Ε͍ͯΔ
    initrdΛݟͯΈΔ

    View full-size slide

  17. initrdΛͲ͏࢖͏ͷ͔
    • initrdͷதʹ͋Δ run-init Λॻ͖׵͑Δ
    • ϒʔτ࣌ʹrootkitͷϓϩηεΛੜ੒͢Δ
    • initrd͸ಈతʹੜ੒͞ΕɺγεςϜͷߋ৽ʹ
    Αͬͯ೔͕࣌มΘΔͷͰɺॻ͖׵͑ͯ΋ؾ͔ͮ
    Εʹ͍͘

    View full-size slide

  18. ͓ΘΓʹ
    • ࠓ೔͸linux rootkit͕linuxͷͲΜͳ࢓૊ΈΛ࢖͍ͬͯΔ͔
    ঺հ͠·ͨ͠
    • ݕ஌͢Δʹ͸ɺOSSEC΍chkrootkit, rkhunterͱ͍ͬͨ
    πʔϧ͕͋Δ
    • OSSͱͯ͠ެ։͞Ε͍ͯΔrootkitΛͲΕ͘Β͍ݕ஌Ͱ͖Δ
    ͔ࠓޙ΍͍ͬͯ͘
    • ࣍ճ࡞ʹظ଴͍ͯͩ͘͠͞ʂʂʂ

    View full-size slide

  19. ࢀߟࢿྉ
    • The magic of LD_PRELOAD for Userland Rootkits | FlUxIuS' Blog (http://
    fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland-
    rootkits/)
    • ΤϯλʔϓϥΠζɿୈ5ճɹkernel rootkitͷ֓ཁ (http://www.itmedia.co.jp/
    enterprise/0306/10/epn12.html)
    • ˏITɿΠϯγσϯτϨεϙϯε͸͡ΊͷҰา ୈ4ճ ৵ೖऀ͕࢓ֻ͚ΔLKM rootkit
    ͷ࣮৘ (http://www.atmarkit.co.jp/fsecurity/rensai/rootkit04/rootkit02.html)
    • The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint
    (https://blogs.forcepoint.com/security-labs/horse-pill-rootkit-vs-forcepoint-
    threat-protection-linux)

    View full-size slide

  20. ղੳʹ໾ཱͭࢿྉ
    Linux Rootkit Detection With OSSEC
    • https://www.sans.org/reading-room/whitepapers/detection/rootkit-
    detection-ossec-34555
    • OSSECʹΑΔRootkitݕग़ʹ͍ͭͯॻ͔ΕͨSANS͕ग़͍ͯ͠Δࢿྉ
    Malware memory analysis of the Jynx2 Linux
    rootkit (Part 1)
    • http://www.dtic.mil/get-tr-doc/pdf?AD=AD1004190
    • VolatilityΛ࢖ͬͯJynx2ͷϝϞϦμϯϓΛղੳ͢ΔDRDC(Χφμ๷Ӵݚڀ։
    ൃ)ͷࢿྉ

    View full-size slide