Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Linux Rootkit Internals
@tkmru
December 23, 2017
Programming
1
1.2k
Linux Rootkit Internals
@tkmru
December 23, 2017
Tweet
Share
More Decks by @tkmru
See All by @tkmru
tkmru
2
410
tkmru
0
110
tkmru
0
2.7k
tkmru
19
9.5k
tkmru
0
150
tkmru
1
230
tkmru
0
170
tkmru
3
1.9k
Other Decks in Programming
See All in Programming
hkusu
0
260
emberconf
0
130
hr01
0
1.9k
manfredsteyer
PRO
0
140
orgachem
1
200
atamaplus
2
420
chimerast
0
320
tooppoo
1
440
tomoyanonymous
0
330
andpad
0
340
tom_uchida
0
130
chatii
2
260
Featured
See All Featured
colly
188
14k
danielanewman
201
20k
aarron
258
36k
bkeepers
PRO
54
4.3k
brad_frost
157
6.5k
lara
172
9.7k
rocio
155
11k
tmm1
61
9.9k
vanstee
117
4.9k
morganepeng
94
14k
shlominoach
176
7.6k
shpigford
165
19k
Transcript
Linux Rootkit Internals Cyber Wargame Christmas Party(େηΩϡϦςΟ) 12/23 @tkmru
ࣗݾհ • ͚ͨ·Δ(@tkmru) • CTFνʔϜ: TomoriNao • ಉਓࢽαʔΫϧ: TomoriNao •
ౙίϛʹམͪͨͷͰಉਓࢽʹॻ͘༧ఆͩͬ ͨωλΛൃද͠·͢
Rootkitͱ • ࡞ಈதͷϓϩηεϑΝΠϧɺϩάγες ϜσʔλΛӅ͢ϚϧΣΞ • ex) ps, topίϚϯυΛӅ͢ɺϚϧΣΞࣗମ ͷϑΝΠϧɺϓϩηεΛӅ͢ •
ࠓճͷLTͰରͱ͢ΔͷLinux͚ͷͷ
• GitHubʹOSSͱ͍ͯ͠Ζ͍Ζެ։͞Ε͍ͯΔ • ʢଟʣݚڀ༻ʁ • ϚϧΣΞͷίʔυ͕ಡΊΔʂʂ • ·ͱΊ: https://github.com/tkmru/awesome- linux-rootkits
GitHubʹίʔυ͕͋Δʂʂ
͍Ζ͍ΖͳLinux Rootkitͨͪ • LD_PRELOAD Rootkit • Kernel Module Rootkit •
Ramdisk based Rootkit
LD_PRELOAD Rootkit • ڥม LD_PRELOAD Λͬͯڞ༗ϥΠϒ ϥϦΛࠩ͠ସ͑Δ͜ͱ͕Ͱ͖Δ͜ͱΛͬͨ rootkit • ex)
Jinx2, vlany, azazel
LD_PRELOADͱ • ಡΈࠐ·ͤΔڞ༗ϥΠϒϥϦ(.so)ͷύεΛઃఆͰ͖Δ ڥม • γϯϘϧͷ໊લղܾͷͱ͖ γϯϘϧ໊͕িಥ͍ͯ͠Δͱ LD_PRELOADʹઃఆ͍ͯ͠Δ .so ͷؔΛ༏ઌͯ͠ಡ
Έʹߦ͘ • ͜ΕʹΑͬͯؔΛ্ॻ͖Ͱ͖ɺrootkitʹ༻͍Δ͜ͱ͕ Ͱ͖Δ
LD_PRELOADͱ $ ldd $(which ls) # ಈతϦϯΫ͞Ε͍ͯΔڞ༗ϥΠϒϥϦҰཡ linux-vdso.so.1 => (0x00007ffdc1b78000)
libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fbe97fb5000) libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007fbe97dad000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbe979e3000) libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fbe977a5000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbe975a1000) /lib64/ld-linux-x86-64.so.2 (0x000055f1ce4c8000) libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1 (0x00007fbe9739b000) $ LD_PRELOAD=./hook.so /bin/ls # lsͷؔΛϑοΫ!!
Kernel Module Rootkit • Loadable Kernel ModuleΛར༻ͯ͠ɺkernel ͷػೳΛॻ͖͑Δrootkit • Kernel
rootkitɺLKM(Loadable Kernel Module) rootkitͱݴΘΕΔ • ex) adore, suterusu, diamorphine, etc
Kernel Moduleͱ • ਖ਼໘͔Β KernelͷίʔυʹखΛೖΕɺػೳΛՃ͠Α ͏ͱ͢Δͱɺ࠶ίϯύΠϧͯ͠Ϧϒʔτ͢Δඞཁ͕͋ Δ • Kernel ModuleΛ͏ͱɺΧδϡΞϧʹKernelʹػೳ
ΛՃͰ͖Δ • ਖ਼͘͠NICͷσόΠευϥΠόΛՃ͢ΔͨΊʹ ΘΕΔ
Kernel Module Rootkit • γεςϜίʔϧΛϑοΫ͢ΔKernel ModuleΛՃ͢Δ͜ͱͰ RootkitͷػೳΛ࣮ݱ͍ͯ͠Δ • ҎԼಈ࡞ྫ •
֘͢ΔγεςϜίʔϧΛϑοΫͯ͠ॲཧΛมߋ͢Δɻ • ϑΝΠϧͷݺͼग़͠ΛϦμΠϨΫτͯ͠ɺผͷόΠφϦΛ࣮ ߦͤ͞Δɻ • ࠷ऴతʹग़ྗ͞ΕΔใͷΈΛมߋ͢Δɻ
Ramdisk based Rootkit • initrd(ॳظRAMσΟεΫ)Λॻ͖͑Δ͜ͱʹΑΔ rootkit • ׂΓͱ৽͍͠λΠϓͷrootkit • ex)
Horse Pill: black hat USA 2016 • https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz- Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf
initrdͱ • ϑΝΠϧγεςϜΛϚϯτ͢ΔͨΊͷϑΝΠϧ Λѹॖͨ͠ͷ • ॳظͷϒʔτϓϩηεͰΘΕΔ • initrd ͕ϩʔυ͞ΕΔͱɺϑΝΠϧɾγεςϜΛ ༻Մೳʹ͢ΔͨΊͷkernel
moduleͳͲ͕ಡΈࠐ· Εɺ/ ҎԼͷϑΝΠϧγεςϜ͕Ϛϯτ͞ΕΔ
ϒʔτϓϩηεͷͲͷล͔ʁ • UEFI • shim • grub • linooks •
initrd • systemd • app
$ ls -l /boot (Ұ෦লུ) drwxr-xr-x 5 root root 4096
Dec 9 06:40 grub -rw-r--r-- 1 root root 20566118 Dec 9 06:41 initrd.img-3.19.0-80- generic kernelΑΓ৽͍͠ -rw------- 1 root root 6595152 Jan 13 2017 vmlinuz-3.19.0-80-generic ɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹɹinitrdΑΓ৽͍͠ initrdΛݟͯΈΔ • /bootҎԼʹγεςϜʹΑͬͯಈతʹੜ͞ΕΔ • ͳͥʁ • ڥͷࠩҟʢϋʔυΤΞɺϑΝΠϧγεςϜ etcʣʹΑͬͯϑΝΠ ϧΛม͑Δඞཁ͕͋Δ • ιϑτΣΞɾΞοϓσʔτʹΑͬͯಈతʹߋ৽͞ΕΔ
$ file /boot/initrd.img-3.19.0-80-generic /boot/initrd.img-3.19.0-80-generic: gzip compressed data, from Unix, last
modified: Sat Dec 9 06:40:55 2017 $ gunzip --to-stdout /boot/initrd.img-3.19.0-80-generic | cpio -tvɹ(Ұ෦লུ) -rwxr-xr-x 1 root root 1600 Jun 13 2017 bin/insmod -rwxr-xr-x 1 root root 976 Jun 13 2017 bin/dmesg -rwxr-xr-x 1 root root 4872 Jun 13 2017 bin/run-init -rwxr-xr-x 1 root root 3904 Jun 13 2017 bin/dd • gzipͰѹॖ͞Ε͍ͯΔ • ίϚϯυͷόΠφϦɺϑΝʔϜΣΞͳͲ͕ ؚ·Ε͍ͯΔ initrdΛݟͯΈΔ
initrdΛͲ͏͏ͷ͔ • initrdͷதʹ͋Δ run-init Λॻ͖͑Δ • ϒʔτ࣌ʹrootkitͷϓϩηεΛੜ͢Δ • initrdಈతʹੜ͞ΕɺγεςϜͷߋ৽ʹ Α͕ͬͯ࣌มΘΔͷͰɺॻ͖͑ͯؾ͔ͮ
Εʹ͍͘
͓ΘΓʹ • ࠓlinux rootkit͕linuxͷͲΜͳΈΛ͍ͬͯΔ͔ հ͠·ͨ͠ • ݕ͢ΔʹɺOSSECchkrootkit, rkhunterͱ͍ͬͨ πʔϧ͕͋Δ •
OSSͱͯ͠ެ։͞Ε͍ͯΔrootkitΛͲΕ͘Β͍ݕͰ͖Δ ͔ࠓޙ͍ͬͯ͘ • ࣍ճ࡞ʹظ͍ͯͩ͘͠͞ʂʂʂ
ࢀߟࢿྉ • The magic of LD_PRELOAD for Userland Rootkits |
FlUxIuS' Blog (http:// fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland- rootkits/) • ΤϯλʔϓϥΠζɿୈ5ճɹkernel rootkitͷ֓ཁ (http://www.itmedia.co.jp/ enterprise/0306/10/epn12.html) • ˏITɿΠϯγσϯτϨεϙϯε͡ΊͷҰา ୈ4ճ ৵ೖऀֻ͕͚ΔLKM rootkit ͷ࣮ (http://www.atmarkit.co.jp/fsecurity/rensai/rootkit04/rootkit02.html) • The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint (https://blogs.forcepoint.com/security-labs/horse-pill-rootkit-vs-forcepoint- threat-protection-linux)
ղੳʹཱͭࢿྉ Linux Rootkit Detection With OSSEC • https://www.sans.org/reading-room/whitepapers/detection/rootkit- detection-ossec-34555 •
OSSECʹΑΔRootkitݕग़ʹ͍ͭͯॻ͔ΕͨSANS͕ग़͍ͯ͠Δࢿྉ Malware memory analysis of the Jynx2 Linux rootkit (Part 1) • http://www.dtic.mil/get-tr-doc/pdf?AD=AD1004190 • VolatilityΛͬͯJynx2ͷϝϞϦμϯϓΛղੳ͢ΔDRDC(ΧφμӴݚڀ։ ൃ)ͷࢿྉ
tkmru
hkusu
emberconf
hr01
manfredsteyer
orgachem
atamaplus
chimerast
tooppoo
tomoyanonymous
andpad
tom_uchida
chatii
colly
danielanewman
aarron
bkeepers
brad_frost
lara
rocio
tmm1
vanstee
morganepeng
shlominoach
shpigford
