Linux is widely considered and appreciated as secure and reliable operating system. Especially for what concerns desktop users, the advantages of Linux in terms of security overwhelm the situation of other operating systems like, for example, Microsoft Windows. However malware like viruses and rootkits do exist for Linux as well, and they are especially dangerous for more tasty systems like those connected to large networks. In this article we will cover one particular set of malware: the rootkits.
A rootkit is essently a set of tools designed to set up an pathological environment inside the host’s operating system. It first needs to gain access to that system by means of various type of attacks. Having succeeded in doing so, the rootkit is designed to implement actions in order to take perform the fulfill the following objectives:
1- Establish a backdoor for future access to the host system
2- Perform malicious operations like gaining passwords or any kind of reserved and confidential information related to the compromised system (i.e. by means of keyloggers).
3- Using the compromised system to sniff communications within the network to which the system is connected
4- Attack other systems
5- Cover their tracks especially by deleting portions of log files
All these three objectives are related to the concept of the rootkit gaining superuser privileges within the infected system.
To assure future access to the system there are a few option.
- Connect via telnet. This method is a bit primitive and quite easy to be spot by the experienced administrator.
- Connection via SSH daemon. This method provides a higher level of stealth compared to the one above because the communication is encrypted and, by using a customized ssh daemon, it’s possible to avoid leaving traces of activities in log files. Provided that commands haven’t yet been replaced by the attacker’s customized ones, it is possible to spot ssh activity using the netstat command. This command is very useful to display inlet and outlet network connections as well as routing information and various network statistics.
- Other more subtle and advanced techniques like UDP listeners, backdoors on Internet Control Message Protocol (ICMP), backdoors opened through remote HTTP shells that mimic a regular browser connection to an internet website using a standard HTTP compliant protocol
My favourite one: covert channel backdoor. A covert channel attack is based on techniques that enable to transfer information using channels that aren’t normally meant for this operation. The advantage is clearly that of going stealth by creating a customized communication that will not be detected by the security systems. This method opens a world of creative ideas and suggestions about the creation of the protocol and the transmission method. For example I read (
http://www.invisiblethings.org/papers/joanna-passive_covert_channels-CCC04.ppt) that at least one method is to slightly change some fields in the packets generated by the HTTP communication. For more information check this (
http://www.fas.org/irp/nsa/rainbow/tg030.htm) book of the DoD Rainbow Series and these websites that are intereting resources in the fields of hacking and computer security. (
gray-world.net, http://invisiblethings.org)
In order to maintain the environment which enables the attacker to perform operations inside the victim’s system, part of the rootkit’s job is to acquire root privileges and substitute system administration commands with customized ones. For example an attacker could hack the netstat command in order to hide the unauthorized connections, killall to block administrators from killing rootkit processes or lsof to conceal open files from the list provided by this command.
Another task that rootkits must implement in order to maintain their stealth status is deleting log files. Rootkits can be more subtle and erase only part of log files or even change dates and references.
Rootkits that access the system as LKM can be even more malicious. LKM is an acronym of Loadable Kernel Module. This components represent a simple way to expand or add features to the kernel without the need of recompilation. Should a rootkit gain access to the system carried inside an LKM, it could modify the behavior of all a series of command without the need to replace them!
One funny (if ever) operation accomplished by rootkits is sometimes clearing the field from competition. Sophisticated rootkits have been found implemented with capability to remove pre existent malware on the target system.
From all this derives the best common sense advice agains rootkits: prevention. Despite the havoc they bring to a system once installed, rootkits aren’t designed as instrument for gaining access to the system. Therefore, after installing a new system, a good strategy is to concentrate all the efforts in the techniques for preventing attackers to gain access. Some common techniques include:
- firewall the networks
- avoid installation of LKM
- use strong passwords and change them routinely
- use secure encrypted communications like VPN and SSH
- avoid granting useless and potentially dangerous privileges to system users
Once having implemented the above mentioned techniques, there are techniques that can be used to harden the system to rootkit manipulation and tools that can be used to check for rootkits either by direct comparison or by deductive methods.
- keep an up to date list of the daemons and other services that are running in the system and monitor it for changes
- keep an up to date list of the modules loaded into the kernel by means of lsmod command. It shows the module name, size, use count and list of referring modules. Note that the same information can be found from /proc/modules.
- keep track of and install all the security patches that are released for the software installed in the system
- familiarize with netstat command to check the network connections. This command shows information as protocol name (TCP, UDP), IP address of the local computer as well as the port used, IP address of the remote computer to which the local computer is connected and state of the TCP connection. Another way to obtain the same data is to look at /proc/net/dev
- routinely run lsof command which is meant to list open files as well as the processes which opened them. By running lsof -i | grep
we can isolate a certain service / daemon and acquire information about the TCP port the file is listening. The option –i lists the IP sockets.
- remotely store log files to an external location so they can’t be manipulated directly on the system
- protect crucial files from modification by making them unchangeable. Typing $sudo chattr +i who will flag the who command as immutable. Note that although a superuser can’t delete a chattr +I flagged file, he can set mutable with chattr –i
Chkrootkit is a shell program designed to check for known rootkits activities like: system binaries modified by rootkits, promiscuous mode of the network interface, lastlog deletions, wtmp deletions, LKM Trojans, dirty strings replacement and utmp deletions. To run all the tests (which I consider wise) open the terminal and type sudo ./chkrootkit. A good idea would be to add chkrootkit to the system cron for routine checks and email the log report to the administrator. Chkrootkit can be found here (www.chkrootkit.org).
- Rootkit Hunter (rkhunter) is another tool to spot rootkits in your system. It will compare MD5 hash to spot files alterations, look for default files used by rootkits, wrong file permissions for binaries, suspected strings in LKM and KLD modules, hidden files, and optionally scan within plaintext and binary files. It’s an instrument similar to chkrootkit but I advise to use them bot for redundancy. The same advices regarding cron scheduling and remote reporting are valid also here. The common usage is sudo rkhunter –check. For more information chek the project website at http://www.rootkit.nl/projects/rootkit_hunter.html
- Tripwire and AIDE are two tools that perform useful checks on the files’ integrity. The rationale is simple: by comparing the MD5 values (http://en.wikipedia.org/wiki/MD5) of two versions of the the same file –a password protected sample and the in-use version in the system- they should find if a certain file was modified from the original version. Check the websites of the projects at http://www.tripwire.org and http://www.cs.tut.fi/~rammer/aide.html
If you’re a novice or an amateur administrator, I think that by reading this article you can have a better idea of some of the stuff that is involved in Linux systems security. If you’re a pro you’ll probably know all of this and maybe find me a bit retarded. In both cases I beg all of you to forgive all the mistakes and inaccuracies in the text.
Live long and prosperity and stay out of trouble.
