LINUX ROOTKITS Chirk Chu Chief Security Officer University of Alaska Statewide System Information Technology Services

Definition
● Rootkit – Software toolkit designed to hide the presence of an intruder inside a compromised system.
● Two types of rootkits: user mode (trojaned system binaries and libraries) and kernel mode (loadable kernel modules that alter the running kernel itself, so every user-space tool is lied to).
● Rootkits may contain trojans, backdoors, sniffers, scanners, root-shell exploits, attack bots, IRC bots, keystroke loggers, log scrubbers and other hacking tools.

Rootkits found on UA systems
● t0rn
● MYRK
● Bobkit
● EPY
● Diablow
● Knark – LKM (loadable kernel module) rootkit
● RVDA – LKM rootkit

Uncovering Rootkits
● Use chkrootkit (http://www.chkrootkit.org).
● Image the system drive and examine the rootkit on a secure system running the same or a similar OS.
● If that is not possible, import original system binaries and/or libraries from a trusted source (statically linked, so they do not load the suspect libc) to perform the examination.
● Do not trust anything on the compromised system: a kernel-mode rootkit can lie to every user-space tool, including ls, ps, netstat and lsmod.
● Look for hidden files and directories.
● Look for trojans in boot-up scripts.
● Compare system binaries with distribution copies.

Preventing Rootkits
● Use network and host based firewalls (ipchains or iptables) and TCP Wrappers.
● Disable unused and unnecessary network services.
● Remove unused and unnecessary software packages.
● Patch the OS and applications on a regular basis.
● Stay current on security vulnerabilities.
● Compile and use a static kernel without LKM support, so a kernel-mode rootkit cannot be loaded as a module (one layer, not a complete fix: it does not stop code written into the running kernel through /dev/kmem).
● Use a host based IDS like Tripwire, with its baseline database kept on read-only media or off the monitored host, since a database on the monitored disk can be rewritten along with the binaries.
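An added example, not code from the slides or from the UA team: a small POSIX shell script that performs the offline checks from the "Uncovering Rootkits" slide (compare binaries against known-good copies, look for hidden directories, look for trojans in boot-up scripts) together with the Tripwire-style baseline from the last bullet above. It assumes the imaged drive is mounted read-only at a directory passed as ROOT, that the baseline manifest was taken on a clean install of the same distribution, and that find, sha256sum and grep come from the analyst's own system, never from the image. The directory tree, file names and file contents it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original slides: offline baseline-and-verify
# checks. Every tool invoked (find, sha256sum, grep) is the analyst's own;
# the suspect image is only read as data, never executed.
# The directory layout, file names and sample contents below are constructed
# for the demonstration.

set -u

# make_baseline ROOT OUTFILE
# Hash every regular file under ROOT's binary and library directories and
# record the digests with ROOT-relative paths, so the same manifest can later
# be checked against a mounted image of the disk (the Tripwire idea in 20 lines).
make_baseline() {
    root=$1; out=$2
    ( cd "$root" && find . -type f \( -path './bin/*' -o -path './sbin/*' \
          -o -path './usr/bin/*' -o -path './usr/sbin/*' -o -path './lib/*' \) \
        | LC_ALL=C sort | xargs -r sha256sum ) > "$out"
}

# verify_image ROOT MANIFEST
# Print one "MODIFIED path" or "MISSING path" line per difference.
# Returns 0 when the image matches the baseline, 1 otherwise.
verify_image() {
    root=$1; manifest=$2; bad=0
    while read -r sum path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# find_hidden_dirs ROOT
# Dot-named directories outside home directories (under /dev, /usr/src, /lib ...)
# are a classic rootkit stash; list them for manual review.
find_hidden_dirs() {
    ( cd "$1" && find . -path './*' -type d -name '.*' \
          ! -path './home/*' ! -path './root/*' 2>/dev/null )
}

# scan_boot_scripts ROOT
# Flag init-script lines that start something from a hidden path or from /tmp,
# which is where a rootkit's backdoor daemon is typically launched at boot.
scan_boot_scripts() {
    ( cd "$1" && grep -nE '/\.[^/ ]+/|/tmp/' \
          etc/rc.d/rc.sysinit etc/rc.d/rc.local etc/rc.local etc/inittab 2>/dev/null )
}

# build_demo DIR
# Construct a tiny "clean" tree and a "compromised image" of it: the image has
# a replaced /bin/ls, a hidden directory under /dev and an extra rc.sysinit line.
build_demo() {
    d=$1
    for t in clean image; do
        mkdir -p "$d/$t/bin" "$d/$t/sbin" "$d/$t/usr/bin" "$d/$t/lib" "$d/$t/etc/rc.d"
    done
    printf 'ls-v1\n' > "$d/clean/bin/ls"
    printf 'ps-v1\n' > "$d/clean/bin/ps"
    printf 'echo booting\n' > "$d/clean/etc/rc.d/rc.sysinit"
    cp "$d/clean/bin/ps" "$d/image/bin/ps"
    printf 'trojaned ls\n' > "$d/image/bin/ls"
    mkdir -p "$d/image/dev/.hidden"
    printf 'echo booting\n/dev/.hidden/sshd -q\n' > "$d/image/etc/rc.d/rc.sysinit"
}

# Walk-through on the constructed tree; in real use the baseline comes from a
# clean install and ROOT is the mount point of the imaged drive.
demo=$(mktemp -d)
build_demo "$demo"
make_baseline "$demo/clean" "$demo/baseline.sha256"
echo "== binaries vs baseline =="
verify_image "$demo/image" "$demo/baseline.sha256" || echo "image differs from baseline"
echo "== hidden directories =="
find_hidden_dirs "$demo/image"
echo "== suspicious boot-script lines =="
scan_boot_scripts "$demo/image"
rm -rf "$demo"
```

On a Red Hat host the distribution-copy comparison is usually done with rpm -V, but note that rpm -V reads its database from /var/lib/rpm on the suspect disk, which an intruder can rewrite along with the binaries; a manifest taken on a clean box and kept elsewhere, as above, does not have that weakness. Running the checks against a mounted image rather than on the live host is what defeats a kernel-mode rootkit, which can hide files and processes from any tool executed under the compromised kernel.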

Live Demonstration
● t0rn Rootkit
● Author: a 21-year-old from Surbiton, Surrey, England; arrested by Scotland Yard in September 2002.
● Analysis available at: http://www.securityfocus.com/infocus/1230

Live Demonstration
● RVDA Rootkit
● It is an LKM (loadable kernel module) rootkit.
● Found on a UAF CS test server running Red Hat 7.2.
● Functions only on an unpatched kernel.
● Source code is very small.
● Romanian in origin?