HSC
Cabinet de consultants en sécurité informatique depuis 1989 - Spécialisé sur Unix, Windows, TCP/IP et Internet
Mode texte : accès au contenu de la page
Hervé Schauer Consultants
Vous êtes ici : Accueil > Ressources > Brèves > RKSCAN : Scanner for loadable kernel-module rootkits
Accéder au : Site HSC des formations
Télécharger le catalogue des formations
Recherche :  
English version
   Services   
o Domaines de compétences
o Conseil & Expertise
o Prestations ISO 27001
o Audit & Évaluation
o Tests d'intrusion
o Tests de vulnérabilités (TSAR)
o Analyse Forensique
o Certification ARJEL
o Formations
o E-learning
   Conférences   
o Agenda
o Interventions passées
o Tutoriels
   Ressources   
o Index thématique
o Brèves
o Présentations
o Cours
o Articles
o Outils (téléchargement)
o Veille en vulnérabilité
   Société   
o Hervé Schauer
o Equipe
o Offres d'emploi
o Références
o Historique
o Partenariats
o Associations
   Presse et
 communication
 
 
o Newsletter HSC
o Bulletin juridique HSC
o Revue de presse
o Communiqués de presse
o Publications
   Contacts   
o Coordonnées
o Requêtes particulières
o Accès à nos locaux
o Hôtels proches de nos locaux
|>|RKSCAN : Scanner for loadable kernel-module rootkits  

par Stéphane Aubert (25/10/2000)




========================================================

      Scanner for loadable kernel-module rootkits 

   (Analysis and detection tool for KNARK and ADORE)

========================================================

Stephane Aubert <Stephane.Aubert@hsc.fr>
Hervé Schauer Consultants (http://www.hsc.fr)

rkscan is a kernel-based module rootkit scanner for Linux,
it detects Adore (v0.14, v0.2b and v0.24) and knark (v0.59). 

rkscan.c is available at the end of this mail.


Introduction
============

When running on a computer, rootkits allows an unprivileged user
to hide files, hide process, run commands as root ... 
that's why they are called rootkits !

krk (Kernel-based RootKits) are still rootkits but now they don't 
need to change the ls, ps or find binaries because they are 
intercepting system calls.

krk seem to be very difficult to detect while running on 
a rooted computer.

rkscan is a small scanner to help sysadmins to detect infected 
computers by:

   . KNARK version 0.59 
     knarf is written by Creed <creed@sekure.net>
     and can be found on packetstrom.securify.com

   . ADORE versions 0.14, 0.2b and 0.24
     Adore is written by Stealth
     and can be found on http://spider.scorpions.net/~stealth/


rkscan.c is given at the end of the mail and will be available on 
  <URL: http://www.hsc.fr/ressources/outils/>

( Only in a few days ... I am at SANS NS2000 in Monterey :)
  I have written this first version during Dave Dittrich's course 
  on DDOS, thanx Dave for this course !)

Don't forget :
  There are differents technics to protect yourself against krk, 
  the best one is certainly to disable the kernel-module support.


Usage
=====

Just run : ./rkscan

Example:

!! Don't run the following command unless you know what you are doing.
# insmod adore.o 
# exit 

% ./rkscan                   
-=-      Rootkit Scanner      -=-
-=- by Stephane.Aubert@hsc.fr -=-

  Scanning for ADORE version 0.14, 0.2b and 0.24 ...
  #ADORE rootkit is running with ELITE_CMD=50666 !

  Scanning for KNARK version 0.59 ...
  KNARK rootkit NOT DETECTED on this system.

Done.
% ./ava U U
Checking for adore  0.12 or higher ...
Adore 0.14 installed. Good luck.
Adore 0.14 de-installed.


How it works
============

Adore v0.14 uses a setuid call to detect if its module is loaded:

  #define ELITE_CMD 31337
  int adore_installed() {
      return setuid(ELITE_CMD+2);
  }
  ...
  printf("Checking for adore  0.12 or higher ...\n");
  if ((version = adore_installed()) <= 0) {
      printf("Adore NOT installed. Exiting.\n");
      exit(1);
  }

Adore v0.24 uses a setuid call to detect if its module is loaded:
  (ELITE_CMD is fixed in the Makefile to 61855)

  adore_t *adore_init()
  {
     adore_t *ret = calloc(1, sizeof(adore_t));
     ret->version = setuid(ELITE_CMD+2);
     return ret;
  }

Knark uses a settimeofday call to detect if its module is loaded:

  #define KNARK_GIMME_ROOT 9000
  ...
  if(settimeofday((struct timeval *)KNARK_GIMME_ROOT,
                      (struct timezone *)NULL) == -1) {
      perror("settimeofday");
      fprintf(stderr, "Have you really loaded knark.o?!\n");
      exit(-1);
  }

So the main problem is to find the ELITE_CMD or KNARK_GIMME_ROOT values
that can have been changed.

That's why we need a scanner to test each possible values.


Bad news
========

Future versions of these rootkits will certainly use crypto or just
something like the following lines in oder to hide themself more and more.

  #define ELITE_CMD 31337
  #define KEY_1 42843
  #define KEY_2 89843
  #define KEY_3 11343
  #define KEY_4 17323
  #define KEY_5 64543
  /* may be more */

  int ItIsMe() {
    setuid(KEY_1);   /* put a global var to the first state (state=1;)  */
    setuid(KEY_2);   /* action: state=(state==1?2:0);                   */
    setuid(KEY_3);   /* and so on ...                                   */
    setuid(KEY_4);   /* and so on ...                                   */
    setuid(KEY_5);   /* and so on ...                                   */
  }
  int adore_installed() {
    ItIsMe();
    return setuid(ELITE_CMD+2); /* ok if state==5 and ELITE_CMD is good */
  }

And it will be more and more difficult to scan these krk :(

It's time to rebuild you kernel and disable module support !


The scanner
===========

/** rkscan.c (C) 2000 by Stephane Aubert
 ** <Stephane.Aubert@hsc.fr>
 **
 ** Rootkit Scanner for: 
 **   . KNARK version 0.59 
 **     (kernel-based rootkit)
 **     knarf was written by Creed <creed@sekure.net>
 **     and can be found on packetstrom.securify.com
 **
 **   . ADORE version : 0.14, 0.24 and 2.0b
 **     (kernel-based rootkit)
 **     Adore was written by Stealth
 **     and can be found on http://spider.scorpions.net/~stealth/
 **/

#include <sys/types.h>
#include <values.h>
#include <unistd.h>
#include <stdio.h>
#include <time.h>

// Use MAXINT for a fullscan
#define UPSCAN 65535 

int knark_scan( void ) {
    int command;
    printf("  Scanning for KNARK version 0.59 ...\n");
    for( command=UPSCAN; command>=0; command-- ) {
      if(settimeofday((struct timeval *)command,
                      (struct timezone *)NULL) == 0) {
          printf("  #KNARK rootkit is running (settimeofday command=%d) !\n\n",
                 command );
	  return 1;
      }
    }
    printf("  KNARK rootkit NOT DETECTED on this system.\n\n");
    return 0;
}

int adore_scan( void ) {
    int version;
    uid_t uid;
    printf("  Scanning for ADORE version 0.14, 0.24 and 2.0b ...\n");
    // for all possible UIDs
    for( uid=UPSCAN; uid>=2; uid-- ) {
      if( getpwuid(uid) == NULL ) { // if UID is not in /etc/passwd
        if(  (version=setuid( uid )) >0 ) {
          printf("  #ADORE rootkit is running with ELITE_CMD=%d !\n\n", uid-2 );
          return 1;
        }
      }
    }
    printf("  ADORE rootkit NOT DETECTED on this system.\n\n");
    return 0;
}

int main( int argc, char *argv[] ) {
    int retval=0;
    printf("-=-      Rootkit Scanner      -=-\n"
           "-=- by Stephane.Aubert@hsc.fr -=-\n\n");

    if( getuid()==0 ) {
      printf("  *** Don't run this scanner as root ! ***\n\n");
      exit( 0 );
    }

    retval += adore_scan();
    retval += knark_scan();

    printf("Done.\n");    
    exit( retval );
}

==EOF===================================================




Dernière modification le 30 mars 2006 à 19:13:52 CET - webmaster@hsc.fr
Mentions légales - Informations sur ce serveur - © 1989-2013 Hervé Schauer Consultants