Wonder walk in Rootkit Land by Himanshu Khokhar

Post on 08-Jan-2017



Wonder Walk in Rootkit Land

Himanshu Khokhar

$ whoami

A computer security enthusiast

Currently doing graduation :p

Highly interested in malware and OS-related stuff

Find me here

Twitter: @rinne_parad0x

Rootkits… What are they and why should you care?

According to Wikipedia:

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.

Types

User Mode

Kernel Mode

Hypervisor Level

Firmware Based

Protection Rings

User Mode Rootkits

Operates in user land (Ring 3)

Can only control/manipulate user land data

Gives limited power

This is the focus of this talk.

Kernel Mode Rootkits

Operates in kernel land (Ring 0)

Can control everything in an OS

Very Powerful

Diving into the user mode rootkits

Basically, two types:

LD_PRELOAD based

ptrace() based

LD_PRELOAD Based Rootkits

LD_PRELOAD: An environment variable on Unix-based systems that makes the dynamic loader load the listed shared objects before any other shared object, so their symbols take precedence.

Abuses the dynamic library loading functionality of dynamically linked binaries.

FAILS against statically linked binaries.

Demo time

Compile it twice: once statically and once dynamically (the default way).

Static vs Dynamic Compilation

What happens when we try to load it into a statically compiled binary?

Moving onto the advanced part

Adding code to the hijacked function

What we saw in the previous slides was that we can write a custom function to achieve what we want, but most of the time we just want to filter out specific data, or we want something to be done when specific data is encountered.

In the last example we provided our own code for the function strcmp, but it is not possible for us to rewrite the whole functionality of every function we hijack/hook, so now we will see how to call the original function with the desired arguments.

A better version :p

Compile and test it
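The pass-through the previous slide describes, as an added example (not the talk's demo code): a shared object that exports its own strcmp, resolves libc's copy with dlsym(RTLD_NEXT) and forwards the call. hook_strcmp, hook_call_count and the call counter are my constructed names; the counter sits where the talk's filtering logic would go.

```c
/* Added example, not the talk's demo code: an LD_PRELOAD interposer that
 * hooks strcmp() and forwards every call to the real libc implementation.
 * Build as a shared object:  cc -shared -fPIC -o hook.so hook.c -ldl
 * Use on a dynamically linked target:  LD_PRELOAD=./hook.so ./target
 * A statically linked target never consults the loader, so it is never mapped. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* needed for RTLD_NEXT in <dlfcn.h> */
#endif
#include <dlfcn.h>
#include <string.h>

#ifndef RTLD_NEXT              /* glibc's value, in case feature macros were fixed before we got here */
#define RTLD_NEXT ((void *)-1l)
#endif

typedef int (*strcmp_fn)(const char *, const char *);
static strcmp_fn real_strcmp;  /* resolved lazily on the first call */
static unsigned long calls;    /* constructed bookkeeping: comparisons that passed through */

/* Byte-wise comparison used only if the real symbol cannot be resolved,
 * so the hooked process keeps working instead of crashing. */
static int fallback_strcmp(const char *a, const char *b) {
    while (*a && *a == *b) { a++; b++; }
    return (unsigned char)*a - (unsigned char)*b;
}

/* Ask the loader for the next definition of strcmp after this object in
 * search order: under LD_PRELOAD that is libc's copy, which we may call
 * with whatever arguments we choose. */
static strcmp_fn resolve_real_strcmp(void) {
    if (!real_strcmp)
        real_strcmp = (strcmp_fn)dlsym(RTLD_NEXT, "strcmp");
    return real_strcmp ? real_strcmp : fallback_strcmp;
}

/* The hook body: inspect or log the arguments here, then hand them on. */
int hook_strcmp(const char *s1, const char *s2) {
    calls++;
    return resolve_real_strcmp()(s1, s2);
}

unsigned long hook_call_count(void) { return calls; }

/* Exported under the libc name so the loader binds the target's strcmp() calls to us. */
int strcmp(const char *s1, const char *s2) {
    return hook_strcmp(s1, s2);
}
```

Because the object is only ever pulled in by the dynamic loader, a statically linked target is unaffected, which is exactly why the earlier demo fails against static binaries; on a host, an unexpected entry in LD_PRELOAD or /etc/ld.so.preload is the first thing to check.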

Hijacking rand()

About rand():

rand() is a function in the C library that is used to generate pseudo-random numbers for various uses.

Seems a good target

ptrace based rootkits

About ptrace()

man ptrace says: "The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing."

About ptrace based rootkit

Pros: Works on statically compiled binaries too

Cons: Need to attach to the binary; cannot ptrace anything while it is running. Big FAIL.

Too frustrating to write one :p Even writing a kernel-mode rootkit to achieve the same is easier.

Not worth the efforts. Seriously.

Thank you