5.1 Rootkit Attacks (Script Kiddies)

[Figure: danger level 5 icon]

The NSA Glossary of Terms Used in Security and Intrusion Detection defines a Rootkit as:

A [cracker] security tool that captures passwords and message traffic to and from a computer. A collection of tools that allows a [cracker] to provide a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised, and much more. Rootkit is a classic example of Trojan horse software.

The second definition, a set of tools to maintain a backdoor and hide the compromise, is the one most commonly used. In other words, these tools allow a cracker to hide his continuing compromise of your system from you. Installing the Rootkit is the second phase; the first phase, obviously, is to break in, and that commonly is the work of a "script kiddie."

A script kiddie is someone who lacks the talent or the motivation to write his own attack program for a buffer overflow bug, race condition, other bug, configuration error, weak password, and so on. Instead, he takes a prepackaged attack program and simply runs it against system after system until a vulnerable one is found and compromised. Among crackers, script kiddies rank only one step above the bottom, which is occupied by those who mount brute-force DoS attacks that simply flood a system with garbage packets.

A Rootkit is not, strictly speaking, an attack, but some Rootkits are sophisticated enough that they cannot be detected except by comparing the Trojaned programs and configuration files with known-good copies. The comparison typically is done with an MD5 checksum (more accurately called a hash), using md5sum, or with the cmp program, which does a byte-by-byte comparison and so is time-consuming. Be alert for false clues. I have investigated compromised systems where the Rootkit tarball, which listed the Trojaned programs I needed to restore, was a decoy. The real Trojan was in almost every executable program and spread by sshd to binaries I copied to the system.

The Tripwire utility computes an MD5 checksum and so runs twice as fast as cmp: it already knows the correct checksum and need only read the suspect file, whereas cmp must read both copies. Note that the sum program is not reliable, because some of these Trojans are designed to have the same sum checksum as the correct program. See "Tripwire" on page 649 for a discussion of the use of Tripwire.

It is important to recognize that if you suspect your system has been compromised, it is like having spies in your organization: you cannot know whom to trust. Any program could have been modified to give false results. The ls, ps, login, and inetd programs are all commonly Trojaned. It is possible that sum, mount, or an on-disk copy of Tripwire also has been Trojaned. This means that it is not even 100 percent safe to mount a floppy containing Tripwire to check your system, because the mount command itself could have been compromised. In practice, for routine nightly checking, invoking Tripwire will detect most compromises, and invoking it from read-only media, such as a floppy or CD-ROM, makes it safer still.
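To make the hash-versus-cmp discussion above concrete, here is a small baseline-and-verify checker. It is an added example, not code from the book or from Tripwire. The names ls, ps and login are stand-ins for the commonly Trojaned programs the text lists; the "binaries" and the replaced ps are constructed in a temporary directory, so the script runs offline. MD5 is the default only to match the text; any hashlib algorithm name can be passed as algo.

```python
"""Baseline-and-verify integrity check in the spirit of md5sum / Tripwire.
Added example: file names and contents below are constructed for the demo."""
import hashlib
import os
import tempfile
from typing import Dict, List

CHUNK = 1 << 16  # read in 64 KiB pieces so large binaries need not fit in memory

# Stand-ins for the commonly Trojaned programs named in the text (constructed).
WATCHED = ["ls", "ps", "login"]


def file_digest(path: str, algo: str = "md5") -> str:
    """Hash one file the way md5sum does; only the suspect file is read."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_baseline(root: str, names: List[str], algo: str = "md5") -> Dict[str, str]:
    """Equivalent of `md5sum ls ps login > manifest` run on a known-clean system.
    The returned manifest is what must be kept on read-only media."""
    return {n: file_digest(os.path.join(root, n), algo) for n in names}


def verify_baseline(root: str, baseline: Dict[str, str], algo: str = "md5") -> List[str]:
    """Recompute each digest and return the names that changed or vanished.

    Like Tripwire, this needs only the stored digest plus the file under test,
    not a second copy of the program, which is the speed advantage over cmp.
    """
    changed = []
    for name, expected in sorted(baseline.items()):
        path = os.path.join(root, name)
        if not os.path.isfile(path) or file_digest(path, algo) != expected:
            changed.append(name)
    return changed


def files_identical(a: str, b: str) -> bool:
    """cmp-style check: reads both files and stops at the first difference."""
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            ba, bb = fa.read(CHUNK), fb.read(CHUNK)
            if ba != bb:
                return False  # content differs, or one file is a prefix of the other
            if not ba:
                return True   # both exhausted at the same point


def build_sandbox() -> str:
    """Create a throwaway directory holding constructed stand-in 'binaries'."""
    root = tempfile.mkdtemp(prefix="rootkit-demo-")
    for name in WATCHED:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"original " + name.encode() + b" binary\n")
    return root


def demo() -> List[str]:
    """Baseline the sandbox, overwrite ps as a constructed Trojan, re-verify."""
    root = build_sandbox()
    baseline = record_baseline(root, WATCHED)
    with open(os.path.join(root, "ps"), "wb") as f:
        f.write(b"replaced ps binary (constructed stand-in for a Trojan)\n")
    return verify_baseline(root, baseline)


if __name__ == "__main__":
    print("changed files:", demo())  # prints: changed files: ['ps']
```

The same trust problem the text raises applies here: the stored digests, this script, and the interpreter and libraries it runs on must all come from media the intruder could not have altered, or a Trojaned component can simply report that everything matches.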

How common are Rootkits? They are used in a very significant percentage of intrusions to allow crackers to stay in your system, perhaps 20 percent to 70 percent of the intrusions in which root access is obtained. How do they get one? They browse www.rootkit.com/.[1] There are many other sites too.

[1] This Web site seems to be no more. Pity. Perhaps its sponsors are cracking rocks now. Still, there are many others, including www.thenewbiesarea.com.

The sheer number of cracker Web sites and the power of the software found on them are scary. Although the common "wisdom" is to reinstall from scratch, this is not necessary. Parts III and IV of this book cover detecting and recovering from an intrusion that might have left Trojans behind.


       
    Top


Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002, 260 pages.