KILLING THE MONITORING SOFTWARE

Modifying the log files can hide what a hacker has done in the past, but hackers still need to hide their presence while they're logged on to a computer. So, after the log files, the second target that hackers go after are the programs that can help system administrators notice any changes on their computers. In the world of Unix and Linux, the most common commands that hackers try to alter include the following:

• find-Looks for groups of files

• ls-Lists the contents of the current directory

• netstat-Shows the network status, including information about ports

• ps-Displays the current processes that are running

• who-Displays the names of all the users currently logged on

• w-Prints system usage, currently logged-on users, and what each user is doing

Planting Trojaned programs

When they introduce malicious programs onto a computer, hackers simply substitute the computer's current programs or binaries with their own hacked or Trojaned versions. If an unsuspecting system administrator uses these hacked versions, the commands may appear to work normally, but they secretly hide the hacker's activities from view. The longer it takes system administrators to find the hacker, the more time the hacker has to cause damage or to open additional back doors to ensure that he can return at a later time.

Of course, when a hacker replaces the original programs or binaries with his own deceptive versions of those same programs, he risks giving away his presence. This danger occurs because every file contains two unique properties: a creation date and time, and a file size. If a system administrator notices that a program's creation date was yesterday, that's a sure sign that the programs have been altered.

To protect their files from alterations, system administrators use file integrity programs that calculate a number, called a checksum, based on the file's size. The moment someone changes a file's size, even by a small amount, the checksum changes.

To avoid being detected by a file integrity checker, a skilled hacker may run the file integrity checker program and recalculate new checksums for all the files, including the modified ones. Now, if a system administrator didn't keep track of the old checksum values, the file integrity checker won't notice any differences.

With a little bit of tweaking, hackers can make their altered versions of certain programs the exact same size as the files they're replacing. This means that if they just change the date and time of this altered file to match that of the real file, any checksum comparisons won't notice the substitution.

A system administrator using a file integrity checker must run it right after setting up a computer. The longer the system administrator waits, the more likely a hacker will have time to change files, and then the file integrity checker will think the changed files are actually the valid ones.

Even more importantly, system administrators need to calculate a cryptographic checksum using an algorithm such as MD5. Unlike ordinary checksums, a cryptographic checksum can be nearly impossible to fake, which means that hackers can't fake the checksum values for any files they modify.

To learn more about the various file integrity programs that system administrators use, visit these sites:

Loadable Kernel Module (LKM) rootkits

The simplest way a system administrator can defeat any altered or Trojaned programs is by storing unaltered copies of all the common programs that hackers try to modify, and just recopying them back on the computer. By using these clean copies of various monitoring programs, a system administrator can hunt around the computer and likely find new traces of a hacker that the Trojaned versions hid from sight.

To get around this problem, hackers have started exploiting loadable kernel modules, commonly found in Unix-like systems such as Linux. In the old days, if you wanted to add a feature to Linux, you had to modify and recompile the entire source code of your operating system. Loadable Kernel Modules (LKMs) eliminate this task by letting you attach new commands to the Linux kernel (the heart of the operating system) through an LKM. This means you don't have to recompile the kernel over and over again, and it also prevents any changes you made from keeping Linux from loading altogether-if you modified the Linux source code incorrectly, it might never work again. If you modify code as an LKM, the Linux kernel can still load, and if the code in your LKM fails, it won't crash the entire operating system.

Hackers can also take advantage of LKMs. Rather than replace any existing programs and risk detection, LKM rootkits simply load their programs into memory. If a system administrator checks the file integrity of the various monitoring tools, they appear untouched (because they are). But if the administrator tries to run these seemingly untouched programs, the hacker's LKM module intercepts the commands and runs its own commands, which mask the hacker's presence. As far as the system administrator can see, the monitoring programs are untouched and working fine.

Some popular LKM rootkits sport odd names like SuckIT, Knark, Rial, Adore, and Tuxkit. To learn more about various tools used to make up a rootkit, visit Rootkit (http://www.rootkit.com), shown in Figure 13-1.

Figure 13-1: Rootkit.com provides source code for various rootkit tools, including Trojan horses and patches to hide a hacker's activity.