Shrax: The Ultimate Rootkit

Sendai looks at the platforms identified by Nmap. This is critical information in determining what type of rootkit he will have to prepare. Rootkits are very platform-specific as they integrate tightly with an OS kernel to hide processes and files, open backdoors, and capture keystrokes. Knuth s demands are far more elaborate than any existing public rootkit, so Sendai must write his own. He is pleased that these systems run Linux and Solaris, two of the systems he knows best.

Rather than start over from scratch, Sendai bases his rootkit on existing code. He downloads the latest Sebek Linux and Solaris clients from www.honeynet.org/tools/sebek. Sebek is a product of the Honeynet Project, ^[3] a group of security professionals who attempt to learn the tools, tactics, and motives of the blackhat community by placing honeypot computers on the Internet and studying how they are exploited. Sebek is a kernel module used to monitor activity on honeypots while hiding its own existence. Sendai revels in the delicious irony of this white hat tool fitting his evil purposes perfectly . A major plus is that it is available for Linux and Solaris.

Although Sebek serves as a useful foundation, turning it into a proper rootkit requires substantial work. Sebek already includes a cleaner that hides it from the kernel module list, but Sendai must add features for hiding files/directories, processes, sockets, packets, and users from everyone else (including legitimate administrators). The syslog functionality is also compromised to prevent intruder activity from being logged. Sendai adds several fun features for dealing with any other users on the system. A TTY sniffer allows him to secretly watch selected user terminal sessions and even actively insert keystrokes or hijack the hapless user s session.

The TTY sniffer makes Sendai smile, thinking back to those youthful days when he would hack university machines just to pester students and professors. Watching someone type rapidly at a terminal, Sendai would sometimes enter a keystroke or backspace , causing the command to fail. Thinking they made a typo, the user would try again. Yet the typos continued ! While the user was wondering why she was having so much trouble typing and starting to suspect that the keyboard was broken, phantom keystrokes would start appearing on the screen. That is quite disturbing in itself, but induces panic when the keystrokes are typing out commands like rm -rf ~ or composing a nasty e-mail to the user s boss! Sendai never actually took these damaging actions, but derived a perverse pleasure from alarming the poor users. He wondered what tech support would say when these users would call and declare that their systems were possessed. Sendai now considers himself too mature for such antics, but implements the terminal reading capability to spy on administrators that he suspects are on to him.

Sendai adds another user manipulation feature he calls capability stripping. Linux process privileges are more granular than just superuser (uid 0) or not. Root s privileges are divided into several dozen capabilities, such as CAP_KILL to kill any process and CAP_NET_RAW to write raw packets to the wire. Sendai s feature removes all these capabilities from a logged-in administrator s shell. He may still appear to be root from the id command, but has been secretly neutered. Attempts to execute privileged operations are rejected, leaving the administrator more frustrated and confused than if Sendai had terminated the session by killing his shell.

The infection vector is another pressing issue. Sebek hides itself in the kernel module list, but the module itself is not hidden on disk. Worse, the system startup process must be modified to load the module, or a system reboot will foil the whole plan. This is acceptable on a honeynet, because there is no other legitimate administrator who would notice changes to the start-up process. It does not meet Sendai s requirements so well. Yet Knuth was very clear that the system must be resilient in the face of reboots. Sendai s solution is to inject his evil kernel module (which he has taken to calling Shrax) into a legitimate kernel module such as an Ethernet driver. ^[4] This avoids having an extra suspicious binary around and modifying startup files. Additionally, Sendai adds an inode redirection system so that the module appears unmolested once loaded. This should protect Shrax from file integrity checkers such as Tripwire, Aide, and Radmind. Of course it is possible that the Linux targets compiled their kernels without module support, as many administrators still believe that will stop kernel root kits. No problem! Sendai has tools for both forcing a module into a running kernel using just /dev/mem, and for injecting a module into a static kernel image so that it will be executed silently during the next reboot.

There is also the backdoor issue. One option is to simply compile and run an ssh server on some obscure port number like 31,337. A trivial patch will bypass the authentication and give root access when a secret username is given. Shrax is capable of hiding the ssh process (and its children) from other users, as well as hiding the socket so it isn t disclosed by netstat and the like. Despite this, Sendai finds the option unacceptable. Even though hidden within the system, an outsider could find the open backdoor port with Nmap. More importantly, Knuth insisted that he be able to activate the backdoor using a wide variety of protocols and subtle packets. Ssh would require that the target network firewalls permit TCP connections to the chosen port. Such permissive firewalls are unlikely at some of the sensitive organizations Knuth wants to attack.

After further brainstorming, Sendai decides on an in-kernel backdoor rather than relying on external programs such as ssh. For backdoors, this one is pretty advanced. Knuth will be happy that its activation interface is the epitome of flexibility. It puts the system interfaces in promiscuous mode (hiding that fact, of course) and examines every IP packet that comes in, regardless of the destination IP address or protocol. The first data bytes are then compared to an identification string. At first Sendai sets that string to My crime is that of curiosity , but then he smartly decides to be more subtle and chooses a random-looking string. If the string matches, the remainder of the packet is decrypted using AES and a configurable key. The result is interpreted as a response method description followed by a series of shell commands to be executed as root. There are also a few special configuration commands for tasks like changing encryption keys, activating the TTY and network password sniffers, and disabling Shrax and removing every trace of it. Sendai is particularly proud of the response method description. This tells Shrax how to send back command responses, which are always encrypted with the shared key. Sendai is quite proud of all the transport methods supported. Of course, straightforward TCP and UDP to a given IP and port is offered . Or the user can have responses sent via ICMP echo request, echo response, timestamp, or netmask messages. ICMP time-to-live exceeded messages are supported, too. The data can be marshaled into a web request and even sent through a socks or http proxy. Sendai s favorite Shrax technique is to use a series of DNS requests falling under a domain controlled by the attacker. Shrax can even be set to poll a nameserver frequently for new commands. Unless the system is completely unplugged, Knuth should be able to find a way to tunnel his data back. Of course, one can choose to execute a command without returning a response. This allows the intruder to do so completely anonymously with a spoofed IP packet.

Yet another unique Shrax feature is that it can transparently pass commands through a chain of rootkits. An attacker can configure the client to go through an initial rooted machine in Romania, then to one in China, then to a web server on the target corporation s DMZ, and finally to an internal database machine. The first hops help the attacker cover his or her tracks, whereas the final one may be necessary because the DB is accessible only from the web server.

Sendai goes all out working on Shrax because he plans to use it for several years to come and to share it with his buddies . If it had been written only for this specific task, he would have likely hacked the targets first and written only the most critical features.

After all this work on Shrax, Sendai is itching to deploy his new baby. He wants to start hacking immediately, but knows better. Considering that military and government sites are involved, attacking from his neighbor s wireless connection would be foolish. Sendai remembers how the authorities tracked down Kevin Mitnick based on a wireless connection from his apartment. And if the police ever show up at Sendai s apartment complex, he will be a prime suspect. Sendai suddenly regrets ordering the license plate HACKME for his vehicle. The police might not even notice a more subtle plate such as SYNACK. Sendai has a number of compromised boxes all over the Internet, but he really wants some machine that is unconnected to him, which he can use once and then discard.