Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: can't seem to find these tools/rootkit anywhere ..

From: zeno <bugtraq () cgisecurity net>
Date: Wed, 10 Jul 2002 12:25:37 -0400 (EDT)
chkrootkir is the best I've found.

www.chkrootkit.org

Detects quite a few and is updated monthly/bi-monthly. Includes lkm detection and
sniffer log finding ability.

- zeno () cgisecurity com





Henti,

here is a link for a scanner for Adore, although you seem to have a newer version than what's mentioned 
below.

Stuart

------- Forwarded message follows -------
Date sent:            Wed, 25 Oct 2000 09:30:09 +0200
Send reply to:        Stephane.Aubert () HSC FR
From:                 Stephane Aubert <Stephane.Aubert () HSC FR>
Organization:         Herve Schauer Consultants
Subject:              Announce: rkscan, a kernel-based rootkit scanner.
To:                   INCIDENTS () SECURITYFOCUS COM

========================================================

  Rootkit Scanner for loadable kernel-module rootkits

   (Analysis and detection tool for KNARK and ADORE)

========================================================

Stephane Aubert <Stephane.Aubert () hsc fr>
Herv? Schauer Consultants (http://www.hsc.fr)

rkscan is a kernel-based module rootkit scanner for Linux,
it detects Adore (v0.14, v0.2b and v0.24) and knark (v0.59).

rkscan.c is available at the end of this mail.


Introduction
============

When running on a computer, rootkits allows an unprivileged user
to hide files, hide process, run commands as root ...
that's why they are called rootkits !

krk (Kernel-based RootKits) are still rootkits but now they don't
need to change the ls, ps or find binaries because they are
intercepting system calls.

krk seem to be very difficult to detect while running on
a rooted computer.

rkscan is a small scanner to help sysadmins to detect infected
computers by:

   . KNARK version 0.59
     knarf is written by Creed <creed () sekure net>
     and can be found on packetstrom.securify.com

   . ADORE versions 0.14, 0.2b and 0.24
     Adore is written by Stealth
     and can be found on http://spider.scorpions.net/~stealth/


rkscan.c is given at the end of the mail and will be available on
  <URL: http://www.hsc.fr/ressources/outils/>

( Only in a few days ... I am at SANS NS2000 in Monterey :)
  I have written this first version during Dave Dittrich's course
  on DDOS, thanx Dave for this course !)

Don't forget :
  There are differents technics to protect yourself against krk,
  the best one is certainly to disable the kernel-module support.


Usage
=====

Just run : ./rkscan

Example:

!! Don't run the following command unless you know what you are doing.
# insmod adore.o
# exit

% ./rkscan
-=-      Rootkit Scanner      -=-
-=- by Stephane.Aubert () hsc fr -=-

  Scanning for ADORE version 0.14, 0.2b and 0.24 ...
  #ADORE rootkit is running with ELITE_CMD=50666 !

  Scanning for KNARK version 0.59 ...
  KNARK rootkit NOT DETECTED on this system.

Done.
% ./ava U U
Checking for adore  0.12 or higher ...
Adore 0.14 installed. Good luck.
Adore 0.14 de-installed.


How it works
============

Adore v0.14 uses a setuid call to detect if its module is loaded:

  #define ELITE_CMD 31337
  int adore_installed() {
      return setuid(ELITE_CMD+2);
  }
  ...
  printf("Checking for adore  0.12 or higher ...\n");
  if ((version = adore_installed()) <= 0) {
      printf("Adore NOT installed. Exiting.\n");
      exit(1);
  }

Adore v0.24 uses a setuid call to detect if its module is loaded:
  (ELITE_CMD is fixed in the Makefile to 61855)

  adore_t *adore_init()
  {
     adore_t *ret = calloc(1, sizeof(adore_t));
     ret->version = setuid(ELITE_CMD+2);
     return ret;
  }

Knark uses a settimeofday call to detect if its module is loaded:

  #define KNARK_GIMME_ROOT 9000
  ...
  if(settimeofday((struct timeval *)KNARK_GIMME_ROOT,
                      (struct timezone *)NULL) == -1) {
      perror("settimeofday");
      fprintf(stderr, "Have you really loaded knark.o?!\n");
      exit(-1);
  }

So the main problem is to find the ELITE_CMD or KNARK_GIMME_ROOT values
that can have been changed.

That why we need a scanner to test each possible values.


Bad news
========

Future version of these rootkits will certainly use crypto or just
something like the following lines in oder to hide themself more and more.

  #define ELITE_CMD 31337
  #define KEY_1 42843
  #define KEY_2 89843
  #define KEY_3 11343
  #define KEY_4 17323
  #define KEY_5 64543
  /* may be more */

  int ItIsMe() {
    setuid(KEY_1);   /* put a global var to the first state (state=1;)  */
    setuid(KEY_2);   /* action: state=(state==1?2:0);                   */
    setuid(KEY_3);   /* and so on ...                                   */
    setuid(KEY_4);   /* and so on ...                                   */
    setuid(KEY_5);   /* and so on ...                                   */
  }
  int adore_installed() {
    ItIsMe();
    return setuid(ELITE_CMD+2); /* ok if state==5 and ELITE_CMD is good */
  }

And it will be more and more difficult to scan these krk :(

It's time to rebuild you kernel and disable module support !


The scanner
===========

/** rkscan.c (C) 2000 by Stephane Aubert
 ** <Stephane.Aubert () hsc fr>
 **
 ** Rootkit Scanner for:
 **   . KNARK version 0.59
 **     (kernel-based rootkit)
 **     knarf was written by Creed <creed () sekure net>
 **     and can be found on packetstrom.securify.com
 **
 **   . ADORE version : 0.14, 0.24 and 2.0b
 **     (kernel-based rootkit)
 **     Adore was written by Stealth
 **     and can be found on http://spider.scorpions.net/~stealth/
 **/

#include <sys/types.h>
#include <values.h>
#include <unistd.h>
#include <stdio.h>
#include <time.h>

// Use MAXINT for a fullscan
#define UPSCAN 65535

int knark_scan( void ) {
    int command;
    printf("  Scanning for KNARK version 0.59 ...\n");
    for( command=UPSCAN; command>=0; command-- ) {
      if(settimeofday((struct timeval *)command,
                      (struct timezone *)NULL) == 0) {
          printf("  #KNARK rootkit is running (settimeofday command=%d) !\n\n",
                 command );
        return 1;
      }
    }
    printf("  KNARK rootkit NOT DETECTED on this system.\n\n");
    return 0;
}

int adore_scan( void ) {
    int version;
    uid_t uid;
    printf("  Scanning for ADORE version 0.14, 0.24 and 2.0b ...\n");
    // for all possible UIDs
    for( uid=UPSCAN; uid>=2; uid-- ) {
      if( getpwuid(uid) == NULL ) { // if UID is not in /etc/passwd
        if(  (version=setuid( uid )) >0 ) {
          printf("  #ADORE rootkit is running with ELITE_CMD=%d !\n\n", uid-2 );
          return 1;
        }
      }
    }
    printf("  ADORE rootkit NOT DETECTED on this system.\n\n");
    return 0;
}

int main( int argc, char *argv[] ) {
    int retval=0;
    printf("-=-      Rootkit Scanner      -=-\n"
           "-=- by Stephane.Aubert () hsc fr -=-\n\n");

    if( getuid()==0 ) {
      printf("  *** Don't run this scanner as root ! ***\n\n");
      exit( 0 );
    }

    retval += adore_scan();
    retval += knark_scan();

    printf("Done.\n");
    exit( retval );
}

==EOF===================================================


------- End of forwarded message -------
-- 
Stuart Udall
stuart () cyberdelix net - http://www.cyberdelix.net/
..revolution through evolution

want to make some cash? check out http://cyberdelix.net/affiliates.htm


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: