Honeypots mailing list archives

Detecting the sebek rootkit


From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Thu, 05 Feb 2004 09:06:14 +0100

At the Laboratory for Dependable Distributed Systems at the Department 
of Computer Science at Aachen University, Germany, we were evaluating 
options for gathering information on hostile Internet activity.
While looking at the kernel-based keylogger sebek (see 
http://www.honeynet.org/tools/sebek/) we found an easy way to detect 
the module, deployable by any user on a system which uses sebek.

Sebek basically intercepts the sys_read syscall and transmits a copy of 
every piece of data passing through sebek to another machine via UDP. 
Sebek also contains various measures to disguise this activity. One of 
them is decrementing the packet and byte counters for the network 
interface used to send the data.

from sebek.c
[...]
//------ decrement the counter
    stats = output_dev->get_stats(output_dev);
    if(stats){
      //--- "correct" the packet and byte counters
      stats->tx_packets--;
      stats->tx_bytes -= skb->len;
    }


The problem is that the decrementing takes place even if the sending of 
data fails, e.g. due to an overloaded network.
This makes the effects caused by sebek very easy to observe: just do 
something like 'dd if=/dev/zero of=/dev/null' and watch the TX bytes 
counter shown by ifconfig. If this counter was very low, it probably 
will start to roll over to 2^32.

Maximillian Dornseif, Thorsten Holz
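A scripted version of the check described in the post, added here as an example; it is not code from the post or from the sebek project, and is the kind of self-test a honeynet operator can run to see whether a deployment shows this symptom. It assumes a Linux host with /proc/net/dev; the interface name, the amount read and the 32-bit counter width are assumptions.

```shell
#!/bin/sh
# Added example: watch an interface's TX byte counter across a burst of
# local sys_read calls. A counter that moves backwards (or wraps towards
# 2^32 from a small value) while no real traffic is sent matches the
# "counter correction" behaviour described in the post.
IFACE="${IFACE:-eth0}"        # interface to watch (assumption)
READ_BLOCKS="${READ_BLOCKS:-4096}"   # 64 KiB blocks to pull through sys_read

# tx_bytes_from_line LINE: transmit-bytes column of one /proc/net/dev
# line. After "iface:" come 8 receive fields, so TX bytes is field 9.
# The sed step also copes with "eth0:123456" (no space after the colon).
tx_bytes_from_line() {
    printf '%s\n' "$1" | sed 's/^[^:]*://' | awk '{print $9}'
}

# read_tx_bytes IFACE: current TX byte counter, or failure if not found.
read_tx_bytes() {
    line=$(grep "^ *$1:" /proc/net/dev) || return 1
    tx_bytes_from_line "$line"
}

# tx_went_backwards BEFORE AFTER: succeeds if the counter moved backwards.
# The difference is taken modulo 2^32 (assumes a 32-bit counter as on the
# kernels of that era), so a small counter that "rolls over" to a value
# near 2^32 is reported as backwards too, not as a huge forward jump.
tx_went_backwards() {
    delta=$(( ($2 - $1) % 4294967296 ))
    [ "$delta" -lt 0 ] && delta=$((delta + 4294967296))
    [ "$delta" -ge 2147483648 ]
}

# run_check: sample the counter, generate reads, sample again, report.
run_check() {
    before=$(read_tx_bytes "$IFACE") || { echo "no interface $IFACE" >&2; return 2; }
    # Every block read here passes through sys_read, the call sebek hooks.
    dd if=/dev/zero of=/dev/null bs=65536 count="$READ_BLOCKS" 2>/dev/null
    after=$(read_tx_bytes "$IFACE")
    echo "$IFACE TX bytes: $before -> $after"
    if tx_went_backwards "$before" "$after"; then
        echo "TX byte counter moved backwards: consistent with sebek's counter correction"
        return 0
    fi
    echo "no backwards movement observed"
    return 1
}

if [ "${1:-}" = "--run" ]; then run_check; fi
```

Run it as `sh check.sh --run` on an otherwise idle interface; any real outbound traffic during the read burst will mask a small decrement, so repeat with a larger READ_BLOCKS if the first run is inconclusive.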
