Honeypots mailing list archives
Detecting the sebek rootkit
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Thu, 05 Feb 2004 09:06:14 +0100
At the Laboratory for Dependable Distributed Systems at the Department of Computer Science at Aachen University, Germany, we were evaluating options for gathering information on hostile Internet activity. While looking at the kernel-based keylogger sebek (see http://www.honeynet.org/tools/sebek/) we found an easy way to detect the module, deployable by any user on a system which uses sebek.

Sebek basically intercepts the sys_read syscall and transmits a copy of every piece of data passing through sebek to another machine via UDP. Sebek also contains various measures to disguise this activity. One of them is decrementing the packet and byte counters for the network interface used to send the data.

From sebek.c:

    [...]
    //------ decrement the counter
    stats = output_dev->get_stats(output_dev);
    if(stats){
        //--- "correct" the packet and byte counters
        stats->tx_packets--;
        stats->tx_bytes -= skb->len;
    }

The problem is that the decrementing takes place even if the sending of data fails, e.g. due to an overloaded network. This makes the effects caused by sebek very easy to observe: just do something like 'dd if=/dev/zero of=/dev/null' and watch the TX-Bytes counter shown by ifconfig. If this counter was very low it probably will start to roll over to 2^32.

Maximillian Dornseif, Thorsten Holz
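The following is an added example, not code from the post or from the Honeynet Project's sebek: a small check a honeynet operator can run against their own sensor host to see whether the counter "correction" described above is observable. It parses Linux /proc/net/dev snapshots (assumed layout: eight receive fields followed by eight transmit fields per interface), computes the change of the TX byte and packet counters between a snapshot taken before and one taken after a read-heavy workload, and flags a counter that moved backwards. The 32-bit counter width is an assumption matching the post's remark about rolling over to 2^32; the snapshots embedded below are constructed, and the live helper at the bottom assumes the interface name is passed in on the command line.

```python
"""Check whether an interface's TX counters stay monotonic across a read workload.

Added example for the mailing-list post above; not part of sebek or the post.
Assumes the Linux /proc/net/dev layout and (assumption) 32-bit counters.
"""
import subprocess
import sys
from typing import Dict, Tuple

COUNTER_BITS = 32  # assumption: counters wrap modulo 2^32, as the post observed

Counters = Tuple[int, int, int, int]  # (rx_bytes, rx_packets, tx_bytes, tx_packets)


def parse_proc_net_dev(text: str) -> Dict[str, Counters]:
    """Return {iface: (rx_bytes, rx_packets, tx_bytes, tx_packets)} from /proc/net/dev text.

    Splitting on the first ':' also handles kernels that glue the name to the
    first number ("eth0:12345 ..."). Header lines contain no ':' and are skipped.
    """
    stats: Dict[str, Counters] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue
        rx_bytes, rx_packets = int(fields[0]), int(fields[1])
        tx_bytes, tx_packets = int(fields[8]), int(fields[9])
        stats[iface.strip()] = (rx_bytes, rx_packets, tx_bytes, tx_packets)
    return stats


def counter_delta(before: int, after: int, bits: int = COUNTER_BITS) -> int:
    """Signed change of a modular counter.

    A legitimate wrap of a nearly full counter shows up as a small positive
    delta; a decrement past zero (the 0 -> 2^32-1 underflow the post describes)
    shows up as a negative one.
    """
    mod = 1 << bits
    delta = (after - before) % mod
    if delta >= mod // 2:
        delta -= mod
    return delta


def check_interface(before_text: str, after_text: str, iface: str) -> dict:
    """Compare two snapshots; a TX counter that went backwards is suspicious.

    Run this on an otherwise quiet interface: ordinary traffic adds positive
    deltas that can mask a decrement, and only a net decrease is flagged here.
    """
    before = parse_proc_net_dev(before_text)[iface]
    after = parse_proc_net_dev(after_text)[iface]
    tx_bytes_delta = counter_delta(before[2], after[2])
    tx_packets_delta = counter_delta(before[3], after[3])
    return {
        "tx_bytes_delta": tx_bytes_delta,
        "tx_packets_delta": tx_packets_delta,
        "suspicious": tx_bytes_delta < 0 or tx_packets_delta < 0,
    }


# Constructed snapshots (not real captures). In AFTER_DECREMENTED the eth0 TX
# counters were pulled below zero by 5000 bytes / 50 packets and wrapped.
BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0:  500000    4000    0    0    0     0          0         0      900       8    0    0    0     0       0          0
"""
AFTER_DECREMENTED = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0:  500000    4000    0    0    0     0          0         0 4294963196 4294967254    0    0    0     0       0          0
"""
AFTER_CLEAN = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0:  500000    4000    0    0    0     0          0         0     1400      12    0    0    0     0       0          0
"""


def live_check(iface: str, megabytes: int = 64) -> dict:
    """Snapshot /proc/net/dev, generate read() traffic with dd, snapshot again."""
    with open("/proc/net/dev") as f:
        before = f.read()
    subprocess.run(["dd", "if=/dev/zero", "of=/dev/null", "bs=1M", f"count={megabytes}"],
                   check=True, stderr=subprocess.DEVNULL)
    with open("/proc/net/dev") as f:
        after = f.read()
    return check_interface(before, after, iface)


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots, then a live run if an
    # interface name is given (e.g. "python3 txcheck.py eth0").
    print("constructed:", check_interface(BEFORE, AFTER_DECREMENTED, "eth0"))
    if len(sys.argv) > 1:
        print("live:", live_check(sys.argv[1]))
```

The signed modular delta is what makes the check usable on a counter that was already near 2^32: a real wrap from a high value looks like a small positive step, while a decrement from a low value lands just below 2^32 and is reported as negative.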