Backdoor technology and rootkit tool-Knark Analysis and Prevention (1)
Source: Internet
Author: User
Abstract: This article discusses backdoor techniques commonly used by attackers after a successful intrusion of a Linux system, analyzes knark, one of the best-known rootkit tools, in detail, and explains how to determine whether knark has been installed on a system and how to recover after an intrusion.
I. What is a "rootkit"?
Intruders usually clean up their tracks and leave backdoors after an intrusion. The most common tool for creating backdoors is a rootkit. Don't be misled by the name: a "rootkit" is not something used by the superuser root. It is a package that an intruder uses, after breaking into a host, to create and disguise backdoors. The package usually contains a log cleaner, backdoors and other programs, and it typically ships trojaned copies of programs that originally belong to the system, such as ps, ls, who, w and netstat. When an administrator queries the system through these commands, the fake system programs make sure that no trace of the intruder is shown.
In some hacker groups, rootkits (or backdoors) are a topic of great interest, and many different rootkits have been developed and published on the Internet. Among them, LKM rootkits attract particular attention because they use the loadable-module facility of modern operating systems. Running as part of the kernel, such a rootkit is more powerful and harder to notice than traditional techniques. Once it is installed and running on the target machine, the system is completely in the hacker's hands; even the system administrators cannot find any trace of the compromise, because they can no longer trust their own operating system. The purpose of a backdoor program is to preserve the hacker's access to the system even after the administrator has patched the vulnerability that was originally exploited.
Intruders use methods such as set-uid programs, trojaned system programs and cron backdoors to let an unprivileged user obtain root privileges.
1. Set-uid program. The hacker places a set-uid program somewhere in the file system; whenever it is executed, the caller becomes root.
2. Trojaned system program. The hacker replaces some system programs, such as the "login" program, so that as soon as certain conditions are met they grant the hacker the highest privileges.
3. Cron backdoor. The hacker adds or modifies entries in cron so that a program runs at a specific time and grants the highest privileges.
The following methods can grant a remote user the highest level of access: the ".rhosts" file, ssh authentication keys, bind shells and trojaned service programs.
1. ".rhosts" file. Once "++" is added to a user's .rhosts file, anyone can log in to that account without a password.
2. ssh authentication key. The hacker places his own public key in the target machine's ssh "authorized_keys" file and can then access the account without a password.
3. Bind shell. The hacker binds a shell to a specific TCP port; anyone who connects to that port with telnet gets an interactive shell. More sophisticated backdoors can be based on UDP, on TCP without an established connection, or even on ICMP.
4. Trojaned service program. Any open service can be turned into a Trojan that gives remote users access, for example by using the inetd service to create a bind shell on a specific port, or by using the ssh daemon to provide access.
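The local and remote backdoor vectors listed above (set-uid programs, cron entries, ".rhosts" wildcards, unknown ssh keys, inetd entries that spawn a shell) all leave a mark in a file an administrator can read. The following script, written for this article as an added example and not taken from the article or from Knark, audits constructed samples of those files; the file contents, the allow-lists, and the "suspicious directory" prefixes for cron jobs are assumptions made for the example, and on a real host you would feed the functions the actual files instead of the samples.

```python
"""Defender-side audit for the backdoor vectors described above.

Added example; all inputs are constructed samples, not real host data.
The allow-lists and heuristics are assumptions for illustration.
"""
import stat

# --- constructed samples -----------------------------------------------------
# (path, st_mode, owner) as os.stat() would report them on a real host
SAMPLE_SETUID_FILES = [
    ("/usr/bin/passwd", 0o104755, "root"),   # legitimate set-uid root binary
    ("/tmp/.x/sh", 0o104755, "root"),        # set-uid root shell outside the allow-list
    ("/home/user/tool", 0o100755, "user"),   # ordinary executable, no set-uid bit
]
KNOWN_SETUID = {"/usr/bin/passwd", "/bin/su", "/usr/bin/sudo"}   # assumed allow-list

SAMPLE_RHOSTS = "trusted.example.com alice\n+ +\n"                # constructed

SAMPLE_AUTHORIZED_KEYS = (                                         # constructed
    "ssh-rsa AAAAB3Nza...known== alice@workstation\n"
    "ssh-rsa AAAAB3Nza...unknown== x\n"
)
KNOWN_KEYS = {"AAAAB3Nza...known=="}                               # assumed allow-list

SAMPLE_INETD_CONF = (                                              # constructed
    "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
    "ingreslock stream tcp nowait root /bin/sh sh -i\n"
)
SAMPLE_CRONTAB = (                                                 # constructed
    "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n"
    "*/5 * * * * root /dev/.hidden/run\n"
)

SHELLS = ("/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh")


def unexpected_setuid(files, known=KNOWN_SETUID):
    """Paths that are set-uid root but not on the allow-list."""
    return [p for p, mode, owner in files
            if owner == "root" and mode & stat.S_ISUID and p not in known]


def rhosts_wildcard(content):
    """True if any .rhosts line trusts every host and every user ('+ +' or '++')."""
    for line in content.splitlines():
        fields = line.split()
        if fields and all(f == "+" for f in fields):
            return True
        if line.strip() == "++":
            return True
    return False


def unknown_ssh_keys(content, known=KNOWN_KEYS):
    """authorized_keys lines whose key blob is not on the allow-list."""
    hits = []
    for line in content.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if parts[1] not in known:
            hits.append(line)
    return hits


def inetd_shell_services(content):
    """Service names in inetd.conf whose server program is a shell (a bind shell)."""
    # inetd.conf fields: service socket proto wait user server-program args...
    return [parts[0] for parts in (l.split() for l in content.splitlines())
            if len(parts) >= 6 and parts[5] in SHELLS]


def suspicious_cron(content, bad_prefixes=("/tmp/", "/var/tmp/", "/dev/")):
    """System crontab lines whose command lives where no scheduled job belongs (heuristic)."""
    # system crontab fields: min hour dom mon dow user command
    return [l for l in content.splitlines()
            if len(l.split()) >= 7 and l.split()[6].startswith(bad_prefixes)]


def run_audit():
    """Run every check over the constructed samples and collect the findings."""
    return {
        "setuid": unexpected_setuid(SAMPLE_SETUID_FILES),
        "rhosts_wildcard": rhosts_wildcard(SAMPLE_RHOSTS),
        "unknown_keys": unknown_ssh_keys(SAMPLE_AUTHORIZED_KEYS),
        "inetd_shells": inetd_shell_services(SAMPLE_INETD_CONF),
        "cron": suspicious_cron(SAMPLE_CRONTAB),
    }


if __name__ == "__main__":
    for name, finding in run_audit().items():
        print(f"{name}: {finding}")
```

Each check is deliberately a pure function over file contents, so the same code can be run against a copy of the files taken from a suspect host on a clean machine; that matters because, as the next section explains, the commands on the compromised host itself may have been replaced.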
After the intruder has planted and started a backdoor program, he tries to hide the evidence. This involves two problems: how to hide his files and how to hide his processes.
To hide files, the intruder replaces common system commands such as "ls", "du" and "fsck". At a lower level, he can mark some areas of the hard disk as bad blocks and store his files there, or, if he is daring enough, put files into the boot block.
To hide a process, he can replace the "ps" program, or modify argv[] so that the program looks like a legitimate service. Interestingly, if a program is turned into an interrupt handler, it will not appear in the process table at all.
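A replaced "ls" or "ps" can only change what that one program prints; it cannot change what the kernel reports through other paths. The classic check is therefore a cross-view comparison: list /proc directly (or read a directory with readdir) and diff the result against the tool's output, so that anything the trojaned tool dropped stands out. The script below is an added example, not code from the article or from Knark; the /proc listing, ps output and directory listing it diffs are constructed samples, and the live_check function assumes a Linux host with /proc and a ps that accepts "-e -o pid=". It catches the user-space replacement technique described in this paragraph only; a kernel-level rootkit such as Knark hooks the system calls both views depend on, which is exactly why it is discussed separately below.

```python
"""Cross-view detection of hidden processes and files.

Added example. Samples are constructed; live_check() assumes Linux.
"""
import os
import subprocess


def pids_from_proc(entries):
    """PIDs from a /proc directory listing: only all-digit names are processes."""
    return {int(e) for e in entries if e.isdigit()}


def pids_from_ps(ps_output):
    """PIDs from the output of 'ps -e -o pid=' (one PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(proc_entries, ps_output):
    """Processes the kernel lists in /proc that ps did not report."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_output))


def hidden_files(listdir_entries, ls_output):
    """Directory entries seen via readdir() but missing from 'ls -a' output.

    ls output is split per line so names containing spaces survive.
    """
    shown = set(ls_output.splitlines())
    return sorted(set(listdir_entries) - shown - {".", ".."})


# --- constructed views (not real host data) --------------------------------
SAMPLE_PROC = ["1", "2", "1234", "1337", "self", "cpuinfo", "meminfo"]
SAMPLE_PS = "1\n2\n1234\n"              # 1337 omitted, as a trojaned ps would do
SAMPLE_DIR = [".", "..", "bin", ".rk", "lib"]
SAMPLE_LS = ".\n..\nbin\nlib\n"         # ".rk" omitted, as a trojaned ls would do


def live_check():
    """Run the process comparison on this host; returns None where /proc is absent."""
    if not os.path.isdir("/proc"):
        return None
    proc = os.listdir("/proc")
    ps = subprocess.run(["ps", "-e", "-o", "pid="],
                        capture_output=True, text=True).stdout
    return hidden_pids(proc, ps)


if __name__ == "__main__":
    print("hidden PIDs (sample):", hidden_pids(SAMPLE_PROC, SAMPLE_PS))
    print("hidden files (sample):", hidden_files(SAMPLE_DIR, SAMPLE_LS))
    print("hidden PIDs (live):", live_check())
```

Because the two live snapshots are not taken atomically, a process that exits between the /proc read and the ps run shows up as a false positive; repeating the check and keeping only PIDs that are flagged every time removes that noise.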
II. History of the rootkit Knark
Knark is a second-generation rootkit based on LKM (loadable kernel module) technology, which lets it hide system information very effectively. The author includes a disclaimer in the code and the README file stating that the code must not be used for illegal activity; the software can nevertheless easily be used for that purpose.
Knark was written by creed@sekure.net. It is based mainly on the heroin.c code written by Jenkins, and its design comes mainly from "Weakening the Linux Kernel", published by plaguez in Phrack 52. After rewriting most of heroin.c, Creed decided to rename it "Knark", which is Swedish for a drug addict. Other software written by Creed can be found at www.sekure.net/~Happy-h.
The first public version of Knark was 0.41, released in June 1999; see B4B0 #9 at http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt. Versions 0.50 and 0.59 were released later. The current version is 0.59, and version 0.59 can be downloaded from here.
III. Knark features
Knark 0.59 has the following features:
Hide or show files or directories
Hide TCP or UDP connections
Program execution redirection
Privilege escalation for unprivileged users ("rootme")
A tool to change the UID/GID of a running process
Remote daemon execution by unprivileged and privileged programs
Hiding running processes with kill -31
Combining execution redirection with file hiding lets intruders run all kinds of backdoor programs. Because the redirection happens at the kernel level, a file integrity checker does not notice that a program has been replaced: the original executable on disk is untouched, so the checker also finds nothing unusual about the programs in the PATH.
If Knark is combined with modhide, another LKM tool that hides a module currently loaded in the system, the presence of knark may not even be detectable with the lsmod command.