Brief introduction and analysis of RootKit in Linux

In my personal work, I simply divide RootKit into user-mode rootkit and kernel-level rootkit. Kernel-level rootkit can be divided into LKM-based rootkit (including system call table modification and VFS-layer rootkit) and non-LKM rootkit (such as system call table redirection ). In Linux, rootkit with more novel technologies, such as BIOS, PCI, Boot (NTLDR, BCD, and Grub), does not provide samples at the moment. As mentioned above, it is a personal analysis summary, for more information, see!

 

The following table uses a chart to analyze and compare data.

 

Serial number	Typical representatives	Control Mode	Applicable kernel version	Hidden/anti-detection features	Remarks
1	Lrk5	Active connection	2.6.X	Replace user State ls, ps, netstat, etc.	First generationUser RootKitThere are many codes. The installation is simple and easy to use.
2	Knark-0.59	Active connection	2.2.x	Knark0.59 has the following features: 1. Hiding or displaying files or directories; 2. Hiding processes; 3. Hiding TCP or UDP connections; 4. Program Execution redirection; 5. Change the UID/GID tool of a running process. 6. Run the daemon process remotely in an unauthorized place or a privileged program.	The Linux 2.2 Kernel has a powerful LKM (Loadable Kernel Modules) rootkit.Call table modification class rootkitModify the exported system call table to replace the system call related to the attack behavior to hide the attacker's whereabouts.
3	Sk-1.3b	Active connection and reverse connection	2.2.x, 2.4.x	1: The sk backdoor server is a static ELF file, which is dozens of KB after compression. 2: The Backdoor can be activated by sending specific data to any open TCP port of the zombie, port multiplexing; 3: sk uses dynamic hiding to hide specified content, including files, processes, and network connections; 4: sk2 can infect the elf file of the system for self-startup, you can also enable Automatic startup by replacing the system's init file.	The full name is suckit (super user control kit). It runs in the most classic Linux 2.4 kernelNon-LKM layer rootkit. Instead of modifying the content of the System Call jump table, the system call table is copied first, and then the copied system call table is modified according to the hacker's intention, the system that executes the rewrite of intruders calls the response function. Then, remove system_call from the old system call table and point to the new system call table.
4	Adore-ng-056-wztfix	Active connection and reverse connection	2.4.X-2.6.X	1: good stability of adore-ng; 2: dynamic compilation of the specific environment of the adore-ng backdoor server program; 3: The client must be used to manually hide the specified process, network, and file; 4: adore-ng can be automatically started by inserting or replacing the system module.	Linux 2.4-2.6 classic LKM;VFS layer rootkitInstead of modifying the content of the System Call layer, You can implement information hiding by modifying the specific processing functions of the VFS layer, such as replacing the file_ops function of the vfs layer.
5	WNPS	Active connection and reverse connection	2.6.X	1. Hide: Hide the specific content in a specified file. The hidden process dynamically hides network connections. The process hides its own modules to protect related modules, processes, and files from being tracked. 2. kernel rebound backdoor, to set timed automatic reconnection; 3. simple installation across kernel platforms with a wnps. ko can manage all 2.6 kernel machines. 4. Support for pseudo terminals and key record functions; 5. More stable module injection mode than adore-ng; 6. communication encryption.	Adore-ng enhanced version, encrypted communication, 2.6 kernel common, more concealed.
6	Ddrk	Active connection	2.6.X	1. Good hiding ability: Hiding process hidden network connection hiding Module 2. Anti-chkrootkit and rkhunter.	Is a Linux rootkit that combines the advantages of sk and adore-ng, kernel state + User State + kernel state.