Two Linux Kernel Rootkits: Introduction

Source: Internet
Author: User

It has been said that, because of the way Linux handles file deletion, malicious code is easy to remove once it has been found; even if the kernel itself turns out to be infected, it can be cleaned up easily. This does not mean that Linux is absolutely secure; it only shows that remediation on Linux is very effective. So if you want to compromise a Linux system, the first concern is not how to stop users from deleting the malicious program, but how to hide it as thoroughly as possible. It is worth being clear about what "hiding" means.

Consider what a user or administrator relies on to notice behavior on the system: nothing more than a current snapshot of the system and the records it has kept. Snapshots include processes, ports, files, users and so on; records can be understood as log information. Beyond snapshots and records there are softer indicators, chiefly performance: if the machine performs poorly for no apparent reason yet no extra process or port can be found, the system may have been attacked. Therefore, as long as the processes and ports belonging to the malicious program, its files and their contents are hidden, and the log entries it would generate are suppressed, the attack is successful and effective for as long as the program keeps running. Cool as such an attack is, it does not show that the Linux system itself has a vulnerability or that Linux is insecure. Responsibility for the security of a Linux system rests on two sides: the system, and the people who use it. Attacking Linux through the system itself is very hard and requires a laborious vulnerability-hunting process, so the users of the system are usually compromised before the system is; once you have root, you can do anything on Linux. As I mentioned in the previous article, writing a kernel Trojan is cool, but it only requires basic C and root on the target; if you can get into the kernel as an ordinary user through a vulnerability, then you are the real master.

The people who use the system are not a technical matter, so we will not discuss them. Assume now that root has been obtained and consider the concrete work to be done. The most basic task is to hide the files associated with the process, the modules loaded into the kernel and the ports in use; then the log information must be suppressed. Concretely, this means intercepting the behavior of syslogd and filtering out whatever the malicious program would have written. utmp and wtmp also need attention, since the who command reads those files to show login records; if the malicious program involves logging in, those entries have to be blocked too. Fortunately, all logging is implemented as writing files, and on Linux the file system is responsible for that. Following the rootkit approach to file hiding, we only need to intercept the file system's system calls. There are two ways to do this: intercept the system call itself, or intercept the file system's callback functions, that is, the functions in file_operations. The former is easy to detect while the latter is well concealed: the system call table is a structural thing, fairly fixed, and anti-hacking software can check it, whereas file_operations is a per-file-system policy that is not so fixed, so anti-hacking software has a harder time knowing where to start. The two methods also represent two styles, and neither is easy, but I still think intercepting the file system callbacks is the easier of the two. The next two articles will walk through two well-known and simple rootkits.
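As an added defender-side example (not code from the original article or the rootkits it will go on to describe), here is the kind of cross-view check that the "snapshot" discussion above invites. A hook on the /proc directory listing, whether placed on the system call or on the file_operations callback, can filter which PIDs readdir() returns, but it does not touch the kernel's own answer to kill(pid, 0). Comparing the two views exposes a PID that exists but is not listed. The pid_max fallback value, the bitmap layout, and the two-snapshot race mitigation are my assumptions, not anything the article states.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Read the kernel's PID ceiling; fall back to the classic default
 * (assumption) if /proc/sys/kernel/pid_max is unreadable. */
static long read_pid_max(void) {
    long pid_max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &pid_max) != 1 || pid_max <= 0) pid_max = 32768;
        fclose(f);
    }
    return pid_max;
}

static void set_bit(unsigned char *map, long pid) {
    map[pid / 8] |= (unsigned char)(1u << (pid % 8));
}

static int bit_set(const unsigned char *map, long pid) {
    return (map[pid / 8] >> (pid % 8)) & 1;
}

/* View 1: the PIDs visible through readdir(/proc), as a bitmap. This is
 * the view that a rootkit filtering the /proc listing would tamper with. */
static unsigned char *snapshot_proc(long pid_max) {
    unsigned char *seen = calloc((size_t)pid_max / 8 + 1, 1);
    DIR *d = opendir("/proc");
    if (!seen || !d) { free(seen); if (d) closedir(d); return NULL; }
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid < pid_max) set_bit(seen, pid);
    }
    closedir(d);
    return seen;
}

/* View 2: ask the kernel directly. kill(pid, 0) delivers no signal;
 * success or EPERM means the PID exists, ESRCH means it does not. */
static int pid_exists(long pid) {
    if (kill((pid_t)pid, 0) == 0) return 1;
    return errno == EPERM;
}

static unsigned char *probe_all(long pid_max) {
    unsigned char *hit = calloc((size_t)pid_max / 8 + 1, 1);
    if (!hit) return NULL;
    for (long pid = 1; pid < pid_max; pid++)
        if (pid_exists(pid)) set_bit(hit, pid);
    return hit;
}

/* Pure cross-view core, separated so it can be exercised on constructed
 * bitmaps: a PID is reported hidden when the direct probe says it exists
 * but neither the /proc snapshot taken before probing nor the one taken
 * after lists it. Returns the hidden count; writes up to out_cap PIDs. */
size_t cross_view(const unsigned char *before, const unsigned char *probed,
                  const unsigned char *after, long pid_max,
                  long *out, size_t out_cap) {
    size_t n = 0;
    for (long pid = 1; pid < pid_max; pid++) {
        if (!bit_set(probed, pid)) continue;                    /* kernel denies it */
        if (bit_set(before, pid) || bit_set(after, pid)) continue; /* listed */
        if (n < out_cap) out[n] = pid;
        n++;
    }
    return n;
}

/* Live scan. The second /proc snapshot after the probe loop suppresses the
 * false positive from a process created while we were probing; a process
 * that both starts and exits inside that window can still slip through. */
size_t scan_hidden_pids(long *out, size_t out_cap) {
    long pid_max = read_pid_max();
    unsigned char *before = snapshot_proc(pid_max);
    unsigned char *probed = before ? probe_all(pid_max) : NULL;
    unsigned char *after  = probed ? snapshot_proc(pid_max) : NULL;
    size_t n = 0;
    if (after) n = cross_view(before, probed, after, pid_max, out, out_cap);
    free(before); free(probed); free(after);
    return n;
}

int main(void) {
    long hidden[64];
    size_t n = scan_hidden_pids(hidden, 64);
    printf("%zu PID(s) answer kill(pid,0) but are missing from /proc\n", n);
    for (size_t i = 0; i < n && i < 64; i++) printf("  pid %ld\n", hidden[i]);
    return 0;
}
```

Build with `gcc -O2 -o crossview crossview.c` and run it as root. Running as an unprivileged user still works, because EPERM counts as "exists", but on a system whose /proc is mounted with hidepid=2 other users' processes are legitimately absent from the listing and would be reported, so root is the meaningful vantage point. A rootkit that hooks the process-lookup path as well as the directory listing would defeat this particular pair of views; the general lesson is that any hiding technique has to cover every view of the same snapshot consistently, and a defender's job is to find two views that the attacker did not reconcile.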
