A new Adore root kit
Adore is a kernel module which is intended to give a cracker the full run of a compromised system without detection. To that end, it installs itself into several key parts of the kernel and lurks until somebody comes along who knows the right "key," where a key is a special process ID. If you do not know this key, finding signs of an Adore installation will be difficult, to say the least.
The module starts by hooking itself into various filesystems. It digs up the inode for the root filesystem, and replaces that inode's readdir() function pointer with one of its own. The Adore version performs like the one it replaces, except that it hides any files owned by a specific user and group ID. If you are a Black Hat trying to keep installed files out of the eye of the system administrator, this is the way to do it.
Similarly, Adore hooks itself into the lookup function for /proc. An attempt to read /proc/KEY, where KEY is a predefined key value, will give the current process the ability to access other Adore functions. A process which has been "authenticated" in this way can then, by accessing other special /proc filenames, give itself full root privileges or tell Adore to hide other processes from view. The module keeps a list of such processes; once a process appears in that list, it will never appear in /proc, and thus it will not by displayed by utilities like ps or top. The only way to find such processes, it would seem, would be to dig through the entire kernel task list and check to see if any of them are not represented in /proc.
People who crack into systems may well want to run network services on those systems. To cater to their needs, Adore replaces the show() function for /proc/net/tcp; the new version edits out any connections involving ports that the person installing Adore would rather others didn't know about. A hidden server process, running from a hidden executable, and sitting behind a hidden port could be very hard for a system administrator to find.
For good measure, Adore will also filter out entries made into files like /var/log/utmp or syslog on behalf of hidden processes.
The one thing Adore does not do is hide itself; it will show up in the list of loaded kernel modules. To address that, a separate module called "cleanup" is provided. If cleanup is loaded immediately after Adore, it will patch Adore out of the list of loaded modules, thus hiding it altogether.
All of this functionality has been implemented in a kernel module which is
a mere 600 lines long. This module is scary; it is a living demonstration
of what an attacker can do once he gets root access on a system. A careful
attacker could, using this module, maintain undetected control of a
compromised system indefinitely.
| Index entries for this article | |
|---|---|
| Kernel | Adore root kit |
| Kernel | Security |
Posted Mar 18, 2004 2:13 UTC (Thu)
by mikeraz (guest, #155)
[Link] (7 responses)
Posted Mar 18, 2004 11:56 UTC (Thu)
by fergal (guest, #602)
[Link] (4 responses)
Posted Mar 18, 2004 17:28 UTC (Thu)
by RobSeace (subscriber, #4435)
[Link]
Perl isn't my strongest language (I usually write pure C code), but it seemed
like the best bet for such a quick and dirty task... But, any strong Perl
coders, forgive any obvious mistakes on my part... ;-)
Posted Mar 19, 2004 4:00 UTC (Fri)
by xorbe (guest, #3165)
[Link] (2 responses)
Posted Mar 24, 2004 6:38 UTC (Wed)
by jzbiciak (guest, #5246)
[Link] (1 responses)
Posted Apr 3, 2004 0:30 UTC (Sat)
by alterself (guest, #1746)
[Link]
On a normal tcp/ip stack... the stack sends a request denied on attempts to open closed ports. I would imagine that if the module tied into the tcp/ip stack, it could monitor for attempts to open a specific set of ports...
Posted Mar 19, 2004 1:24 UTC (Fri)
by AnswerGuy (guest, #1256)
[Link] (1 responses)
Of course they can run any service on any port using this technique, it's
Posted Mar 19, 2004 1:42 UTC (Fri)
by AnswerGuy (guest, #1256)
[Link]
This is one of the best reasons to run a tight SNORT Prelude Basically you have to be able to characterize, in detail the proper Inbound: ... and so on. Once done properly ANY traffic that doesn't fit these rules will Of course this sort of Draconian/totalitarian configuration is only I hope its clear why this works better than looking for bad traffic. JimD
Posted Mar 18, 2004 3:27 UTC (Thu)
by mattdm (subscriber, #18)
[Link] (13 responses)
In /etc somewhere, have a file containing checksums of modules which are allowed to be loaded in the kernel. Then, some kernel mechanism to read this file _once_ -- and once read, make it impossible to add to the list without a reboot. This would be far from perfect protection, but seems like it'd provide another layer of protection -- the attacker would have to reboot the system, which is at least noticable. It'd also be kind of a pain for third-party drivers, but....
Posted Mar 18, 2004 3:32 UTC (Thu)
by corbet (editor, #1)
[Link] (10 responses)
In either case, however, you must contend with the fact that it is still possible to patch code into the kernel without loading a module via /dev/mem.
Posted Mar 18, 2004 4:12 UTC (Thu)
by mattdm (subscriber, #18)
[Link]
So, is some sort of hardware-based code signing really the only thing that can be done? Other than "don't let bad people get root", of course.
Posted Mar 18, 2004 4:19 UTC (Thu)
by mebrown (subscriber, #7960)
[Link]
or, Arjan has patches for 2.6 in the RH kernel that allow access through /dev/mem to only the first 1MB of memory (for tools that look at BIOS info, eg SMBIOS), and non-RAM memory (X drives PCI cards using IO through /dev/mem).
Posted Mar 18, 2004 7:01 UTC (Thu)
by sweikart (guest, #4276)
[Link]
Posted Mar 18, 2004 9:22 UTC (Thu)
by eru (subscriber, #2753)
[Link] (1 responses)
But I recall that some time ago LWN (or possibly some other Linux web page, not sure) reported discussions among kernel developers about deprecating the making of statical kernels altogether. Did that already happen with 2.6? Is it likely to happen?
Anyway, this solution is not quite feasible for most ordinary users: configuring the kernel with its hundreds of options is tedious, and I have found it can be difficult to decide what drivers or features can be disabled safely. The result is also less flexible when new hardware is installed. So I do not think the statical kernel a very practical solution for most users. Other alternatives are needed for securing against rootkit modules..
Posted Mar 18, 2004 11:31 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Posted Mar 18, 2004 13:21 UTC (Thu)
by rankincj (guest, #4865)
[Link]
Posted Mar 18, 2004 22:24 UTC (Thu)
by LogicG8 (guest, #11076)
[Link] (2 responses)
For those interested in patching the kernel w/o LKM
Posted Mar 19, 2004 1:40 UTC (Fri)
by giraffedata (guest, #1954)
[Link]
It would if you implemented the rest of the proposal, which was to make the kernel not allow updating of this list by anyone. It was, of course, left vague how you might design something like that.
With any *nix once
root is obtained the system is completely
compromised.
That's very on-point. It's why the best reaction to this type of threat is to make it harder to "obtain root," by making "root" far less pervasive in a system.
Linux took steps toward this long ago by replacing the traditional Unix concept of superuser/not superuser with a set of fine grained capabilities. As has been pointed out, if you had every one except CAP_SYS_MODULE, you would not be able to install Adore. And if only processes that needed CAP_SYS_MODULE had CAP_SYS_MODULE, it would be next to impossible for the cracker to find one that he can trick into loading Adore.
It isn't customary on Linux systems to manipulate individual capabilities, but it should be.
For that matter, there's still a whole lot of code running with full capabilities that doesn't need any of them at all. I.e. it should "drop root."
One thing I don't know the status of: capabilities assigned to executables. Last I saw, if you need a privileged program, you have to make it setuid/owner 0 and then whoever executes it gets ALL capabilities. We need to do better than that.
Posted Mar 19, 2004 1:51 UTC (Fri)
by AnswerGuy (guest, #1256)
[Link]
JimD
Posted Oct 25, 2004 0:44 UTC (Mon)
by jcm (subscriber, #18262)
[Link]
It's worth noting that the issue of signed modules has recently cropped up in a debate on lkml. It looks as though something will eventually go mainstream - but what form it'll take is still subject to list wrangling.
Cheers,
Jon.
Posted Mar 19, 2004 1:46 UTC (Fri)
by AnswerGuy (guest, #1256)
[Link]
There are many countermeasures to each of the steps that any
Posted Oct 4, 2004 13:25 UTC (Mon)
by arafel (subscriber, #18557)
[Link]
Posted Mar 18, 2004 10:24 UTC (Thu)
by ballombe (subscriber, #9523)
[Link] (1 responses)
Posted Sep 30, 2004 13:58 UTC (Thu)
by jhs (guest, #12429)
[Link]
Posted Mar 18, 2004 11:53 UTC (Thu)
by copsewood (subscriber, #199)
[Link] (2 responses)
So I guess other defences might have to involve virtualising the environment and running this within a sandbox continually monitored for known attack signatures. These precautions all put up the cost of running computing environments which retain similar levels of reasonable trust prior to discovery of this kind of technique.
Posted Mar 19, 2004 1:59 UTC (Fri)
by AnswerGuy (guest, #1256)
[Link]
However, that impinges on uptime for 24x7 servers. There should be It's possible, with hotswap capable mirror (RAID1) to yank a drive, (Put in a spare on the production system and let it re-integrate to If it's true hotswap hardware you can do this. If it's soft raid and I'm surprised I've never seen an article published on this technique, JimD
Posted Mar 21, 2004 1:07 UTC (Sun)
by shapr (subscriber, #9077)
[Link]
That would work for chkrootkit at least, and it would beat the "save to disk on shutdown" trick.
Posted Mar 18, 2004 14:09 UTC (Thu)
by freethinker (guest, #4397)
[Link] (1 responses)
Help, please. I have no idea what's going on! ;)
Posted Mar 18, 2004 23:17 UTC (Thu)
by rjamestaylor (guest, #339)
[Link]
Help, please. I have no idea what's going on!
Posted Mar 19, 2004 2:02 UTC (Fri)
by AnswerGuy (guest, #1256)
[Link]
It can detect many of them. Of course a clean boot is far more dependable
Posted Mar 25, 2004 10:11 UTC (Thu)
by Kstat (guest, #20442)
[Link] (2 responses)
I let you goole on how to easyly find adore :) Kstat <- check for this too, this is a good tool to detect adore :)
Posted Mar 26, 2004 10:57 UTC (Fri)
by trolldbois (guest, #20139)
[Link] (1 responses)
Posted Oct 17, 2005 18:07 UTC (Mon)
by xian1990@yahoo.com (guest, #33150)
[Link]
Posted May 23, 2006 7:14 UTC (Tue)
by duanjigang (guest, #37367)
[Link]
Posted Feb 4, 2007 10:16 UTC (Sun)
by X-Kernrootkit (guest, #43134)
[Link]
What can we look forward to? It seems the only way to detect an Adore compromised system would be through a Nessus, or other port scanning tool, port scan detecting open ports. But if the Adore designers were to implement port knocking they could hide from that detection method also. Detection of a compromise would be very difficult then.
A new Adore root kit
What would be needed is a "reverse port scanner". Something that runs on the machine and attempts to bind to address:port for every address and port on the machine. The secret port will show up as already in use.A new Adore root kit
I loved your idea so much, I whipped up just such a thing as a quick Perl
script: http://www.magrathea.com/~ras/misc/rpscan... ;-)
A new Adore root kit
Not if the module doesn't bind to the port until it sees the secret knock goes by. That's the whole point...
A new Adore root kit
Won't it at least have to bind to the first port of the "knocking" sequence?
A new Adore root kit
The idea is not that you bind to the port... but that you log attempts to open the port.A new Adore root kit
Port knocking
If the attacker wants to run a custom service (not some commodity like a warez FTP or IRC node) then he can use a "port knocker" to obscure it from scanning. Basically the ports appear closed but some magic sequence of packets (could be anything that the port knocker module will see, including DNS response packets from a magic source address, think of an ipchains rule that logs such packets and a tail -f script that monitors the logs for them, then opens the port for a limited time and possibly to a limited address. --- now just hide that a little better. Presto! port knocker!)
just that the clients have to have the right "knocker client" script (generally just something for netcat, socat, or perl's net libraries). They have to know the "secret knock" (Shave and a haircut ...)SNORT or Prelude NIDS
I hate to respond to my own post but I forgot something that I'd
intended to say (hit the preview/submit buttons a little too quick)
configuration. The default NIDS code is sort of like virus scanners
in that they only tell you about KNOWN attack signatures. However,
you can make a SNORT configuration that's more like a checksum
integrity tool (like Tripwire, AIDE or Samhain, only for net traffic).
and expected behavior of the protected system(s). A profile
of everything it should be allowed to do on the net. For example a
web server might need:
dst port 80 or 443 from anywhere,
dst port NTP from (list of three to give NTP peers),
dst port SSH from (list of two or three sysadmin workstations
and/or staging servers)
dst port SNMP from (list of NMS systems)
Outbound:
dst port any from port 80 or 443 (http and https)
dst port CVS (perhap for automated checkout of new changes
which are checked in by webmasters, web authors, programmers, etc.
dst port DNS to (list of internal name servers) (for reverse lookup?)
be an alert on the NIDS (network intrusion detection system).
(Unless it also exploits a bug in your NIDS, which is hopefully
pretty hard to do these days).
suitable for highly specialized servers. The more services running
on a machine the harder it is to characterize it's traffic. For most
client systems (workstations) ... FORGET IT!
Here we look for "not good traffic." (Similarly one of the first
rules of secure and robust programming for parsers is that it's better
to suppy a list of known innocuous characters, tokens whatever, then
to attempt to filter out a list of "suspects").
I'm no kernel hacker, but it seems like something like this would be a good thing:urgh
If you're really concerned, a better solution is to link everything you need into your kernel and disallow modules altogether. A weaker alternative is to load your modules at boot time, then disable module loading via the capability bounding set.
Allowed modules list
Hmmm, yeah, I vaguely remember reading about that. Allowed modules list
Compile out support for /dev/mem?Allowed modules list
Allowed modules list
>In either case, however, you must contend with the fact that it is still
>possible to patch code into the kernel without loading a module via /dev/mem.
To block access through /dev/mem, just drop the sys_rawio capability. [You
might even be able to drop sys_rawio after starting X; I've only dropped it
on servers.]
Some good references are:
http://lwn.net/1999/1202/kernel.php3
http://lwn.net/2000/0629/backpage.php3 # Subject: disabling module loading
If you're really concerned, a better solution is to link everything you need into your kernel and disallow modules altogether.
Allowed modules list
Allowed modules list
Anyway, this solution is not quite feasible for most ordinary users: configuring the kernel with its hundreds of options is tedious, and I have found it can be difficult to decide what drivers or features can be disabled safely. The result is also less flexible when new hardware is installed. So I do not think the statical kernel a very practical solution for most users.
This may well be true for general-purpose systems (although I haven't found it so), but firewalls, at least, can run with module support removed (no matter what their hardware: if necessary, run the firewall as a UML instance with no module support. UML's not *quite* secure, and won't be until lcall syscalls can be virtualized, but it's damned close.)
How would the attacker arrange for the module to get silently reloaded after a reboot? Wouldn't they need to hook something into your init scripts somehow? And what happens when you upgrade or recompile your kernel? You may be able to force an insmod of Adore's modules, but there's no guarantee that they would still work.
What protection does module versioning provide?
A list of allowed modules won't help much ifAllowed modules list
a user has root privileges. With any *nix once
root is obtained the system is completely
comprimised.
http://www.phrack.org/phrack/58/p58-0x07
A list of allowed modules won't help much if
a user has root privileges.
Allowed modules list
LIDS, SELinux, etc
It's not quite true that root-compromised systems *have* to be
inherently, persistenly compromised. It's CLOSE to true; but
some features in LIDS and SELinux could protect a well configured system
even from a rogue root process. These patches work by limiting root's
power and imposing additional authentication/authorization measures for
some operations.
Hi all,Allowed modules list
Signed modules, "Sealed" mode etc
There are various patches such as LIDS and (DSIGN?) that limit
allowed modules or "seal" the kernel after boot and refuse to let
modules load or do digital signature checks before linking into
loadable modules. (The capability bounding set is a coarse grained
measure in this direction --- but it's the only one in a stock
kernel).
rootkit takes. Of course they must be deployed before the
compromise! :(
Give someone sufficient privileges to load a kernel module, and I can guarantee that, if they really want, it will be loaded one way or the other. Bear in mind that any code which you can write to check for an 'allowed' module list can simply be changed to always return 'yes, that module is okay'.urgh
One of the caveats of disabling /dev/mem was that lsof disabling /dev/mem
did not work anymore. Is there any workaround available ?
The workaround is, lsof is a troubleshooting tool, like tcpdump. It should not be on a production system. If you have a problem, use lsof on your test environment until you fix the bug.disabling /dev/mem
Presumably hidden files would show up if the system is booted using a trusted kernel and the file system scanned with a scanner that knows where to look for them and what to look for ? I seem to remember having to do this reliably to detect MSDOS infection by certain viruses a few years ago. The problems with this approach are a bit of routine downtime while you run this kind of thing, maintaining separation between the potentially compromised and trusted scanning environments, and keeping malware scanning software up to date. Alternatively if the evidence is on the disk and the same disk can be simultaneously mounted read-only using another otherwise isolated system a similar security scan could be done without downtime. This will probably be followed by versions which remove themselves from disk when they load themselves into memory, and resave themselves to disk when the systems shut down.A new Adore root kit
Of course running chkrootkit and/or AIDE or other checksum scanners fromClean boot scans, chkrootkit, and RAID Hotswap For FIDS
a clean boot will help find compromised files and *known* rootkits.
scheduled downtime and such clean boot scanning should be routine during
those downtime windows.
insert it into a scan system, force it to come up in degraded mode
as a mountable (non-system) drive and then scan that.
preserve the array and performance).
you try commands like raidsetfaulty, etc. then you risk the attacker
hooking into that and covering his traces.
I've been describing it for years and tested it a couple times. (I'm
not maintaining any production systems in this configuration).
You could put the trusted kernel on a bootable cdimage, and set the BIOS to boot from CDROM, where the trusted kernel would only start the system on the hard disk after all checks passed.A new Adore root kit
Is something wrong with this article? I tried to read it, and as soon as the browser window opened, it closed again. I tried using wget to get the source, and it gave me a weird error. Then I tried googling for "adore rootkit" and it came up empty. I tried emailing someone about it, and as soon as I typed "Adore", my email client crashed.A new Adore root kit
A new Adore root kit
Is something wrong with this article? I tried to read it, and as soon as the browser window opened, it closed again. I tried using wget to get the source, and it gave me a weird error. Then I tried googling for "adore rootkit" and it came up empty. I tried emailing someone about it, and as soon as I typed "Adore", my email client crashed.
Warning! You must act quickly! Someone has surruptiously installed Microsoft Windows on your computer!
Chkrootkit on Live system???
I will find this out for myself later, but I really wish the author had
reported whether chkrootkit detects this new Adore on a live/compromised
system.
but chkrootkit is cheap to run from cron (suitable obscured from the
cracker's scripts, of course).
Sorry to kill the myth, but adore is very easy to detect (at least 3 differents ways). Of course, If the adore rk is sligly modified it will be more difficult to find :).A new Adore root kit
And why doesn't adore prevent kstat from reading useful information from /dev/kmem ? ;)
A new Adore root kit
What version of Linux kernel does Adore affect?A new Adore root kit
like hacking technologies, thoughts more than codes, but codes areA new Adore root kit
the proof of what the author said Thank you!
I AM TRYING TO INSTALL adore-ng0.54 on fedora core6 its giving me lots of errorsA new Adore root kit
such as
adore-ng-2.6.c:546: error: current undeclared (first use in this function)
adore-ng-2.6.c:550: error: dereferencing pointer to incomplete type
adore-ng-2.6.c:550: error: dereferencing pointer to incomplete type
adore-ng-2.6.c: In function patch_syslog:
adore-ng-2.6.c:565: warning: implicit declaration of function sock_create
adore-ng-2.6.c:568: error: dereferencing pointer to incomplete type
adore-ng-2.6.c:569: error: dereferencing pointer to incomplete type
adore-ng-2.6.c:570: error: dereferencing pointer to incomplete type
adore-ng-2.6.c:571: warning: implicit declaration of function sock_release
adore-ng-2.6.c: At top level:
adore-ng-2.6.c:583: error: expected =, ,, ;, asm or __attribute__
etc
please help