29
May
2011
Hiding Sniffer From Rootkit Hunters
By IPSECS Admin. Posted in Exploitation, Forensics | No Comments »Several years ago, i create backdoor which sends root shell to attacker without opening TCP/UDP port. Reverse shell is sent to attacker based on packet sniffed by backdoor. I can easily hide the file and process created by rootkit with system call redirection. But wait, i remember some things, common mistakes which usually left by attacker, here are their mistakes:
- Mesh up with binary file hash checksum, since i use kernel based rootkit this is not my concern.
- Forget to hide files, directory, process, tcp/udp ports.
- Forget to hide kernel rootkit from detection command likes lsmod, modinfo, modstat, kldstat.
- Forget to hide interface promiscuous mode and network sniffers.
- Above mistake can be detected by common rootkit hunters like chkrootkit and rkhunters
So what should we do?! My kernel rootkit almost solve all that mistakes except hiding my sniffer from chkrootkit. Rkhunter shows no anomaly but chkrootkit shows my sniffer.
eth0: PACKET SNIFFER(/opt/_xhidex_/_xhidex_getraw[14848])
System administrator will aware that someone runs sniffer on their machine, i did some hack to solve this issue which finally i decide to hack chkrootkit. Some years ago, i found someone did rush trick by aliasing chkrootkit to ‘cat <some_static_file>’. I bet that system administrator can quickly detect this trick. Fortunately chkrootkit is just shell script so we can modify this file easily. Here, you can download freely chkrootkit patch to hide your sniffers.
After patch being applied on chkrootkit, below are chkrootkit output:
eth0: not promisc and no packet sniffer sockets
Lesson which can be taken is that people talk so much things about rootkit, backdoor, malware, worm, botnet but they ussually forget to secure their toys. Starting now, install your tool on your own system before install them on some else machine. Check if gnu standard utility, chkrootkit, and rkhunter can detect your tool. The other lesson is that rootkit hunters should check itself so it can check its integrity. This check can be based on hash or other secure method so self detection can be perform accurately. As workaround for system administrator, after doing rootkit hunter installation please save its hash checksum. Please save both MD5 and SHA checksum to guarantee rootkit hunter integrity.