CIS 450 – Network Security Chapter 15 – Preserving Access.


Transcript of CIS 450 – Network Security Chapter 15 – Preserving Access.

Page 1:

CIS 450 – Network Security

Chapter 15 – Preserving Access

Page 2:

Backdoor – a way for an attacker to get back into a network or system without being detected

Common ways to install backdoors

  By opening a port and using a listening agent
    Vision Port Scanner – http://linuxpr.com/releases/5354.html
    Netcat
    Tini – When I went to download the file I received a message from my virus scanner that the .exe file had a virus, which was cured

  Through the use of a Trojan program
    Contains overt and covert programs
    QAZ
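The check an administrator runs against the first technique above, a listener bound to a port, is a port-to-process mapping of the kind Vision produces. The script below is an added example, not code from the course or from any tool named on this slide: it parses /proc/net/tcp for sockets in LISTEN state and walks /proc/<pid>/fd to find the process that owns each socket inode, which is how an unexpected listener such as a netcat backdoor gets tied to its binary. It assumes a Linux host with procfs, needs root to read other users' fd tables, and the SAMPLE_PROC_NET_TCP text is constructed for the demo.

```python
"""Tie each listening TCP socket to its owning process using only /proc.

Added example; assumes Linux procfs. The sample /proc/net/tcp text below is
constructed (127.0.0.1:8080 listening, one established connection, and a
wildcard listener on port 4444 such as `nc -l -p 4444` would open).
"""
import os
import re
import socket
import struct

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A5D2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
"""


def parse_proc_net_tcp(text):
    """Return [(ip, port, inode)] for every socket in LISTEN state.

    Addresses are hex with the IPv4 part in host (little-endian) byte order:
    0100007F:1F90 is 127.0.0.1:8080. Field 10 (index 9) is the socket inode.
    """
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        listeners.append((ip, int(port_hex, 16), int(fields[9])))
    return listeners


def process_name(proc, pid):
    try:
        with open(os.path.join(proc, pid, "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd link.

    Reading another user's fd directory requires root; unreadable entries
    are skipped, so run as root to get a complete picture.
    """
    owners = {}
    for pid in (d for d in os.listdir(proc) if d.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = (int(pid), process_name(proc, pid))
    return owners


def listening_sockets(proc="/proc"):
    """Return [(ip, port, pid, comm)]; pid is None if no process claims the inode.

    A listener with no visible owner is itself suspicious: either the fd table
    was unreadable, or something is hiding the owning process from /proc.
    """
    with open(os.path.join(proc, "net", "tcp")) as f:
        listeners = parse_proc_net_tcp(f.read())
    owners = socket_owners(proc)
    return [(ip, port) + owners.get(inode, (None, "unknown"))
            for ip, port, inode in listeners]


if __name__ == "__main__":
    for ip, port, pid, comm in listening_sockets():
        print(f"{ip}:{port:<6} pid={pid} {comm}")
```

Run it as root and compare the output against what you expect the host to serve; IPv6 listeners live in /proc/net/tcp6 with the same layout and are not covered here. Because this reads /proc rather than asking netstat, a file-level rootkit that replaced netstat does not affect it; a kernel-level rootkit that filters /proc still can.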

Page 3:

Rootkits

What is it – http://www.linuxdevcenter.com/pub/a/linux/2001/12/14/rootkit.html

File-Level Rootkits
  Trojanize key system files on the operating system
  The legitimate program is replaced with the Trojan version: the legitimate program becomes the overt program and the backdoor becomes the covert function
  Programs replaced are the ones that a UNIX administrator would use to look at processes, files and network activity – page 548
  Attacker can get back into the system and hide his tracks
  Operate at the application (user) level

Defending against file-level rootkits
  File-level rootkits can be discovered by looking for changes in binary programs, comparing each binary against a known-good fingerprint recorded before the compromise
  Tripwire
  AIDE
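The Tripwire/AIDE check reduced to its core, as an added example that is not the slides' code and not code from either tool: record a baseline of SHA-256 hashes, sizes, permission bits and ownership for the binaries a file-level rootkit replaces, then compare the live files against it. The WATCHED list and the command-line usage are assumptions for the demo; the temp files in the test are constructed.

```python
"""Minimal file-integrity baseline in the style of Tripwire/AIDE.

Added example. The baseline must live where the attacker cannot rewrite it
(read-only media, or copied off the host): a rootkit that can replace
/bin/ps can just as easily update a baseline stored next to it.
"""
import hashlib
import json
import os
import stat

# Binaries a file-level rootkit typically replaces (assumed paths; adjust per host).
WATCHED = ["/bin/ps", "/bin/netstat", "/sbin/ifconfig", "/bin/login"]


def fingerprint(path):
    """Hash plus the metadata a Trojanized replacement is likely to disturb.

    mtime is left out on purpose: `touch -r` restores it trivially, so it
    proves nothing; the content hash is the evidence.
    """
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # a new setuid bit is a classic tell
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(paths):
    """Fingerprint every readable path; unreadable or missing ones are left out."""
    baseline = {}
    for p in paths:
        try:
            baseline[p] = fingerprint(p)
        except OSError:
            pass
    return baseline


def verify(baseline, paths=None):
    """Compare the live filesystem to a baseline.

    Returns {"changed": [...], "missing": [...], "added": [...]}: content or
    metadata differs, a baselined file is gone, or a watched path appeared
    that was never baselined.
    """
    paths = list(baseline) if paths is None else paths
    report = {"changed": [], "missing": [], "added": []}
    for p in paths:
        try:
            current = fingerprint(p)
        except OSError:
            if p in baseline:
                report["missing"].append(p)
            continue
        if p not in baseline:
            report["added"].append(p)
        elif current != baseline[p]:
            report["changed"].append(p)
    return report


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "init":
        save_baseline(build_baseline(WATCHED), sys.argv[2])
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        print(json.dumps(verify(load_baseline(sys.argv[2]), WATCHED), indent=2))
    else:
        print("usage: integrity.py init|check BASELINE_FILE")
```

Take the baseline immediately after a clean install and run the check from a boot you trust (rescue media, not the possibly compromised kernel): the check only proves the bytes on disk are unchanged, which, as the next slides show, is exactly what a kernel-level rootkit leaves intact.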

Page 4:

Rootkits

Kernel-Level Rootkits – operate at the kernel (operating system) level

By altering the heart of the operating system, kernel-level rootkits enable attackers to create a system that appears normal to users and administrators. In reality, the underlying kernel is riddled with attacker modifications, all masked by the manipulated kernel. Kernel-level rootkits usually include the ability to redirect system calls, so when a user wants to run one program, say ps, netstat or ifconfig, a Trojanized version is executed. These tools can also hide processes, files, sniffer usage and network port usage by altering the kernel so that it "lies" to you. Attackers are using numerous kernel-level rootkits for Linux, Solaris and Windows, among others.

Page 5:

Rootkits

Kernel-level rootkits – continued: defending against them
  Techniques used to defend against file-level rootkits don't work as well on a system with a kernel-level rootkit, because every request for information goes through the compromised kernel itself
  While AIDE may show you that your login binary is intact, the kernel-level rootkit redirects execution to the attacker's backdoor: the file on disk really is unchanged, and the kernel runs something else when it is executed
  Defeating kernel-level rootkits requires hardening the kernels of critical systems
    Saint Jude Project – monitors the integrity of a Linux kernel by looking for modifications of the system call table (a rootkit that hooks elsewhere, for example inside the VFS or with inline patches, will not show up there)
    Deploy machines with monolithic kernels, built without support for loadable kernel modules (this only removes the module loader; a rootkit can still patch a running kernel through /dev/kmem or /dev/mem if those are writable, so restrict them as well)
    Hardening the kernel itself – PitBull
    Hardened versions of UNIX and UNIX-like OSes such as SELinux and Sun Microsystems Trusted Solaris include additional kernel protections

Note: kernel-hardening solutions can be unwieldy if widely deployed, because they alter the fundamental operation of the kernel, complicating system administration and possibly breaking third-party tools
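A user-space check aimed at the failure mode on this slide, as an added example (not the slides' code, and not how Saint Jude works, which watches the system call table from inside the kernel): a kernel rootkit that hides a process usually filters the directory listing of /proc that ps depends on, but often leaves other paths intact, so kill(pid, 0) still answers for the hidden PID. Comparing the two views exposes the inconsistency. It assumes Linux; PROC and the pid_max sysctl path are the standard locations, and the sets in the test are constructed.

```python
"""Cross-view detection of processes hidden from /proc.

Added example, not from the slides. A kernel that lies about the /proc
directory listing has to lie through every other interface too; if it
forgets kill(pid, 0), a hidden process shows up as "alive but unlisted".
This is evidence, not proof: a rootkit that hooks every path passes this test.
"""
import os

PROC = "/proc"


def listed_pids(proc=PROC):
    """The view ps, top and friends get: numeric directory names in /proc."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def max_pid(proc=PROC):
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as f:
            return int(f.read())
    except OSError:
        return 32768  # historical default, used when the sysctl is unreadable


def probed_pids(limit=None):
    """The second view: every PID that answers kill(pid, 0).

    EPERM means the process exists but belongs to someone else, so it counts
    as alive; only ESRCH (ProcessLookupError) means no such process.
    """
    alive = set()
    for pid in range(1, (limit or max_pid()) + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(listed_before, probed, listed_after):
    """PIDs alive by probe but missing from both directory listings.

    Two listings bracket the probe so that a process that merely started or
    exited during the scan is not reported as hidden; a process that did both
    inside the window can still slip through, so re-run to confirm a hit.
    """
    return sorted(probed - listed_before - listed_after)


def scan(list_fn=listed_pids, probe_fn=probed_pids):
    before = list_fn()
    probed = probe_fn()
    after = list_fn()
    return hidden_pids(before, probed, after)


if __name__ == "__main__":
    suspects = scan()
    print("hidden PIDs:", suspects or "none")
```

Run it as root so the probe is not limited to your own processes. A non-empty result on a host where nothing should be hiding is the same kind of inconsistency the slide describes, the kernel telling two different stories, and the next step is to inspect the host from trusted boot media rather than through its own kernel.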

Page 6:

UNIX Rootkits

File-level rootkits
  TrojanIT – http://www.rishabhdara.com/link.php?currentgrp=30
  Lrk5 – http://www.ossec.net/rootkits/lrk.php
  Ark, Rootkit (this one has a Trojan embedded in it; I received a message from my anti-virus software even though I did not download it or open it) and Tk – http://www.antiserver.it/Backdoor-Rootkit/

Kernel-level rootkits
  Knark – http://www.rishabhdara.com/link.php?currentgrp=30

Page 7:

Wrappers

A wrapper is a tool that combines two or more files into a single file, usually for the purpose of hiding one of them: the visible program is the overt part and the hidden one is the covert part, which runs whenever the combined file is launched.

Examples
  SilkRope 2000 – http://www.pestpatrol.com/pestinfo/s/silk_rope.asp
  Saran Wrap – http://pestpatrol.com/zks/pestinfo/s/saran_wrap_1_0.asp