Attack Phase 4: Consolidation
CS 493/693 Lecture,
Dr. Lawlor, 2006/02/15
Once root or Administrator access is obtained, the tasks for an attacker include (in descending order of importance):
- Ensure you can still access the machine later--install a "back door" or "rootkit".
- Patch the machine, to ensure another hacker won't be able to get in to "your" machine the same way you did.
- Cover your tracks--edit log files to hide evidence of the attack,
and try to hide the illicit files, programs, and network activity you
generate.
The backdoor is by far the most important thing for an attacker.
The simplest UNIX backdoor is just a setuid-root program that
calls a shell. This is typically put somewhere difficult to
discover by accident. The traditional name for a backdoor is
"...", since that hides behind the current directory "." and the
ascending directory "..". For example, "/..." (a directory at
root level named "...") is common. The TeraGrid compromise of
2004 added a setuid executable named "..." to
"/var/spool/mail/...". To make a remote backdoor, a common
trick was to add a line to /etc/inetd.conf that read simply:
60000 stream nowait root /bin/sh
That is, when a TCP connection comes in on port 60000, connect it directly to a root shell!
Kernel Rootkits
Simple backdoors can be detected with the usual sysadmin tools, like
the Windows Task Manager, or the UNIX "find" and "netstat"
commands. Today's rootkits therefore modify the operating system
itself to hide files, processes, and network activity.
Here's a list of Linux Kernel Rootkits, and
a current Linux Kernel Rootkit News Site.
For example, most kernel rootkits can arrange for every program (ls,
find, etc.) to deny the existence of the "/..." directory, even though the
directory is still accessible by name.
There are a variety of Windows rootkits (news site).
Among the oldest is the Cult of the Dead Cow's "Back Orifice",
a non-kernel network utility package that disguises itself as a Windows
"service". Sony is currently defending itself against a
class-action lawsuit because Sony chose to include a rootkit-style copy
prevention program on a variety of music CDs.
The most complete rootkit would be a whole-machine emulator like QEMU.
It'd be easy enough to set up QEMU so the console and all the legitimate network services were
forwarded to the emulated machine, while the real machine is still under the complete control
of the attacker.
Like a kernel module, this technique could trivially hide files, processes, and network activity,
but also allow the attacker to install an entirely new operating system of his choice
without changing anything for legitimate users!
The only sure way to avoid infection with a rootkit is to keep attackers from gaining root
access on your system. But some limited immunity can be gained by:
- Keeping a close watch on the system logs, filesystem, running processes, and network ports and activity.
All of these can be faked, but faking them all consistently is difficult. The Linux chkrootkit
program attempts to discover kernel rootkits by catching these inconsistencies, but is confused by (for example) threaded code.
- Disabling kernel modules. The kernel can still be patched directly via the "/proc/kmem" interface, however.
- Running network services from a virtual machine that can be stopped and inspected using trusted outside tools.
- Rebooting the server from read-only media like a CD. A bootable run-from-CD version of Linux like
Knoppix or Ubuntu Live works well for this.
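Added example (not part of the lecture) of the inconsistency-hunting approach described above, applied to the two backdoors this lecture names: it probes for a "/..."-style hideout both by directory listing and by direct path lookup, and parses inetd.conf for root-run services whose server program is a bare shell. The directory it creates and the sample config are constructed, and no real rootkit is involved.

```python
import os
import tempfile

SUSPECT_NAMES = ("...", "... ", ".. ")   # dot-names that hide behind "." and ".."
SHELLS = ("/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh")

def check_hideouts(dirs, names=SUSPECT_NAMES):
    """Probe for suspicious dot-names by listing AND by direct path lookup.
    A rootkit that filters listings but still serves the path by name (the
    ls/find example above) shows as 'hidden'; a plain hideout as 'visible'."""
    findings = []
    for d in dirs:
        try:
            listed = set(os.listdir(d))
        except OSError:
            continue            # unreadable directory: nothing to compare
        for name in names:
            path = os.path.join(d, name)
            if os.path.lexists(path):
                findings.append((path, "visible" if name in listed else "hidden"))
    return findings

def audit_inetd(conf_text, shells=SHELLS):
    """Flag inetd.conf entries whose server program is a shell run as root. User
    and server follow the wait/nowait field, so the lecture's 5-field line parses too."""
    hits = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        idx = next((i for i, f in enumerate(fields)
                    if f.split("/")[0] in ("wait", "nowait")), None)
        if idx is None or len(fields) < idx + 3:
            continue
        user, server = fields[idx + 1], fields[idx + 2]
        if user.split(".")[0].split(":")[0] == "root" and server in shells:
            hits.append((fields[0], server))
    return hits

# Constructed sample: two ordinary root-run services plus the lecture's backdoor line.
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd
60000 stream nowait root /bin/sh
"""

def demo():
    """Make a scratch dir holding a "..." entry (constructed, no rootkit) and
    run both checks; returns (hideout findings, inetd hits)."""
    scratch = tempfile.mkdtemp()
    os.mkdir(os.path.join(scratch, "..."))
    return check_hideouts([scratch]), audit_inetd(SAMPLE_INETD)
```

On a clean system the "..." entry is reported as visible; a 'hidden' result means the kernel served a path that the directory listing denied, which is exactly the inconsistency chkrootkit looks for.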