Phalanx – A Self-injecting Rootkit

Instructor: Dr. Harold C. Grossman
Students: Jinwei Liu & Subhra S. Sarkar
Agenda
• Introduction
• History
• Objectives
• Phalanx’s standing in rootkit classification
• Features
• Notable infections
• Detection mechanisms
• Prevention mechanisms
• Availability
© 2011 Jinwei Liu & Subhra S. Sarkar
Introduction
Phalanx is a self-injecting kernel rootkit for the Linux 2.6 kernel
series, built to capture users' SSH credentials. Instead of loading a
kernel module, it writes hostile code directly into kernel memory through
the /dev/mem interface and hijacks system calls from there. Once
installed, Phalanx keeps privileged access to the compromised system
while hiding its presence from administrators by subverting standard OS
functionality.
History
1. First surfaced in 2005
2. Originally developed by rebel ([email protected])
3. Beta 1: Backdoor, file hiding, process hiding
4. Beta 2: Socket hiding, improved process hiding
5. Beta 3: TTY-Sniffer, improved obfuscation
6. Current version: Beta 6 (with additional functionalities)
Objectives
The objectives of Phalanx fall into the following categories:
1. HID: User space object hiding
2. PE: Privilege escalation
3. REE: Re-entry/backdoor
4. REC: Reconnaissance
5. NEU: Defense neutralization
Phalanx’s standing in rootkit classification
Using the Type 0 to Type 3 scheme from Rutkowska's stealth malware
taxonomy, rootkits can be broadly classified into the following categories:
1. Type 0 rootkit: does not modify the operating system itself
2. Type 1 rootkit: modifies resources that should stay constant after boot
   (a) Hooking lookup tables (e.g. the system call table)
   (b) Code patching
   (c) Hooking CPU registers
3. Type 2 rootkit: modifies dynamic kernel data
   (a) Kernel object hooking
   (b) Direct kernel object manipulation
4. Type 3 rootkit: runs outside the operating system it subverts
   (a) Virtual machine based
   (b) Hardware-assisted virtual machine based
Phalanx writes into kernel memory through /dev/mem and hijacks system
calls, i.e. it hooks a lookup table, so it clearly falls into the Type 1
rootkit category.
Features
1. Harvests SSH keys and other credentials.
2. Creates a hidden directory, by default /etc/khubd.p2, in which the
collected user information is stored. The attacker may give the
directory a different name to evade detection.
3. Hides its running processes.
4. Its process does not appear in “ps” output or in “ls /proc”; the
process's /proc directory can still be entered directly, however.
Notable infections
1. Servers of kernel.org, which distributes the Linux kernel sources,
were found compromised in August 2011, with a Phalanx infection among
the findings.
2. Breach of the SRCF (Student-Run Computing Facility) at the University
of Cambridge in April 2009.
3. A wave of SSH-key-based attacks against Linux servers in August 2008.
Detection mechanisms
1. Try “cd /etc/khubd.p2”: a directory of that name is filtered out of
“ls” listings, but the path still resolves, so “cd” succeeds even though
“ls /etc” never shows it.
2. “/dev/shm/” may contain files left behind by the attack.
3. Compare the hard-link count of /etc (as reported by “stat”) with the
number of directories “ls” shows. Each subdirectory's “..” entry adds one
link to the parent, so on filesystems such as ext4 the count is 2 plus the
number of subdirectories; a surplus points to a hidden directory.
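The hidden-directory probe and the link-count comparison above, as an added shell example (not from the slides and not part of Phalanx). It assumes a Linux host with GNU coreutils (`stat -c %h`, with the BSD form as a fallback) and a filesystem such as ext4, xfs or tmpfs where a directory's link count is 2 plus its number of subdirectories; btrfs and overlayfs merged directories report 1, which the check reports as unsupported rather than as a finding. The function names and the `compare_counts` output format are this example's own.

```shell
#!/bin/sh
# Added example: the Phalanx hidden-directory checks as reusable functions.
# Assumes Linux + GNU coreutils and a filesystem where a directory's
# st_nlink is 2 + number of subdirectories (btrfs and overlayfs merged
# directories report 1 and are flagged "unsupported").

# Count subdirectories the way ls does: by walking the readdir() results.
# A rootkit that filters getdents() output hides entries from this loop
# too, which is exactly what the link-count comparison is meant to expose.
visible_subdirs() {
    dir=$1
    n=0
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # Symlinks to directories add no link to the parent; skip them.
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Pure comparison of the two counts, so the logic is testable without a
# rootkit. Prints "ok", "mismatch:<hidden>" or "unsupported".
compare_counts() {
    nlink=$1
    visible=$2
    if [ "$nlink" -lt 2 ]; then
        echo unsupported
        return 0
    fi
    expected=$((nlink - 2))   # "." and ".." account for the first two links
    if [ "$expected" -eq "$visible" ]; then
        echo ok
    else
        echo "mismatch:$((expected - visible))"
    fi
}

# The slide's check: link count of a directory (default /etc) versus the
# number of subdirectories ls shows.
audit_dir() {
    dir=${1:-/etc}
    # GNU stat first, BSD stat as a fallback
    nlink=$(stat -c %h "$dir" 2>/dev/null || stat -f %l "$dir")
    compare_counts "$nlink" "$(visible_subdirs "$dir")"
}

# The "cd works but ls does not show it" probe. Prints "absent",
# "visible" or "hidden".
probe_hidden_dir() {
    path=$1
    parent=$(dirname "$path")
    name=$(basename "$path")
    if ! (cd "$path" 2>/dev/null); then
        echo absent
        return 0
    fi
    for entry in "$parent"/* "$parent"/.[!.]* "$parent"/..?*; do
        if [ "$(basename "$entry")" = "$name" ]; then
            echo visible
            return 0
        fi
    done
    echo hidden
}

# Usage: sh phalanx_check.sh --audit
if [ "${1:-}" = "--audit" ]; then
    echo "/etc link-count check: $(audit_dir /etc)"
    echo "/etc/khubd.p2: $(probe_hidden_dir /etc/khubd.p2)"
    echo "files in /dev/shm:"
    find /dev/shm -type f 2>/dev/null
fi
```

The comparison pits the readdir()-visible count against the inode's link count, so a rootkit that filters getdents() results but leaves stat() alone produces a surplus. A rootkit that also hooks stat() (or an attacker who renamed the directory) defeats it, so agreement between the two counts is absence of evidence, not proof of a clean host.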
Prevention mechanisms
1. Proactively identify and examine systems where SSH keys are used as
part of automated processes.
2. Encourage users to protect their private keys with passphrases.
3. Review access paths to Internet-facing systems and ensure that those
systems are fully patched.
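The passphrase check behind the second item, as an added shell example (not from the slides and not part of Phalanx). It assumes Linux coreutils (`base64 -d`, `head -c`) and classifies keys by on-disk format: the openssh-key-v1 container stores the cipher name right after its magic string, with "none" meaning the key is stored in clear; legacy PEM keys mark encryption with a `Proc-Type: 4,ENCRYPTED` header; PKCS#8 keys use the `ENCRYPTED PRIVATE KEY` marker. The function names and the `--scan` flag are this example's own.

```shell
#!/bin/sh
# Added example: find private SSH keys stored without a passphrase.
# Assumes Linux coreutils (base64 -d, head -c) and the OpenSSH key file
# formats described in OpenSSH's PROTOCOL.key; function names are this
# example's own.

# Prints "unencrypted", "encrypted" or "unknown" for one key file.
ssh_key_state() {
    file=$1
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$file"; then
        # openssh-key-v1: 15-byte magic "openssh-key-v1\0", then a uint32
        # length and the cipher name. "none" means no passphrase; any
        # cipher (aes256-ctr, chacha20-poly1305, ...) means one was set.
        cipher=$(grep -v '^-----' "$file" | tr -d '\n' | base64 -d 2>/dev/null \
                 | tail -c +20 | head -c 4)
        case $cipher in
            none) echo unencrypted ;;
            "")   echo unknown ;;
            *)    echo encrypted ;;
        esac
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
        echo encrypted                       # PKCS#8 encrypted container
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$file"; then
        # Legacy PEM (RSA/DSA/EC): passphrase-protected keys carry a
        # "Proc-Type: 4,ENCRYPTED" header line before the base64 body.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
            echo encrypted
        else
            echo unencrypted
        fi
    else
        echo unknown
    fi
}

# Walk a tree and print the path of every key that has no passphrase.
# Those are the keys that Phalanx-style credential theft turns straight
# into logins on other hosts.
find_unencrypted_keys() {
    root=$1
    grep -rl 'PRIVATE KEY-----' "$root" 2>/dev/null | while read -r f; do
        if [ "$(ssh_key_state "$f")" = unencrypted ]; then
            echo "$f"
        fi
    done
}

# Usage: sh ssh_key_audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
    for d in /root /home/*; do
        if [ -d "$d/.ssh" ]; then
            find_unencrypted_keys "$d/.ssh"
        fi
    done
fi
```

Keys that automation depends on (the first item above) will appear in this list by design; the point of the scan is to know which of them exist and which hosts each one unlocks, since a Phalanx-infected machine turns every passphrase-less key on it into a foothold on the next server.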
Availability
Phalanx can be downloaded free of charge for educational purposes from
the following URL:
http://packetstormsecurity.org/search/?q=phalanx
Author: rebel ([email protected])
Current version available for download: beta 6
Release date: Nov 17, 2005