Nexus

Home
Science
Politics
Technology
Space
News
Health

Linux Kernel 2.6.x /proc Rootkit Backdoor (Unix/Darbe-A)

Read

Linux Kernel 2.6.x /proc rootkit(Unix/Darbe-A)

Date:
=====

2012-11-21

Introduction:
=============

Unix/Darbe-A is a new kernel rootkit based /proc file system., modification is made in order to support kernel 2.6.x

Detected
========

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Unix~Darbe-A/detailed-analysis.aspx

Analysis
=========

analiz@server:/tmp$ uname -a

Linux server 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:32:50 UTC 2012 i686 i686 i386 GNU/Linux

analiz@server:/tmp$ lsmod

Module Size Used by

security 13046 0 <--- Linux Kernel Module ??? What is the task?

vsock 47098 0

rfcomm 37291 4

bnep 17711 2

analiz@server:/tmp$ ./kontrol

Sistem yetki unitesi

Kullanim: ./kontrol

What is the meaning of the word "sifre"? - it is not an english word? ~ comes from the Turkish. In English it means "password"

analiz@server:/tmp$ gdb ./kontrol

GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04

(gdb) r sifre <- run

Starting program: /tmp/kontrol sifre

Bir Bulutla KI$ Gelmez! < -- Turkish sentence

[Inferior 1 (process 3314) exited with code 01] <-----------Anti debug ???

analiz@server:/tmp$ ./kontrol password

Sifre yanlis! <--? Wrong Password.

analiz@server:/tmp$ objdump -s ./kontrol | grep sifre

80c5b30 3c736966 72653e20 0a0a2000 66616272 .. .fabr <--??* fabr??

analiz@server:/tmp$ objdump --start-address=0x80c5b30 --stop-address=0x80c5b50 -s ./kontrol

./kontrol: file format elf32-i386

Contents of section .rodata:

80c5b30 3c736966 72653e20 0a0a2000 66616272 .. .fabr <---- fabrika ??

80c5b40 696b6100 0a536966 72652079 616e6c69 ika..Sifre yanli

analiz@server:/tmp:/tmp$ ./kontrol fabrika <--- pass is fabrika

# id <--- ?? upss.. #root#

uid=0(root) gid=0(root) groups=0(root)

Linux Kernel Module(security.ko) has been injected into the system, control program(./kontrol fabrika) makes a normal user to root.

DOWNLOAD Linux Kernel 2.6.x /proc Rootkit Backdoor (Unix/Darbe-A)

Read More Add comment

Linux Kernel 2.6.x /proc Rootkit Backdoor (Unix/Darbe-A)

Linux Kernel 2.6.x /proc Rootkit Backdoor (Unix/Darbe-A)

Reviewed by 0x000216 on Saturday, November 24, 2012 Rating: 5

Restore Point Forensics

Read

I was doing some digging around the other day, researching System Restore points in XP...they're only in XP (and ME, but we're only concerned with the NT-style Windows OSs), and not something you'll find in 2000 or 2003.

So, what is "System Restore"? SR is a function of XP that creates "restore points" or limited backups of certain important files, depending upon certain triggers. For example, by default, a restore point will be created every calendar day. Also, restore points are created whenever the user installs software. This, of course, means that you could technically have multiple restore points created during a single day. Restore points can be used in case something goes wrong with the installation and the system is affected...the user can select a previous restore point, and "roll back" the system to that point. This is a very cool thing, and I've used it more than once myself. Keep in mind, though, restore points do not affect certain things, such as login passwords or a user's data, so don't be afraid to select a restore point from 3 days ago because you think you might loose that spreadsheet you built yesterday.

So what do restore points mean to us? Well, they're full of a wealth of information about the system. I've presented on the topic of "the Registry as a logfile" in the past, and this is a great example of that. Important files are backed up, but so are portions of the Registry, such as the System and Software files, the user's profile(s), and portions of the SAM. These Registry files have keys in them, and the keys have LastWrite times.

Where do these come into play? I've seen several questions in some of the lists lately, asking about things like "was this user account on the system", or "did the user change their name", as well as other questions where, on the face, would best be answered if there were some way to take a glimpse into the past. Restore points let you do that.

The structure of the restore points is pretty simple. On the root of the system drive, you'll find a "System Volume Information" directory, and beneath that a directory named "_restore{GUID}". Beneath that, you'll have numbered restore points...RP35, RP36, RP37, etc. You get the idea. Within each of these "RP**" directories, you'll have some backed up files (depends on the nature of the restore point), and a file called 'rp.log'. This is a binary file that contains the description string (null terminated string starting at offset 0x10) for the restore point, as well as the FILETIME object of when it was created (QWORD starting at offset 0x210). Finally, there is a snapshot directory holding all of the Registry file backups.

If you're interested in peering into these restore points, but don't have an image available, you can look at them on your own XP system. One way to get some information is through WMI. Using the SystemRestore and SystemRestoreConfig objects, you can get information about each restore point, as well as configuration settings about the System Restore, respectively. I wrote a Perl script to do this...here's an excerpt of what I got on my system:

64 13:28:07 09/27/2006 Installed Windows Live Messenger
65 15:07:48 09/28/2006 System Checkpoint
.
.
.
73 12:45:41 10/09/2006 System Checkpoint
74 14:03:53 10/09/2006 Installed QuickTime
75 19:25:09 10/09/2006 Installed Microsoft .NET Framework 1.1
76 20:21:54 10/10/2006 System Checkpoint
77 20:52:59 10/11/2006 System Checkpoint
78 22:00:48 10/12/2006 System Checkpoint
79 22:20:18 10/12/2006 Installed Windows Media Player 11
80 22:20:41 10/12/2006 Installed Windows XP Wudf01000.
81 10:45:08 10/14/2006 Software Distribution Service 2.0
82 12:35:54 10/18/2006 System Checkpoint
83 18:29:09 10/19/2006 System Checkpoint
84 20:38:49 10/19/2006 Removed ProDiscover IR 4.8a
85 20:43:48 10/19/2006 Installed ProDiscover IR 4.84

Kind of cool. This gives me something of a view of the activity of the system, not only when it was online, but also what was going on. Notice that on 19 Oct, three restore points were created. Not only was the normal System Checkpoint created, but there was a software removal and an installation. This script is very useful, not only for incident response (include it with the FRU and FSP), but also for general system administration. It works remotely as well as locally, and gives the admin some good visibility into the system.

The other interesting thing about this is the order of the restore points. Notice that as the restore point indexes increase, so do the timestamps. If I were to have modified my system time several days ago, things might not appear to be in order...so this is a good little sanity check to see if maybe the system time was modified. It's not definitive, mind you, but a good check.

If you just want to take a look around, go to SysInternals and get a copy of psexec. Once it's on your system, type:

psexec -s cmd

and a command prompt will open, but you'll have SYSTEM level privileges. Then type:

cd \Sys*
cd _restor*

Now, select one of the restore points and cd to that directory, then to the snapshot directory. If you do a 'dir' at this point, you'll see all of the various Registry files that are backed up, each one beginning with "_REGISTRY_MACHINE_*". At this point, you can copy any of these files out to a "normal" directory, and either open the file in a hex editor, or run it through the Offline Registry Parser and see the contents in ASCII. I tried this and dumped out one of the SAM files I found, and saw that I could see the C values that hold group membership information, as well as the F and V values for user's account information. One of the things I've got in the works is a set of scripts that will parse through these files (and the "normal" Registry files), reporting on what it finds...but in a way that's readable to an investigator. So, rather than spewing out binary data for the F and V values for a user account, translate that into something readable, like my UserDump ProScript. Something like this could be used to 'diff' the various files from restore points.

I've developed a ProDiscover ProScript for sorting through the restore points on an XP system, and I'll make it available when the next version is released.

Additional Resources:
Steve Bunting's site (he uses EnCase)
Bobbie Harder's site (links to KB articles)
Windows XP System Restore
Wang's Blog (tells you how to open the RP** Registry files in RegEdit)
Restore Point Log Format

Read More Add comment

Restore Point Forensics

Restore Point Forensics

Reviewed by 0x000216 on Friday, October 20, 2006 Rating: 5

Older Posts Home

Recent Posts

Facebook

Created By Nexus · Powered by Blogger
© All Rights Reserved

Terms Of Service · Privacy Policy · Disclaimer · Contact Us · About Us