Linux Kernel 2.6.x /proc Rootkit Backdoor (Unix/Darbe-A)
Date:
=====
2012-11-21
Introduction:
=============
Unix/Darbe-A is a new kernel rootkit based on the /proc file system; the modification was made in order to support kernel 2.6.x.
Detected
========
Analysis
=========
analiz@server:/tmp$ uname -a
Linux server 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:32:50 UTC 2012 i686 i686 i386 GNU/Linux
analiz@server:/tmp$ lsmod
Module Size Used by
security 13046 0 <--- Linux kernel module ??? What is its task?
vsock 47098 0
rfcomm 37291 4
bnep 17711 2
analiz@server:/tmp$ ./kontrol
Sistem yetki unitesi
Kullanim: ./kontrol <sifre>
What does the word "sifre" mean? It is not an English word; it comes from Turkish and means "password".
analiz@server:/tmp$ gdb ./kontrol
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
(gdb) r sifre <- run
Starting program: /tmp/kontrol sifre
Bir Bulutla KI$ Gelmez! <-- Turkish sentence ("winter does not come with one cloud")
[Inferior 1 (process 3314) exited with code 01] <-----------Anti debug ???
analiz@server:/tmp$ ./kontrol password
Sifre yanlis! <-- Wrong password.
analiz@server:/tmp$ objdump -s ./kontrol | grep sifre
80c5b30 3c736966 72653e20 0a0a2000 66616272 <sifre> .. .fabr <--?? fabr??
analiz@server:/tmp$ objdump --start-address=0x80c5b30 --stop-address=0x80c5b50 -s ./kontrol
./kontrol: file format elf32-i386
Contents of section .rodata:
80c5b30 3c736966 72653e20 0a0a2000 66616272 <sifre> .. .fabr <---- fabrika ??
80c5b40 696b6100 0a536966 72652079 616e6c69 ika..Sifre yanli
analiz@server:/tmp$ ./kontrol fabrika <--- the password is fabrika
# id <--- ?? oops.. #root#
uid=0(root) gid=0(root) groups=0(root)
The Linux kernel module (security.ko) has been loaded into the system, and the control program (./kontrol fabrika) turns a normal user into root.
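The first sign of the backdoor above is a loaded module ("security") that the analyst cannot place. One routine check a responder can script is to compare the loaded module list against the modules shipped for the running kernel in modules.dep: anything loaded that the kernel's own module tree does not know about deserves a closer look. The script below is an added example written for this page, not code from the original analysis or from the rootkit; the lsmod listing is the one shown above, and the modules.dep fragment is a constructed sample whose paths are assumptions.

```python
"""Flag loaded kernel modules that are not shipped in the running kernel's module tree.

Added example, not part of the original analysis.  Works offline on the
constructed samples below; when run as a script it reads /proc/modules and
/lib/modules/<release>/modules.dep from the live system instead.
"""
import os

# Constructed sample: the lsmod listing from the analysis above.
SAMPLE_LSMOD = """\
Module                  Size  Used by
security               13046  0
vsock                  47098  0
rfcomm                 37291  4
bnep                   17711  2
"""

# Constructed sample of modules.dep lines ("<path>.ko: <dependencies>").
# The paths are assumptions for the example, not taken from the page.
SAMPLE_MODULES_DEP = """\
kernel/net/vmw_vsock/vsock.ko:
kernel/net/bluetooth/rfcomm/rfcomm.ko: kernel/net/bluetooth/bluetooth.ko
kernel/net/bluetooth/bnep/bnep.ko: kernel/net/bluetooth/bluetooth.ko
"""


def parse_modules(text):
    """Parse lsmod or /proc/modules output into {name: (size, refcount)}.

    Both formats start each line with name, size and use count; lsmod adds
    a header line beginning with 'Module', which is skipped.
    """
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Module":
            continue
        mods[parts[0]] = (int(parts[1]), int(parts[2]))
    return mods


def known_modules(dep_text):
    """Return the set of module names listed in a modules.dep file.

    The kernel reports module names with '-' normalised to '_', so the same
    normalisation is applied to the file basenames here.
    """
    names = set()
    for line in dep_text.splitlines():
        path = line.split(":", 1)[0].strip()
        if not path:
            continue
        base = path.rsplit("/", 1)[-1]
        base = base.split(".ko", 1)[0]          # strips .ko, .ko.gz, .ko.xz
        names.add(base.replace("-", "_"))
    return names


def unexpected_modules(modules_text, dep_text):
    """Names of loaded modules with no corresponding entry in modules.dep."""
    known = known_modules(dep_text)
    return sorted(
        name for name in parse_modules(modules_text)
        if name.replace("-", "_") not in known
    )


if __name__ == "__main__":
    dep_path = "/lib/modules/%s/modules.dep" % os.uname().release
    if os.path.exists("/proc/modules") and os.path.exists(dep_path):
        with open("/proc/modules") as f, open(dep_path) as g:
            suspects = unexpected_modules(f.read(), g.read())
    else:
        suspects = unexpected_modules(SAMPLE_LSMOD, SAMPLE_MODULES_DEP)
    for name in suspects:
        print("loaded module not found in modules.dep: %s" % name)
```

On the sample data the only module reported is "security". Two caveats apply in practice: legitimately built out-of-tree modules (DKMS drivers, hypervisor tools) are also absent from modules.dep and need an allowlist, and a module that hides itself from /proc/modules will not be visible to lsmod at all, so this check complements rather than replaces memory-based inspection.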
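The second step of the analysis recovers the control program's hard-coded password by reading the .rodata section with `objdump -s`. The hex columns are the reliable part of that output, because objdump prints every non-printable byte in the ASCII column as a dot, which is exactly why "fabrika" is split across two lines and partly hidden there. The following script is an added example written for this page, not code from the original analysis: it reconstructs the raw bytes from the hex columns of the two objdump lines shown above (embedded here as a constructed sample) and lists the printable strings with their addresses, the same thing the analyst did by eye.

```python
"""Recover printable strings from `objdump -s` hex-dump output.

Added example, not part of the original analysis.  The sample input is the
.rodata excerpt shown on the page; only the hex columns are parsed, the
trailing ASCII column is ignored because objdump masks non-printables as '.'.
"""
import re

# Constructed sample: the two `objdump -s` lines from the analysis above.
SAMPLE_OBJDUMP = """\
./kontrol: file format elf32-i386

Contents of section .rodata:
 80c5b30 3c736966 72653e20 0a0a2000 66616272  <sifre> .. .fabr
 80c5b40 696b6100 0a536966 72652079 616e6c69  ika..Sifre yanli
"""

# An objdump -s data line: address, then up to four hex words separated by
# single spaces.  The ASCII column follows after a second space and is not
# captured, so hex-looking text in it cannot be mistaken for data.
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2,8} ){1,4})")


def parse_objdump_dump(text):
    """Return (base_address, data_bytes) reconstructed from objdump -s output."""
    base = None
    chunks = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue                      # headers, blank lines, section names
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        chunks.append(bytes.fromhex(m.group(2).replace(" ", "")))
    return base, b"".join(chunks)


def extract_strings(data, base, min_len=4):
    """Return [(address, text)] for runs of printable ASCII of at least min_len.

    A run ends at any non-printable byte (NUL, newline, ...), so C strings
    that are separated by NUL terminators come out as separate entries.
    """
    found = []
    start = None
    for i, b in enumerate(data + b"\0"):   # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((base + start, data[start:i].decode("ascii")))
            start = None
    return found


def recover_strings(text=SAMPLE_OBJDUMP, min_len=4):
    """Convenience wrapper: objdump text in, list of (address, string) out."""
    base, data = parse_objdump_dump(text)
    return extract_strings(data, base, min_len)


if __name__ == "__main__":
    for addr, s in recover_strings():
        print("%08x  %r" % (addr, s))
```

On the sample this yields the usage placeholder "<sifre> " at 0x80c5b30, the password "fabrika" at 0x80c5b3c and the start of the "Sifre yanli..." error message at 0x80c5b45, which matches what the analyst read off the dump. For a whole binary the standard `strings` tool does the same job; the value of parsing objdump output is being able to work from a captured dump when the sample itself is no longer available.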
Reviewed by 0x000216 on Saturday, November 24, 2012