[ale] New Backdoor App

Michael H. Warfield mhw at wittsend.com
Sun Jul 15 14:32:08 EDT 2001


On Sun, Jul 15, 2001 at 02:18:23PM -0400, Transam at cavu.com wrote:
> SAngell at nan.net wrote:
> > Has anybody seen this little gem hands on? Looks like this may cause a
> > new round of headaches for all security folks out there. Is supposed to
> > be unveiled on the 18th of this month at DefCon. It's a loadable kernel
> > module for Linux, almost completely undetectable from what I have read. It
> > can send a packet from a spoofed address to the system of choice on ANY
> > port that is available. Its name KIS (Kernel Intrusion System)

> I wonder how it manages to hide from lsmod.  Perhaps lsmod uses a different
> piece of data in the kernel (that this hack stomps on) than is used by the
> kernel to actually find the code.

	Standard trick with Adore (another stealth kernel module) or
this one or a couple of others is to simply unlink itself from the
kernel module chain once it initialized.  The kernel no longer finds
it on the module chain so lsmod no longer shows it and rmmod won't
remove it.  It's still in the device tables and proc tables and all that
other good stuff, it just appears to be part of the core kernel and
not a module, now.

> After thinking about it a few minutes, I could not come up with a good
> simple defense or detection.  (While certainly the executable could be
> spotted, a cracker just has to encrypt it for long term storage on disk.)

	Only defense is to prevent it from loading.  Once loaded, it's
running in kernel space and can do ANYTHING.

> Since it only modifies the running kernel, not even a Trojan sweep of the
> disk using a trusted path (booted from a trusted floppy/CD-ROM) will detect
> a modified kernel on disk.

	But you can spot the module binary.  Even encrypted, it has to be
decrypted by SOMETHING in order to get loaded.  Adore is pretty easy
to spot using something like the LinuxCare BBC.  LIDS is also a good
way to deal with this.  Load all of your required modules early and then
seal the kernel to prevent any further modules being loaded.

> I see the need now, as part of building the kernel and loadable modules at
> each Linux site for the following.  The SysAdmin building them signs each
> one cryptographically (GPG or PGP) and the running kernel verifies itself
> and each module upon loading and rejects those with bad signatures.

	Been discussed and there are packages and patches out there for
doing it.

> The mechanism used to avoid lsmod detection (whatever it is) should be
> fairly easy to block in the next revision of 2.2 and 2.4.

	I don't see how...  Once a kernel module is loaded, it can tamper
with the kernel structures.  It can modify those structures so that it no
longer looks like a module.  I don't see how you can block that.  You
have to prevent it from being loaded.  Once a kernel module is loaded, it's
game over.  It can violate rules that even root cannot violate.  Whatever
detection trick you come up with, they can come up with something to
circumvent it.  Best just to stop them from loading in the first place.

> > Read more at:

> > http://www.uberhax0r.net/kis/

> > Also, note the logo! Being a fan of KISS for many years I loved the obvious
> > influence.
> 
> > Steve Angell,  MCSE, CCNA
> > MIS Operations Manager
> > TSYS Total Debt Management
> > Phone 770-409-5570
> > Fax      770-416-1752
> 
> Bob Toxen
> transam at cavu.com                       [Bob's ALE Bulk email]
> bob at cavu.com                           [Please use for email to me]
> http://www.cavu.com
> http://www.realworldlinuxsecurity.com/ [My book: "Real World Linux Security"]
> Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
> Quality Linux & UNIX security and software consulting since 1990.
> 
> GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
> pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
>      Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
> sub  2048g/03FFCCB9 2000-06-21
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
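
Added example, not part of this thread or of any tool named in it: the kind of cross-check Bob is reaching for, written for a modern Linux with sysfs and /proc/kallsyms, which the 2.2/2.4 kernels under discussion did not have. A module that unlinks itself from the module list drops out of /proc/modules (what lsmod prints), but unless it also scrubs them, its symbols stay tagged in /proc/kallsyms and its directory stays under /sys/module; the sample inputs below are constructed, and, as Mike says, code running in kernel space can remove that evidence as well.

```python
import os
import re

# Constructed sample of /proc/modules (what lsmod reads). Only good_mod is listed.
PROC_MODULES = "good_mod 16384 0 - Live 0xffffffffc0a00000\n"

# Constructed sample of /proc/kallsyms. Symbols belonging to a loaded module
# carry a trailing "[module]" tag; hidden_mod has symbols but no lsmod entry.
KALLSYMS = (
    "ffffffff81000000 T _text\n"
    "ffffffffc0a00000 t good_init\t[good_mod]\n"
    "ffffffffc0b00000 t hidden_init\t[hidden_mod]\n"
    "ffffffffc0b00100 t hidden_hook\t[hidden_mod]\n"
)

# Constructed listing of /sys/module/<name>/. A "sections" entry exists only for
# code loaded as a module; built-in code such as printk has none.
SYS_MODULE = {
    "good_mod": {"sections", "initstate", "refcnt"},
    "hidden_mod": {"sections", "initstate", "refcnt"},
    "printk": {"parameters"},
}

def modules_from_proc(text):
    """Names in /proc/modules, i.e. what lsmod prints (first field per line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}

def modules_from_kallsyms(text):
    """Module names tagged on symbols in /proc/kallsyms."""
    return set(re.findall(r"\[([^\]\s]+)\]\s*$", text, re.M))

def modules_from_sysfs(listing):
    """Names under /sys/module whose directory has a sections/ entry."""
    return {name for name, entries in listing.items() if "sections" in entries}

def find_hidden(proc_modules, kallsyms, sysfs_listing):
    """Modules the kernel shows evidence of, but which lsmod's list omits."""
    visible = modules_from_proc(proc_modules)
    evidence = modules_from_kallsyms(kallsyms) | modules_from_sysfs(sysfs_listing)
    return sorted(evidence - visible)

def scan_live_system(sys_module_dir="/sys/module"):
    """Same cross-check against the running kernel (Linux; read access assumed)."""
    with open("/proc/modules") as f:
        proc = f.read()
    with open("/proc/kallsyms") as f:
        syms = f.read()
    listing = {name: set(os.listdir(os.path.join(sys_module_dir, name)))
               for name in os.listdir(sys_module_dir)}
    return find_hidden(proc, syms, listing)
```

A name reported here means the kernel still carries symbols or a sysfs directory for a module that the module list no longer shows; an empty result proves nothing, for the reason Mike gives.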
