LINUX ROOTKITS - PowerPoint PPT Presentation

LINUX ROOTKITS. Chirk Chu. Chief Security Officer. University of Alaska. Statewide System ... Rootkit Software toolkit designed to hide the presence of a ... – PowerPoint PPT presentation

Number of Views:98
Avg rating:3.0/5.0
Slides: 8
Provided by: csU79
Learn more at: https://www.cs.uaf.edu
Transcript and Presenter's Notes

1
LINUX ROOTKITS
Chirk Chu
Chief Security Officer
University of Alaska Statewide System
Information Technology Services
2
Definition
  • Rootkit: software toolkit designed to hide the
    presence of an intruder inside a compromised
    system.
  • Two types of rootkits: user mode and kernel mode.
  • Rootkits may contain trojans, backdoors,
    sniffers, scanners, rootshell exploits, attack
    bots, IRC bots, keystroke loggers, log scrubbers
    and other hacking tools.

3
Rootkits found on UA systems
  • T0rn
  • MYRK
  • Bobkit
  • EPY
  • Diablow
  • Knark KLM
  • RVDA - KLM

4
Uncovering Rootkits
  • Use chkrootkit (http://www.chkrootkit.org).
  • Image system drive and examine rootkit on a
    secure system of the same or similar OS.
  • If not possible, then import original system
    binaries and/or libraries to perform the
    examination.
  • Do not trust anything on the compromised system.
  • Look for hidden files and directories.
  • Look for trojans in boot-up scripts.
  • Compare system binaries with distribution copies.

5
Preventing Rootkits
  • Use network and host-based firewalls (ipchains or
    iptables) and TCP Wrappers.
  • Disable unused and unnecessary network services.
  • Remove unused and unnecessary software packages.
  • Patch OS and applications on a regular basis.
  • Stay current on security vulnerabilities.
  • Compile and use a static kernel without KLM
    support.
  • Use a host-based IDS like Tripwire.
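Slides 4 and 5 describe the same defensive idea from two sides: compare the suspect system's binaries, libraries and boot scripts against known-good distribution copies, look for hidden files, and keep a Tripwire-style integrity baseline. The following is an added example, not code from the presentation, of a minimal version of that check in Python. It assumes the suspect disk image is mounted read-only on a trusted host (the slide's "do not trust anything on the compromised system") and that a clean tree of the same OS version is available as the baseline; the file names and contents in the demo scenario are constructed.

```python
"""Added example: a minimal Tripwire-style integrity check run from a trusted
host against a mounted image of a suspect system (not from the slides)."""
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks with the trusted host's own tools."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (sha256, permission bits, size) for every regular
    file under root. Symlinks are recorded by their target, not followed."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                manifest[rel] = ("symlink:" + os.readlink(full), stat.S_IMODE(st.st_mode), 0)
            elif stat.S_ISREG(st.st_mode):
                manifest[rel] = (hash_file(full), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def compare_manifests(baseline, suspect):
    """Files whose content, mode or size differ from the clean copies, files
    present only in the suspect tree (possible rootkit drops), and files
    missing from it."""
    modified = sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p])
    added = sorted(set(suspect) - set(baseline))
    removed = sorted(set(baseline) - set(suspect))
    return {"modified": modified, "added": added, "removed": removed}


def find_hidden(root):
    """The slide's 'look for hidden files and directories': every dot-named
    entry under root, reported relative to the image mount point."""
    hidden = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            if name.startswith("."):
                hidden.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hidden)


def _write(root, rel, data, mode=0o755):
    """Helper for the constructed scenario: create a file with given content."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: a clean tree standing in for the distribution
    copies, and a suspect tree with a replaced binary, an edited boot script
    and a new hidden directory. Returns the combined report."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "bin/ls", b"#!/bin/sh\nexec /bin/busybox ls \"$@\"\n")
            _write(root, "bin/ps", b"#!/bin/sh\nexec /bin/busybox ps \"$@\"\n")
            _write(root, "etc/rc.d/rc.local", b"#!/bin/sh\n# local startup\n", 0o644)
        # Tampering in the suspect tree only (constructed, content is a placeholder)
        _write(suspect, "bin/ps", b"TAMPERED PLACEHOLDER\n")
        _write(suspect, "etc/rc.d/rc.local",
               b"#!/bin/sh\n# local startup\n/usr/lib/.hidden/start\n", 0o644)
        _write(suspect, "usr/lib/.hidden/start", b"#!/bin/sh\n")
        report = compare_manifests(build_manifest(clean), build_manifest(suspect))
        report["hidden"] = find_hidden(suspect)
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

On a real case the baseline comes from distribution media or a clean install of the same release, never from the suspect image, and the hidden-file scan is worth restricting to system directories such as /bin, /sbin, /lib and /usr where dot-named entries are not expected; the edited boot script in the scenario is exactly the "trojans in boot-up scripts" case the slide calls out, and it is caught because rc.local's hash changed.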

6
Live Demonstration
  • T0rn Rootkit
  • Author: Surrey, a 21-year-old from Surbiton,
    England, arrested by Scotland Yard in September
    2002.
  • Analysis available at
    http://www.securityfocus.com/infocus/1230

7
Live Demonstration
  • RVDA Rootkit
  • It is a KLM rootkit.
  • Found on a UAF CS test server running RH 7.2.
  • Functions only on an unpatched kernel.
  • Source code is very small.
  • Romanian in origin?