
Certification Objective 8.02–Explain Rootkits that Exploit Loadable Kernel Modules

A rootkit is sometimes referred to as an advanced Trojan horse program. A rootkit utility can be used not only to provide remote backdoor access to attackers, but it typically also attempts to hide the attacker's presence on the system. A loadable kernel module (LKM), by contrast, is a legitimate part of the system kernel: LKMs are kernel extensions, dynamically loadable kernel components typically used to load device drivers. In this section, we'll discuss rootkit utilities that exploit the use of LKMs to modify the running kernel for malicious purposes.

Exam Watch 

For the exam, know that a rootkit utility is used to provide remote backdoor access to attackers and to hide the attacker's presence on the system. Also, some types of rootkit utilities exploit the use of loadable kernel modules.

Rootkits and Loadable Kernel Modules

To understand rootkits and LKMs better, let's take a look at an actual "black-hat" hacking example that was detected and monitored using two different intrusion detection system (IDS) sensors, as well as a popular sniffer (EtherPeek NX by WildPackets). The target company's name is concealed for privacy, so in this example we'll refer to it as TargetABC.

Real-World Attack Synopsis

TargetABC headquarters is located in the United States Midwest region. Despite critical warnings from two separate third-party security auditors, TargetABC ignored, or failed to prioritize, the remediation recommendations for a vulnerable Solaris system on a branch office network that connects to the headquarters via a virtual private network (VPN) over a broadband connection. The attack began with a series of port scans against the Solaris system, which, like so many secondhand or backburner systems, was not properly patched or updated. As you know by now, port scanning is among the first steps in the discovery process used to fingerprint potentially vulnerable systems.

After this particular system was detected, various vulnerability scanners also appear to have been employed, potentially to map out any known weaknesses in the system. At that point, we believe the attacker effortlessly located Remote Procedure Call (RPC) weaknesses in rpc.ttdbserverd (ToolTalk), rpc.cmsd (Calendar Manager), and rpc.statd that could allow immediate root compromise of the operating system. After gaining root access and a shell, the attacker created a few backdoor user accounts, one with root privileges.

Exam Watch 

Device-specific files in the /etc and /devices directories are common targets for attackers to attempt to gain access to the operating system, especially for creating backdoors to the system.

The next time the attacker logged in and switched to the backdoor root account, he downloaded, unpacked, and installed a few rootkits, all from his remote location. Among other things, the rootkits replaced the ps program, which is used to list the processes running on the system (apparently to hide his presence by concealing the processes used by the rootkit). In addition, device-specific files were targeted for deploying backdoors on the system. Unfortunately for TargetABC, the attack didn't end there. A kernel-level rootkit was also employed to patch the kernel, likely so that, rather than replacing individual commands as with ps, it could remap system functions to execute its code without touching the system programs themselves. This way, when a legitimate user logged in and ran an ordinary program, the Trojaned kernel would instead execute malicious code.

Defending Against Rootkits and Trojaned Loadable Kernel Modules

In this section, we'll discuss ways that Sun advocates to defend against general rootkits and kernel-level rootkits.

As discussed previously in this chapter, frequently using integrity checking mechanisms such as checksums and the sfpDB can help detect maliciously altered programs. If a rootkit is detected, Sun recommends restoring the operating system from trusted sources, followed by reinstalling applications, and finally restoring data from secured backups. Unfortunately, however, kernel-level rootkits are not as easily detectable using integrity-checking mechanisms, given that the kernel itself is involved in the process. Building a kernel that does not support loadable kernel modules (a monolithic kernel) is not feasible with regard to the Solaris operating system. For this reason, Sun recommends building a kernel that monitors and controls the system's treatment of its loadable kernel modules, especially for perimeter security or outside systems operating as gateways, web, and mail agents. If restricting loadable kernel modules is not practical, Sun recommends taking advantage of the Solaris Cryptographic services. We'll revisit these techniques later in Parts V and VI of this book.
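The integrity check recommended above can be carried out with nothing more than a stored digest listing. The following Python is an added example written for this page, not code from the study guide or from Sun: it records message digests of trusted files while the system is known-good, then recomputes them later to show which file has been replaced (as the attacker in this chapter replaced ps). The "alg (path) = hexdigest" line format is modelled on the output of the Solaris digest -v command summarised in the Two-Minute Drill; treating it as exactly that format is an assumption of this example, as are the constructed file contents.

```python
"""Record message digests for trusted files, then re-verify them later.

Added example for this page, not code from the study guide or from Sun.
The listing format 'alg (path) = hexdigest' is assumed to mirror Solaris
`digest -v`; the files and their contents below are constructed samples.
"""
import hashlib
import os
import re
import tempfile

_LINE_RE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-fA-F]+)$")


def file_digest(path, algorithm="sha1"):
    """Hex digest of a file, hashed in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_listing(paths, algorithm="sha1"):
    """Return listing text with one 'alg (path) = digest' line per file."""
    return "".join(f"{algorithm} ({p}) = {file_digest(p, algorithm)}\n" for p in paths)


def verify_listing(listing):
    """Recompute every digest in a listing.

    Returns {path: status}; status is 'ok', 'ALTERED', 'MISSING', or
    'UNPARSED' for lines that do not match the format or name an unknown algorithm.
    """
    results = {}
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group(1).lower() not in hashlib.algorithms_available:
            results[line] = "UNPARSED"
            continue
        alg, path, expected = m.groups()
        if not os.path.exists(path):
            results[path] = "MISSING"
        elif file_digest(path, alg.lower()).lower() == expected.lower():
            results[path] = "ok"
        else:
            results[path] = "ALTERED"
    return results


def demo():
    """Constructed scenario: baseline two fake binaries, then replace one of them."""
    with tempfile.TemporaryDirectory() as d:
        ps = os.path.join(d, "ps")
        ls = os.path.join(d, "ls")
        with open(ps, "wb") as fh:
            fh.write(b"original ps (constructed sample bytes)")
        with open(ls, "wb") as fh:
            fh.write(b"original ls (constructed sample bytes)")
        baseline = make_listing([ps, ls])
        # Simulate the binary being swapped after the baseline was recorded.
        with open(ps, "wb") as fh:
            fh.write(b"modified ps (constructed sample bytes)")
        return {os.path.basename(p): s for p, s in verify_listing(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The baseline listing is only as trustworthy as where it is kept: store it off the host (or on read-only media) and run the verification from a known-good environment, since a rootkit that has replaced ps can just as easily replace the digest tool or edit a listing left on the same disk.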

One final point about the Solaris system file should be considered here. The system kernel configuration file (/etc/system) contains commands that are read when the kernel is initialized. These commands can be used in particular to modify the system's operation concerning how to handle loadable kernel modules. Commands that modify the handling of LKMs require you to specify the module type by listing the module's namespace, thus giving you the ability to load a loadable kernel module or exclude one from being loaded.

Following is Sun's sample system file:

* Force the ELF exec kernel module to be loaded during kernel
* initialization. Execution type modules are in the exec namespace.
forceload: exec/elfexec
* Change the root device to /sbus@1,f8000000/esp@0,800000/sd@3,0:a.
* You can derive root device names from /devices.
* Root device names must be the fully expanded Open Boot Prom
* device name. This command is platform and configuration specific.
* This example uses the first partition (a) of the SCSI disk at
* SCSI target 3 on the esp host adapter in slot 0 (on board)
* of the SBus of the machine.
* Adapter unit-address 3,0 at sbus unit-address 0,800000.
rootdev: /sbus@1,f8000000/esp@0,800000/sd@3,0:a
* Set the filesystem type of the root to ufs. Note that
* the equal sign can be used instead of the colon.
rootfs:ufs
* Set the search path for kernel modules to look first in
* /usr/phil/mod_test for modules, then in /kernel/modules (the
* default) if not found. Useful for testing new modules.
* Note that you can delimit your module pathnames using
* colons instead of spaces: moddir:/newmodules:/kernel/modules
moddir:/usr/phil/mod_test /kernel/modules
* Set the configuration option {_POSIX_CHOWN_RESTRICTED} :
* This configuration option is enabled by default.
set rstchown = 1
* Disable the configuration option {_POSIX_CHOWN_RESTRICTED} :
set rstchown = 0
* Turn on debugging messages in the modules mydriver. This is useful
* during driver development.
set mydriver:debug = 1
* Bitwise AND the kernel variable "moddebug" with the
* one's complement of the hex value 0x880, and set
* "moddebug" to this new value.
set moddebug & ~0x880
* Demonstrate the cumulative effect of the SET
* bitwise AND/OR operations by further modifying "moddebug"
* by ORing it with 0x40.
set moddebug | 0x40

Refer to the system(4) man page (system configuration information file) in your Solaris Reference Manual Collection or online at http://docs.sun.com for supported namespaces and syntax. Although monolithic kernels are not feasible in the Solaris operating environment, you can at least control which LKMs are loaded.
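Because /etc/system decides which modules the kernel will force in, keep out, and where it will search for them, it is worth auditing as part of a rootkit review. The following Python is an added example written for this page, not code from the study guide or from Sun. It parses the directive forms the chapter describes (comment lines beginning with *, forceload/exclude/rootdev/rootfs/moddir with a colon or equal-sign separator, and set lines) and reports the entries a defender would want to look at: module search paths outside the stock locations, a stray trailing period on a module directory (which would make the kernel search a directory literally named /kernel/modules.), and forceload or exclude lines in an unfamiliar namespace. The stock-directory and namespace lists are this example's assumptions rather than something the chapter states, and the sample file is constructed.

```python
"""Audit /etc/system directives that control loadable kernel modules.

Added example for this page, not code from the study guide or from Sun.
STOCK_MODDIRS and KNOWN_NAMESPACES are assumptions of this example and are
not exhaustive; the sample file below is constructed.
"""
import re

# Module directories a stock Solaris install searches (assumption for this example).
STOCK_MODDIRS = ("/kernel", "/usr/kernel", "/platform")
# Module namespaces commonly used in forceload/exclude lines (assumption; not exhaustive).
KNOWN_NAMESPACES = {"drv", "exec", "fs", "misc", "sched", "strmod", "sys"}

_DIRECTIVE_RE = re.compile(r"^(forceload|exclude|rootdev|rootfs|moddir)\s*[:=]\s*(.*)$")
_SET_RE = re.compile(r"^set\s+(.*)$")


def parse_system_file(text):
    """Return (directive, value) tuples; comment lines ('*') and blank lines are skipped."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if m:
            directives.append((m.group(1), m.group(2).strip()))
            continue
        m = _SET_RE.match(line)
        if m:
            directives.append(("set", m.group(1).strip()))
            continue
        directives.append(("unknown", line))
    return directives


def audit(directives):
    """Return human-readable findings for directives that merit review."""
    findings = []
    for name, value in directives:
        if name == "moddir":
            # moddir accepts space- or colon-delimited search paths.
            for path in re.split(r"[\s:]+", value):
                if not path:
                    continue
                if not path.startswith(STOCK_MODDIRS):
                    findings.append(f"moddir adds a non-stock module search path: {path}")
                if path.endswith("."):
                    findings.append(f"moddir path ends in '.', probably a typo: {path}")
        elif name in ("forceload", "exclude"):
            namespace = value.split("/", 1)[0]
            if namespace not in KNOWN_NAMESPACES:
                findings.append(f"{name} uses an unexpected namespace '{namespace}': {value}")
        elif name == "unknown":
            findings.append(f"unrecognised directive: {value}")
    return findings


SAMPLE_SYSTEM = """\
* Constructed sample /etc/system, modelled on the chapter's listing.
forceload: exec/elfexec
rootfs:ufs
* A test directory placed ahead of the stock module path, plus a stray '.'
moddir:/usr/phil/mod_test /kernel/modules.
set rstchown = 1
set moddebug & ~0x880
* Keep an unneeded module from ever loading (constructed module name).
exclude: drv/unused_sample_drv
* Forceload from a namespace the audit does not recognise (constructed).
forceload: test/mymodule
"""


def run_audit(text=SAMPLE_SYSTEM):
    return audit(parse_system_file(text))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run against the constructed sample, the audit reports the non-stock /usr/phil/mod_test search path, the trailing period on /kernel/modules., and the forceload from the unknown test namespace; the exclude line in the drv namespace and the set lines pass without comment. A search path that puts a writable directory ahead of /kernel is exactly the kind of change a kernel-level rootkit benefits from, so diff this file against a known-good copy as part of the same routine as the binary checksums.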

Two-Minute Drill

Here are some of the key points from the certification objectives in Chapter 8.

Identify, Detect, and Protect Against Trojan Horse Programs and Backdoors

  • A Trojan horse program is a malicious program that is disguised as some useful software. Trojan examples include a shell script that spoofs the login program and a malicious substitute switch user (su) program.

  • Device-specific files in the /etc and /devices directories are common targets for attackers to attempt to gain access to the operating system, especially for creating backdoors to the system.

  • A worm is a self-replicating program that will copy itself from system to system, sometimes using up all available resources on infected systems or installing a backdoor on the system.

  • A logic bomb is code that is inserted into programming code and is designed to execute under specific circumstances.

  • A fork bomb is a process that replicates itself until it consumes the maximum number of allowable processes.

  • A rootkit utility can be used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

Explain Rootkits that Exploit Loadable Kernel Modules

  • To harden your system and help protect against Trojan horse programs, Sun recommends user awareness education, installing and updating anti-virus software, removing unnecessary compilers, securing file and directory permissions, and monitoring path variables.

  • Path variables should not contain a dot (.) entry, which would cause the system to search the current directory for executables or libraries, and root's search path should never include the current directory.

  • To monitor and help prevent unauthorized changes from being made to system files, Sun recommends using the Automated Security Enhancement Tool (ASET), the Basic Security Module (BSM), Tripwire, and the Solaris cryptographic framework.

  • ASET enables you to monitor and restrict access to system files and directories with automated administration governed by a preset security level (low, medium, or high). The seven tasks that ASET can regularly perform include system files permissions tuning, system files checks, user and group checks, system configuration files check, environment variables check, EEPROM check, and firewall setup.

  • To run ASET at any given time, simply log in as root or become superuser, and then issue the /usr/aset/aset -l level -d pathname command, where level is the security level value (low, medium, or high) and pathname is the working directory for ASET (the default is /usr/aset).

  • To avoid resource encumbrance, ASET tasks should be run during off-peak hours or when system activities are low.

  • Verify whether files were maliciously altered by using message digest algorithms. A message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. MD5 and the Secure Hash Algorithm (SHA1) are among the most popular message digest algorithms.

  • Using the digest command, you can compute a message digest for one or more files. In the Solaris cryptographic framework environment, you can perform digest computations using the syntax digest -v -a algorithm input-file > digest-listing; where -v displays the output with file information, -a algorithm is the algorithm used to compute a digest (that is, MD5 or SHA1), input-file is the input file for the digest to be computed, and digest-listing is the output file for the digest command.

  • The Solaris Fingerprint Database (sfpDB) is a free tool from Sun that allows you to check the integrity of system files through cryptographic checksums online. By doing so, you can determine whether system binaries and patches are safe in accordance with their original checksums stored at Sun, which includes files distributed with Solaris OE media kits, unbundled software, and patches.

  • Frequently using integrity checking mechanisms such as checksums and the sfpDB can help detect maliciously altered programs.

  • If a rootkit is detected, Sun recommends restoring the operating system from trusted sources, followed by the reinstallation of applications, and finally data restoration from secured backups.

  • Kernel-level rootkits are not as easily detectable using integrity checking mechanisms given that the kernel itself is involved in the process. Sun recommends building a kernel that monitors and controls the system's treatment of its loadable kernel modules, especially for perimeter security or outside systems operating as gateways, web, and mail agents. If restricting loadable kernel modules is not practical, Sun recommends taking advantage of the Solaris Cryptographic services.

  • The system file (/etc/system) contains commands that are read when the kernel is initialized. These commands can be used to modify the system's operation concerning how to handle loadable kernel modules. Commands that modify the handling of LKMs require you to specify the module type by listing the module's namespace, thus giving you the ability to load a loadable kernel module or exclude one from being loaded.
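The path-variable rule in the drill above is easy to check mechanically. The following Python is an added example written for this page, not code from the study guide or from Sun. It goes a little beyond the text: besides an explicit dot entry, an empty entry (a leading or trailing colon, or a doubled colon) also means the current directory in POSIX shells, and any relative entry is resolved from the current directory as well, so all three are reported and a cleaned search path is offered. The sample PATH values are constructed.

```python
"""Audit a PATH-style search list for entries that resolve to the current directory.

Added example for this page, not code from the study guide or from Sun.
The sample PATH strings in the demo are constructed.
"""


def audit_search_path(path_value):
    """Return (index, entry, reason) for each entry that could run a file from the current directory."""
    findings = []
    for i, entry in enumerate(path_value.split(":")):
        if entry == "":
            # "a::b", ":a" and "a:" all contain an empty entry, which shells treat as "."
            findings.append((i, entry, "empty entry means the current directory"))
        elif entry == ".":
            findings.append((i, entry, "explicit current-directory entry"))
        elif not entry.startswith("/"):
            findings.append((i, entry, "relative entry is resolved from the current directory"))
    return findings


def is_safe_search_path(path_value):
    """True when no entry of the search path can resolve to the current directory."""
    return not audit_search_path(path_value)


def sanitize_search_path(path_value):
    """Drop the risky entries and return the remaining absolute ones in their original order."""
    risky = {i for i, _, _ in audit_search_path(path_value)}
    kept = [e for i, e in enumerate(path_value.split(":")) if i not in risky]
    return ":".join(kept)


if __name__ == "__main__":
    # Constructed samples: a user PATH ending in ".", a root PATH with a doubled colon, and a clean one.
    for sample in ("/usr/bin:/usr/sbin:.", "/usr/sbin:/usr/bin::/sbin", "/usr/sbin:/usr/bin:/sbin"):
        print(repr(sample), "->", audit_search_path(sample) or "ok")
```

The doubled-colon case is the one most often missed in a manual review, because the value looks like an ordinary list of absolute directories; it is why a check like this belongs in the same login-script and /.profile inspection that ASET's environment variables check performs.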

Self Test

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.

Identify, Detect, and Protect Against Trojan Horse Programs and Backdoors

1. Which of the following is a self-replicating program that will copy itself from system to system?

  A. Trojan horse

  B. Worm

  C. Logic bomb

  D. Fork bomb

  E. Rootkit

  F. All of the above

    B. A worm is a self-replicating program that will copy itself from system to system, sometimes using up all available resources on a target or installing a backdoor on the system.

    A is incorrect because a Trojan horse program is a malicious program that is disguised as some useful software. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. D is incorrect because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

2. Which of the following is a form of denial of service acting as a system process that replicates itself until it exceeds the maximum number of allowable processes?

  A. Trojan horse

  B. Worm

  C. Logic bomb

  D. Fork bomb

  E. Rootkit

  F. All of the above

    D. A fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes.

    A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. B is incorrect because a worm is a self-replicating program that will copy itself from system to system. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system.

3. Which of these is code that is inserted into programming code that is designed to execute under specific circumstances?

  A. Trojan horse

  B. Worm

  C. Logic bomb

  D. Fork bomb

  E. Rootkit

  F. All of the above

    C. A logic bomb is code that is inserted into programming code designed to execute under specific circumstances.

    A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. B is incorrect because a worm is a self-replicating program that will copy itself from system to system. D is wrong because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes. E is incorrect because a rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system.

4. A backdoor can be a legitimate remote access portal to perform debugging and troubleshooting tasks.

  A. True

  B. False

    A. True. A popular form of permissible backdoor that can potentially be exploitable is a program set up by a programmer to provide remote access to the system to perform debugging and troubleshooting tasks.

5. Which of the following does Sun recommend for hardening your system and helping to protect against Trojan horse programs?

  A. Removing unnecessary compilers

  B. Securing file and directory permissions

  C. Installing anti-virus software

  D. Monitoring path variables

  E. Educating users

  F. All of the above

    F. All of the answers are correct. To harden your system and help protect against Trojans, Sun recommends educating users, installing and updating anti-virus software, removing unnecessary compilers, securing file and directory permissions, and monitoring path variables.

6. To harden your system and help protect against Trojan horse programs, Sun recommends that path variables do not contain which of these?

  A. A parameter indicated with a dot (.)

  B. A search path for root that contains the current directory

  C. A parameter indicated with a forward slash (/)

  D. A search path for superuser that contains the current directory

  E. All of the above

    A, B, and D. To harden your system and help protect against Trojan horse programs, Sun recommends that path variables do not contain a parameter indicated with a dot (.) that could cause the system to search for executables or libraries within that path, as well as a search path for root or superuser that contains the current directory.

    C is wrong because a forward slash is legitimately used in the search path to indicate root and subdirectories.

7. Which of the following directories are the most common targets for attackers to attempt to gain access to the operating system, especially for creating backdoors to the system?

  A. /etc

  B. /usr/aset

  C. /usr/local

  D. /devices

  E. All of the above

    A and D. Device-specific files in the /etc and /devices directories are common targets for attackers to attempt to gain access to the operating system, especially for creating backdoors to the system.

    B is incorrect because /usr/aset is the working directory for ASET, and C is incorrect because /usr/local is simply an example of a typical download directory used to store files and programs by the current user.


Explain Rootkits that Exploit Loadable Kernel Modules

8. Which of these can be deployed to monitor and help prevent unauthorized changes from being made to system files?

  A. Tripwire

  B. BSM

  C. Solaris cryptographic framework

  D. ASET

  E. All of the above

    E. All answers are correct. To monitor and help prevent unauthorized changes from being made to system files, Sun recommends using Tripwire, the Basic Security Module (BSM), the Solaris cryptographic framework, and the Automated Security Enhancement Tool (ASET).

9. Which of these is an ASET task that checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory?

  A. System files permissions tuning

  B. System files checks

  C. User and group checks

  D. System configuration files check

  E. Environment variables check

  F. EEPROM check

  G. Firewall setup

  H. All of the above

    D. During the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file.

    A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

10. Which of these is used to produce a Cyclic Redundancy Check (CRC) and block count for files that can help prevent backdoor attacks?

  A. ASET

  B. Message digest

  C. Checksum

  D. EEPROM check

  E. All of the above

    C. Checksum uses the sum command to produce a CRC and block count for files that can help prevent backdoor attacks.

    A is incorrect because ASET enables you to monitor and restrict access to system files and directories with automated administration governed by a preset security level (low, medium, or high). B is wrong because a message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. D is incorrect because the EEPROM check is an ASET task that inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with.

11. Which of these is an ASET task that performs a file comparison check from a master file that is created when the task is first executed?

  A. System files permissions tuning

  B. System files checks

  C. User and group checks

  D. System configuration files check

  E. Environment variables check

  F. EEPROM check

  G. Firewall setup

  H. All of the above

    B. System files checks is a file comparison check from a master file that is created when the task is first executed. For each security level, a list of directories that contains files to check is automatically defined; however, this list can be modified.

    A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because, during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task ensures that the system can be safely used as a perimeter gateway or secure network relay.

12. Which of these is an ASET task that automatically sets system file permissions according to the security level you choose?

  A. System files permissions tuning

  B. System files checks

  C. User and group checks

  D. System configuration files check

  E. Environment variables check

  F. EEPROM check

  G. Firewall setup

  H. All of the above

    A. The system files permissions tuning task automatically sets system file permissions according to the security level you choose. At the high level setting, permissions are assigned to restrict access; at the medium level, permissions are tightened just enough for most normal operating environments; and at the low level setting, permissions are set for open sharing.

    B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. For each security level, a list of directories that contains files to check is automatically defined; however, this list can be modified. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

13. Which of these is an ASET task that is used to verify the integrity of user accounts, their passwords, and their groups?

  A. System files permissions tuning

  B. System files checks

  C. User and group checks

  D. System configuration files check

  E. Environment variables check

  F. EEPROM check

  G. Firewall setup

  H. All of the above

    C. The user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. The primary check is made from the passwd and group files, and the passwords in local, and the NIS and NIS+ files.

    A is wrong because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. For each security level, a list of directories that contains files to check is automatically defined; however, this list can be modified. D is incorrect because during the system configuration files check ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

14. Which of these tools can be used to check the integrity of system files?

  A. MD5

  B. The Solaris Fingerprint Database

  C. sfpDB

  D. SHA1

  E. System files checks

  F. All of the above

    F. All answers are correct. A message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. The MD5 (for shorter message digests) and SHA1 (for larger message digests) are among the most popular message digest algorithms. The Solaris Fingerprint Database (sfpDB) is a free tool from Sun that allows you to check the integrity of system files online through cryptographic checksums stored in the database. System files checks is an ASET task used as a file comparison check from a master file that is created when the task is first executed.

15. Which of these can be used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system?

  A. Trojan horse

  B. Loadable Kernel Module

  C. Logic bomb

  D. Fork bomb

  E. Rootkit

  F. All of the above

    B and E. A rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

    A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. D is wrong because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes.

Answers

8. 

☑ E. All answers are correct. To monitor and help prevent unauthorized changes from being made to system files, Sun recommends using Tripwire, the Basic Security Module (BSM), the Solaris cryptographic framework, and the Automated Security Enhancement Tool (ASET).

9. 

☑ D. During the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file.

☒ A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

10. 

☑ C. Checksum uses the sum command to produce a CRC and block count for files that can help prevent backdoor attacks.

☒ A is incorrect because ASET enables you to monitor and restrict access to system files and directories with automated administration governed by a preset security level (low, medium, or high). B is wrong because a message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. D is incorrect because the EEPROM check is an ASET task that inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with.

11. 

☑ B. System files checks is a file comparison check from a master file that is created when the task is first executed. For each security level, a list of directories that contains files to check is automatically defined; however, this list can be modified.

☒ A is incorrect because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because, during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task ensures that the system can be safely used as a perimeter gateway or secure network relay.

12. 

☑ A. The system files permissions tuning task automatically sets system file permissions according to the security level you choose. At the high level setting, permissions are assigned to restrict access; at the medium level, permissions are tightened just enough for most normal operating environments; and at the low level setting, permissions are set for open sharing.

☒ B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. For each security level, a list of directories that contains files to check is automatically defined; however, this list can be modified. C is incorrect because the user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. D is incorrect because during the system configuration files check, ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

13. 

☑ C. The user and group checks task is used to verify the integrity of user accounts, their passwords, and their groups. The primary check is made from the passwd and group files, and the passwords in local, and the NIS and NIS+ files.

☒ A is wrong because the system files permissions tuning task automatically sets system file permissions according to the security level you choose. B is incorrect because system files checks is a file comparison check from a master file that is created when the task is first executed. For each security level, a list of directories that contains files to check is automatically defined; however, this list can be modified. D is incorrect because during the system configuration files check ASET checks the integrity of, inspects, and makes modifications to system files mostly found in the /etc directory, and reports problems in the sysconf.rpt file. E is incorrect because the environment variables check task inspects the PATH and UMASK environment variables. These are found in the /.profile, /.login, and /.cshrc files. F is incorrect because the EEPROM check inspects the EEPROM security parameter to ensure that it is set to the appropriate security level and has not been tampered with. G is incorrect because the firewall setup task simply ensures that the system can be safely used as a perimeter gateway or secure network relay.

14. 

☑ F. All answers are correct. A message digest is a digital signature for a stream of binary data as verification that the data was not altered since the signature was first generated. MD5 (for shorter message digests) and SHA1 (for larger message digests) are among the most popular message digest algorithms. The Solaris Fingerprint Database (sfpDB) is a free tool from Sun that allows you to check the integrity of system files online through cryptographic checksums stored in the database. System files checks is an ASET task used as a file comparison check from a master file that is created when the task is first executed.

15. 

☑ B and E. A rootkit is used not only to provide remote backdoor access to attackers but also to hide the attacker's presence on the system. Some types of rootkit utilities exploit the use of loadable kernel modules to modify the running kernel for malicious intent.

☒ A is wrong because a Trojan horse program is a malicious program that is disguised as some useful software. C is wrong because a logic bomb is code that is inserted into programming code designed to execute under specific circumstances. D is wrong because a fork bomb is a system process that replicates itself until it exceeds the maximum number of allowable processes.

Lab Question


ABCD Inc. hired you to come in and manually run the Automated Security Enhancement Tool (ASET) at the high security level using the current parameters on a perimeter Solaris system. During your meeting with the customer, you were told that off-peak system utilization hours were from 9 P.M. to 4 A.M. The company also required that ASET be run periodically (every day at midnight). Finally, the server administrator at ABCD Inc. wanted help with manually creating an SHA1 file digest for the file solsoft using the Solaris cryptographic framework. What steps would you perform to provide the requested services?


Answers


The first task that ABCD Inc. hired you to perform is to run ASET manually at the high security level. To avoid burdening the system, and knowing that ASET tasks should be run during off-peak hours when system activity and the user load are low, you'll execute ASET promptly at 9 P.M. To do so, log in as root or become superuser and then issue the /usr/aset/aset -l high -d /usr/aset command. At that time, you should notify the customer that you'll be gathering the report files to monitor and solve security problems. The reports are stored in the /usr/aset/reports directory.

The second task that the client requires you to perform is to have ASET run every day at midnight. To do so, log in with an account that has root privileges and verify that the PERIODIC_SCHEDULE variable in the /usr/aset/asetenv file is correctly set by default to run every day at midnight as shown here:

PERIODIC_SCHEDULE="0 0 * * *"

Next, insert a line in the crontab file to start ASET at the time determined by the PERIODIC_SCHEDULE environment variable with this command:

/usr/aset/aset -p

The third and final task that ABCD Inc. requires is to use the Solaris cryptographic framework to create an SHA1 file digest manually for the file solsoft. To compute the digest for file solsoft into an output file named solsoftsha1, simply issue this command:

digest -v -a sha1 solsoft >> $HOME/solsoftsha1

At that point, you can view the file digest with this command,

cat ~/solsoftsha1

with resulting output similar to the following extract:

sha1 (solpatch) = 1ef50e5ad219e34f0b911a097b7b588e31f9b438
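The digest step above and the "system files checks" master-file comparison from question 14 are two halves of the same integrity check: record a digest per file once, then re-digest later and compare. The following is an added example, not code from the book, ASET or sfpDB, that does both in portable shell. It assumes one SHA1 tool is installed (Solaris digest, GNU sha1sum, BSD shasum or openssl), that file names contain no tabs or newlines, and the directory and master-file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the book, ASET or sfpDB: a minimal master-file
# integrity check. make_baseline records one SHA1 digest per file; later runs
# of verify_baseline re-digest the tree and report what changed.
# Assumptions: one of Solaris 'digest', GNU 'sha1sum', BSD 'shasum' or
# 'openssl' is installed; file names contain no tabs or newlines.

# Print the hex SHA1 digest of one file, using whichever tool the host has.
sha1_of() {
    if command -v digest >/dev/null 2>&1; then
        digest -a sha1 "$1"                     # Solaris cryptographic framework
    elif command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1            # GNU coreutils
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1        # BSD / macOS
    else
        openssl dgst -sha1 "$1" | sed 's/^.*= //'
    fi
}

# Write "<sha1><TAB><path>" for every regular file under $1 into master file $2.
make_baseline() {
    : > "$2"
    find "$1" -type f | sort | while read -r f; do
        printf '%s\t%s\n' "$(sha1_of "$f")" "$f" >> "$2"
    done
}

# Re-digest the tree under $1 and compare with master file $2. Prints one line
# per discrepancy (CHANGED, ADDED or REMOVED followed by the path) and returns
# 1 if anything differs, 0 if the tree still matches the baseline.
verify_baseline() {
    current=$(mktemp) || return 2
    make_baseline "$1" "$current"
    rc=0
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # lines from the master file
        { cur[$2] = $1 }                              # lines just computed
        END {
            n = 0
            for (p in base) {
                if (!(p in cur))            { print "REMOVED " p; n++ }
                else if (cur[p] != base[p]) { print "CHANGED " p; n++ }
            }
            for (p in cur) if (!(p in base)) { print "ADDED " p; n++ }
            exit (n > 0)
        }' "$2" "$current" || rc=$?
    rm -f "$current"
    return $rc
}
```

Typical use is `make_baseline /etc /var/aset/etc.master` once from a trusted state, then `verify_baseline /etc /var/aset/etc.master` from a cron entry such as the midnight PERIODIC_SCHEDULE above; a non-zero exit marks a tree that no longer matches its master file. Keep the master file itself somewhere the checked tree cannot write, or its digest in a second, read-only location, since a baseline an intruder can edit proves nothing.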
