Ciaran McNally

Final year student in Computer Applications, DCU

Functional Specification (part 1)

Section 1: Introduction

1.1 Overview

Rootkits are typically software that subverts the kernel of an operating system. They are normally used by malicious parties to maintain privileged access once a system has been compromised. They can be used to carry out stealthy operations, leaving the owner of the breached system completely unaware of their presence. The operations rootkits carry out are generally malicious in nature, with the overall goal of remaining undetected. Many rootkits are installed as Linux Kernel Modules.

Using Systemtap, I would like to investigate the various elements involved in the development of a rootkit. I would also like to investigate how rootkits carry out the common functionality normally associated with them. Systemtap allows the deep probing and tracing of the Linux operating system internals, which will ensure the gathering of very useful operating system information. It is also possible to inject additional operations into a live OS environment at runtime via the Systemtap scripting engine.

I would like to implement a variety of rootkit functionality using Systemtap and then demonstrate how this can contribute to the development of a Linux Kernel Module Rootkit.

Some of the components and functionality I hope to investigate and develop:

  • Installation of a rootkit

  • Accessing the System call table

  • Modifying System calls

  • Hiding the rootkit module

  • Implementing a Keylogger

  • Network traffic sniffing

  • Data Exfiltration

  • Remote Hidden Access

  • Affecting User space functions

  • Detection / Mitigation

The overall goal of this project is to gain a deeper understanding of the various elements of a rootkit through development and investigative research. Gaining familiarity with Systemtap will also prove very useful in understanding the workings of the Linux operating system. Systemtap will aid in systems testing and the debugging of future development projects.

1.2 Glossary

OS: Operating System. In this project this will most likely refer to the Linux operating system.

Kernel: This is a fundamental part of an operating system. It provides a bridge between applications that run on an OS and the actual data processing done at the lower hardware levels. The kernel manages system resources and connects the components of a PC via various inter-process communication mechanisms and system calls.

Monolithic Kernel:  An operating system architecture in which the entire OS works in kernel space. It uses a set of system calls to implement all system services.

System Calls: These provide an interface between a process and the operating system. They are how a program requests a service from the kernel, providing a communication layer.

Systemtap: A tool that allows developers to deeply examine a running Linux system. It uses probing mechanisms to allow breakpoints or tap points to be set anywhere within the operating system.

Tapset: Reusable scripts provided with the Systemtap framework/language. Equivalent to a library of already developed functions.

Keylogger: Utility that logs keystrokes to a file, normally while the person typing is unaware of its presence.

LKM: Loadable Kernel Module. This is an object file that is used to extend the functionality of the base Linux kernel. They are usually used to add support for new hardware or file systems.

Black-Hat: Security-conscious malicious party who leverages bugs in computer systems for personal gain or a malicious goal.

Malware: Software that only serves malicious intent.

Botnet: Internet-connected robotic software, used to carry out tasks on a large scale. Botnets normally have a command and control station that pushes tasks to the “bots”. In the malicious case, a bot is normally a malware-infected computer system or device.

Section 2: General Description

2.1 Software/System Functions

Listed below is a breakdown of the expected functionality each component of this project will possess.

Installation of Rootkit / Systemtap setup

  • Build Script for Systemtap to install environment

  • Makefile to build Rootkit Loadable Kernel Module

Systemtap scripts

These will be created throughout the development process to complement each developed component of our rootkit, providing testing data and deep analysis at every step.

  • To investigate each component of the kernel I interact with

  • Testing the System call table & System calls

  • Looking up Kernel functions

  • Implementation of Keylogger

  • Implementation of Traffic capture/sniffing

  • User-space probing

  • Allowing Remote access

  • Data Exfiltration

  • Demonstrating each component at system level (including “hidden” elements)

The Rootkit

It is possible the different functionality below may be spread over multiple files, but ideally I’d like to keep everything in one file.

  • Hijack System call table

  • Modify system calls

    • read/write etc.

    • Implement attacks

    • provide control interface

  • Hide Module from Module/File listings

  • Hide Files

    • log files

  • Keylogger

  • Network Packet sniffing

  • Remote Access

    • through network

    • remote code execution

    • possibly provide a hidden shell

  • Data Exfiltration


Other areas of Investigation…

  • Detection

    • chkrootkit & rkhunter.

    • Having a look at how detection occurs

    • Probing the above processes with systemtap

  • Avoidance

    • Examining possibilities of avoiding common detection methods

  • Mitigation

    • Ways to guarantee detection

    • Tactics to avoid rootkit infection/installation
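One cross-view detection check of the kind the detection tools above rely on, as an added example (a shell script written for this page, not part of the project or of chkrootkit/rkhunter): it compares the module names lsmod sees in /proc/modules with the loaded-module directories in /sys/module, and reports names only sysfs knows about. It assumes a Linux host; the sample input and the name example_hidden_mod are constructed.

```shell
#!/bin/sh
# Added example (not part of the project): cross-view check for a hidden LKM.
#
# lsmod reads /proc/modules, which is generated from the kernel's module list.
# A module that unlinks itself from that list disappears from lsmod, but the
# sysfs directory created for it at load time, /sys/module/<name>, normally
# remains, and loaded modules are the only ones with an "initstate" file
# (built-in modules have a directory there too, but no initstate).
# Any name present in the sysfs view but missing from /proc/modules is a
# candidate for closer inspection.

# Names of modules sysfs considers loaded: directories holding an initstate file.
collect_sysfs_loaded() {
    for f in /sys/module/*/initstate; do
        [ -e "$f" ] || continue          # glob did not match anything
        basename "$(dirname "$f")"
    done
}

# Report names in the sysfs view that the /proc/modules view lacks.
# $1: contents of /proc/modules (module name is the first field of each line)
# $2: newline-separated module names from the sysfs view
find_hidden_modules() {
    proc_names=$(printf '%s\n' "$1" | awk 'NF { print $1 }' | sort -u)
    sys_names=$(printf '%s\n' "$2" | awk 'NF' | sort -u)
    for name in $sys_names; do
        if ! printf '%s\n' "$proc_names" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"        # only in sysfs: possibly hidden
        fi
    done
}

# Constructed sample data (not captured from a real system). The name
# example_hidden_mod is a placeholder for a module missing from /proc/modules.
SAMPLE_PROC_MODULES='ext4 720896 1 - Live 0xffffffffc0400000
mbcache 16384 1 ext4, Live 0xffffffffc03f0000'
SAMPLE_SYS_MODULES='ext4
mbcache
example_hidden_mod'

# Run the comparison against the constructed sample, then against the live
# system when the two views are readable (skipped silently otherwise).
echo "sample check:"
find_hidden_modules "$SAMPLE_PROC_MODULES" "$SAMPLE_SYS_MODULES"
if [ -r /proc/modules ] && [ -d /sys/module ]; then
    echo "live check:"
    find_hidden_modules "$(cat /proc/modules)" "$(collect_sysfs_loaded)"
fi
```

A module that also removes its sysfs directory will not show up here, which is why tools like rkhunter combine several independent views rather than trusting any single one.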


2.2 User Characteristics and Project Objectives

A major goal of this project is to document with code (via Systemtap scripts) the various methods employed by modern rootkits. I hope to gain a much deeper understanding of the Linux operating system in the process, and of how rootkits can leverage this operating system. The final tool/rootkit at the end of the development process could be used by amateur or professional security enthusiasts.

Although normally associated with malicious intent, and rightfully so, there are some legitimate uses of rootkits. Rootkits can be, and are, used by law-enforcement agencies to collect evidence. This of course only applies to suitable cases where the crime is technologically based. A few examples of such cases are mass fraud, network/system trespassing, distribution of underage pornography, software/media piracy and other associated copyright violations.

In more recent times, malicious rootkit-type software has been and is being used in military applications, as military forces of course rely heavily on technology. Spying and security intelligence is a massive industry and an area that could and does benefit from this “sneaky” software.

Regrettably, most rootkits are used maliciously, having their attributes leveraged for profit by “Black-Hat” individuals. They are commonly part of, and associated with, illegal botnets or malware. I believe understanding how rootkits are created and how they operate will greatly benefit me, as I intend to pursue work in the information security field. I would hope the fundamentals of this project could be used by anyone hoping to gain insight into rootkits, in the same way that I do throughout the development process.

By the end of the project, I hope to have developed a fully functional rootkit that demonstrates most if not all of the functionality mentioned in the previous section (2.1). I would also like to be able to demonstrate a deep understanding of the various components it interacts with inside the Linux Kernel using Systemtap or otherwise.

2.3 Operational Scenarios

Rootkits can be and are deployed in a variety of different ways. The kernel module variety I will be developing requires that our installer already has root privileges before deploying. I will explore a few different methods commonly used by law-enforcement or security personnel, military officials or black-hats to install rootkits.

Viral infection

Sometimes rootkit technology is combined with a self-propagating virus. A virus normally spreads and distributes itself without the aid or interaction of a human attacker. Viruses are also normally more detectable and out of control. Rootkits are used in a sanctioned or precision attack and are under the strict control of an attacker. The combination of the two results in a very powerful and dangerous piece of software. Recently this technique has been employed in military operations and, due to its almost wild nature, infected a lot more targets than was probably intended. This is a very ethically questionable creation and method of installation.

Used in combination with a software exploit

The rootkit is installed after a security professional acquires root privileges through a software exploit. There are many different kinds of privilege escalation bugs that could result in this scenario. The attacker could take advantage of an out-of-date kernel to escalate their privileges, or exploit higher-privileged network-facing software. There is an abundance of software exploits; this ensures rootkits are still a threat.

Patching & Code Modification

Sometimes rootkits can be included as a patch or modification to legitimate software that goes unnoticed by the person installing it. This is a very real threat, as nobody is going to read all of the code of the software they are installing, or cannot because of licensing protections.

Once installed, it is assumed our attacker or malicious party will maintain access to the compromised machine. A normal operational scenario involves the attacker gaining remote access to the rootkit-infected system via a backdoor, then abusing these privileged powers for either legal or malicious purposes without detection. The attacker could exfiltrate private data or acquire legal evidence depending on the scenario of usage.

In military operations, rootkits have been used to gain a tactical advantage by collecting mission-critical intelligence data or by shutting down enemy operations.

2.4 Constraints

  • Attacker needs root privileges before installation

In order to install a Loadable Kernel Module it is necessary for the attacker to already have root privileges. There are user-space rootkits, but they don’t have as many options or exert as much control over the OS as an LKM-based rootkit.

  • Definite methods of detection

There are a lot of different concrete methods to detect rootkits. It is very possible one of these methods could be overlooked during development, and as a result many rootkits don’t fully evade detection. It’s quite difficult to fully hide a rootkit from a person fully aware of how they normally operate. On the other hand, if an attacker managed to gain root access on a machine they don’t own, it is completely possible the administrator may already be negligent in securing their machine/server.

  • Slight hit on operating system performance

As the rootkit operates deep within the operating system, it is quite possible there would be a slight hit on OS performance. I would like to measure this using Systemtap, as this could be interesting data. I would also like to see where I can cut down on this.

  • File writing within the kernel

There are many articles describing the dangers of reading/writing to a file within the kernel and how it is against common policy. I will have to investigate different methods of possibly getting around this. I would like to see if I can take advantage of already existing kernel logging avenues that I could hide, instead of managing this aspect myself.

  • Time

This project involves a lot of research into new areas and techniques that I am unfamiliar with. As there will be a lot of reading and research involved, I will need to manage my time very carefully. I do hope the rootkit I develop will, at the very minimum, contain a keylogger, a network sniffer and a method of exfiltrating captured data. If I manage my time appropriately I should be able to complete and look into all areas of my proposed project and not only my minimal requirements.

  • Tools & Languages

The tools I’ll be using throughout development are new to me. I hope to gain good knowledge of how to best wield them. Systemtap seems like a very useful framework for me to learn, as I can see how good knowledge of it will greatly improve my ability to diagnose and inspect issues deep within the OS. I am also unfamiliar with the regular conventions of the C programming language used in LKMs, as I have only had brief encounters with them; I expect this will take a bit of time to adjust to.