Re: can't seem to find these tools/rootkit anywhere ..

From: zeno (bugtraq@cgisecurity.net)
Date: 07/10/02


From: zeno <bugtraq@cgisecurity.net>
To: stuart@cyberdelix.net
Date: Wed, 10 Jul 2002 12:25:37 -0400 (EDT)

chkrootkit is the best I've found.

www.chkrootkit.org

Detects quite a few and is updated monthly/bi-monthly. Includes lkm detection and
sniffer log finding ability.

- zeno@cgisecurity.com

>
> Henti,
>
> here is a link for a scanner for Adore, although you seem to have a newer version than what's mentioned
> below.
>
> Stuart
>
> ------- Forwarded message follows -------
> Date sent: Wed, 25 Oct 2000 09:30:09 +0200
> Send reply to: Stephane.Aubert@HSC.FR
> From: Stephane Aubert <Stephane.Aubert@HSC.FR>
> Organization: Herve Schauer Consultants
> Subject: Announce: rkscan, a kernel-based rootkit scanner.
> To: INCIDENTS@SECURITYFOCUS.COM
>
> ========================================================
>
> Rootkit Scanner for loadable kernel-module rootkits
>
> (Analysis and detection tool for KNARK and ADORE)
>
> ========================================================
>
> Stephane Aubert <Stephane.Aubert@hsc.fr>
> Hervé Schauer Consultants (http://www.hsc.fr)
>
> rkscan is a kernel-based module rootkit scanner for Linux,
> it detects Adore (v0.14, v0.2b and v0.24) and knark (v0.59).
>
> rkscan.c is available at the end of this mail.
>
>
> Introduction
> ============
>
> When running on a computer, rootkits allow an unprivileged user
> to hide files, hide processes, run commands as root ...
> that's why they are called rootkits !
>
> krk (Kernel-based RootKits) are still rootkits but now they don't
> need to change the ls, ps or find binaries because they are
> intercepting system calls.
>
> krk seem to be very difficult to detect while running on
> a rooted computer.
>
> rkscan is a small scanner to help sysadmins detect computers
> infected by:
>
> . KNARK version 0.59
> knark is written by Creed <creed@sekure.net>
> and can be found on packetstrom.securify.com
>
> . ADORE versions 0.14, 0.2b and 0.24
> Adore is written by Stealth
> and can be found on http://spider.scorpions.net/~stealth/
>
>
> rkscan.c is given at the end of the mail and will be available on
> <URL: http://www.hsc.fr/ressources/outils/>
>
> ( Only in a few days ... I am at SANS NS2000 in Monterey :)
> I have written this first version during Dave Dittrich's course
> on DDOS, thanx Dave for this course !)
>
> Don't forget :
> There are different techniques to protect yourself against krk;
> the best one is certainly to disable kernel-module support.
>
>
> Usage
> =====
>
> Just run : ./rkscan
>
> Example:
>
> !! Don't run the following command unless you know what you are doing.
> # insmod adore.o
> # exit
>
> % ./rkscan
> -=- Rootkit Scanner -=-
> -=- by Stephane.Aubert@hsc.fr -=-
>
> Scanning for ADORE version 0.14, 0.2b and 0.24 ...
> #ADORE rootkit is running with ELITE_CMD=50666 !
>
> Scanning for KNARK version 0.59 ...
> KNARK rootkit NOT DETECTED on this system.
>
> Done.
> % ./ava U U
> Checking for adore 0.12 or higher ...
> Adore 0.14 installed. Good luck.
> Adore 0.14 de-installed.
>
>
> How it works
> ============
>
> Adore v0.14 uses a setuid call to detect if its module is loaded:
>
>     #define ELITE_CMD 31337
>     int adore_installed() {
>         return setuid(ELITE_CMD+2);
>     }
>     ...
>     printf("Checking for adore 0.12 or higher ...\n");
>     if ((version = adore_installed()) <= 0) {
>         printf("Adore NOT installed. Exiting.\n");
>         exit(1);
>     }
>
> Adore v0.24 uses a setuid call to detect if its module is loaded:
> (ELITE_CMD is fixed in the Makefile to 61855)
>
>     adore_t *adore_init()
>     {
>         adore_t *ret = calloc(1, sizeof(adore_t));
>         ret->version = setuid(ELITE_CMD+2);
>         return ret;
>     }
>
> Knark uses a settimeofday call to detect if its module is loaded:
>
>     #define KNARK_GIMME_ROOT 9000
>     ...
>     if(settimeofday((struct timeval *)KNARK_GIMME_ROOT,
>                     (struct timezone *)NULL) == -1) {
>         perror("settimeofday");
>         fprintf(stderr, "Have you really loaded knark.o?!\n");
>         exit(-1);
>     }
>
> So the main problem is to find the ELITE_CMD or KNARK_GIMME_ROOT values,
> which may have been changed.
>
> That's why we need a scanner to test each possible value.
>
>
> Bad news
> ========
>
> Future versions of these rootkits will certainly use crypto or just
> something like the following lines in order to hide themselves more and more.
>
>     #define ELITE_CMD 31337
>     #define KEY_1 42843
>     #define KEY_2 89843
>     #define KEY_3 11343
>     #define KEY_4 17323
>     #define KEY_5 64543
>     /* may be more */
>
>     int ItIsMe() {
>         setuid(KEY_1); /* put a global var to the first state (state=1;) */
>         setuid(KEY_2); /* action: state=(state==1?2:0); */
>         setuid(KEY_3); /* and so on ... */
>         setuid(KEY_4); /* and so on ... */
>         setuid(KEY_5); /* and so on ... */
>     }
>     int adore_installed() {
>         ItIsMe();
>         return setuid(ELITE_CMD+2); /* ok if state==5 and ELITE_CMD is good */
>     }
>
> And it will be more and more difficult to scan these krk :(
>
> It's time to rebuild your kernel and disable module support !
>
>
> The scanner
> ===========
>
> /** rkscan.c (C) 2000 by Stephane Aubert
> ** <Stephane.Aubert@hsc.fr>
> **
> ** Rootkit Scanner for:
> ** . KNARK version 0.59
> **   (kernel-based rootkit)
> **   knark was written by Creed <creed@sekure.net>
> **   and can be found on packetstrom.securify.com
> **
> ** . ADORE version : 0.14, 0.2b and 0.24
> **   (kernel-based rootkit)
> **   Adore was written by Stealth
> **   and can be found on http://spider.scorpions.net/~stealth/
> **/
>
> #include <sys/types.h>
> #include <sys/time.h>   /* settimeofday() */
> #include <limits.h>     /* INT_MAX */
> #include <unistd.h>     /* setuid(), getuid() */
> #include <stdlib.h>     /* exit() */
> #include <stdio.h>
> #include <pwd.h>        /* getpwuid() */
>
> /* Highest magic value probed. Use INT_MAX for a full scan (slow). */
> #define UPSCAN 65535
>
> /* knark answers settimeofday(KNARK_GIMME_ROOT, NULL) with 0 where an
>  * unprivileged caller normally gets -1 (EPERM), so probe every value. */
> int knark_scan( void ) {
>     long command;
>     printf(" Scanning for KNARK version 0.59 ...\n");
>     for( command=UPSCAN; command>=0; command-- ) {
>         if(settimeofday((struct timeval *)command,
>                         (struct timezone *)NULL) == 0) {
>             printf(" #KNARK rootkit is running (settimeofday command=%ld) !\n\n",
>                    command );
>             return 1;
>         }
>     }
>     printf(" KNARK rootkit NOT DETECTED on this system.\n\n");
>     return 0;
> }
>
> /* Adore answers setuid(ELITE_CMD+2) with its version number (>0), where
>  * a real setuid() returns 0 or -1. UIDs present in /etc/passwd are
>  * skipped so the probe never targets a real account. */
> int adore_scan( void ) {
>     int version;
>     uid_t uid;
>     printf(" Scanning for ADORE version 0.14, 0.2b and 0.24 ...\n");
>     // for all possible UIDs
>     for( uid=UPSCAN; uid>=2; uid-- ) {
>         if( getpwuid(uid) == NULL ) { // if UID is not in /etc/passwd
>             if( (version=setuid( uid )) >0 ) {
>                 printf(" #ADORE rootkit is running with ELITE_CMD=%d !\n\n",
>                        (int)uid-2 );
>                 return 1;
>             }
>         }
>     }
>     printf(" ADORE rootkit NOT DETECTED on this system.\n\n");
>     return 0;
> }
>
> int main( int argc, char *argv[] ) {
>     int retval=0;
>     printf("-=- Rootkit Scanner -=-\n"
>            "-=- by Stephane.Aubert@hsc.fr -=-\n\n");
>
>     /* Run unprivileged: as root, setuid() really succeeds and would
>      * change the scanner's own credentials. */
>     if( getuid()==0 ) {
>         printf(" *** Don't run this scanner as root ! ***\n\n");
>         exit( 0 );
>     }
>
>     retval += adore_scan();
>     retval += knark_scan();
>
>     printf("Done.\n");
>     exit( retval );
> }
>
> ==EOF===================================================
>
>
> ------- End of forwarded message -------
> --
> Stuart Udall
> stuart@cyberdelix.net - http://www.cyberdelix.net/
> ..revolution through evolution
>
> want to make some cash? check out http://cyberdelix.net/affiliates.htm
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

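Added example, not part of the original post and not code from rkscan, Adore or knark: a user-space model of the hooks the scanner probes, so the detection logic from the "How it works" section and the chained-key scheme from "Bad news" can be exercised on a box without loading any module. The hook behaviours are simplified from the snippets quoted in the mail; the magic values (ELITE_CMD 31337, KNARK_GIMME_ROOT 9000, the five KEY_n constants) are the ones the mail gives, while the scanner's own uid (1000) and the "version" value the Adore hook returns (14) are assumptions.

```c
#include <stdio.h>
#include <stddef.h>

#define UPSCAN 65535          /* same probe range rkscan uses */
#define OWN_UID 1000          /* assumed uid of the unprivileged scanner process */

typedef int (*setuid_fn)(int uid);
typedef int (*settimeofday_fn)(long tv_arg);

/* Clean kernel as seen by an unprivileged process: setuid() only succeeds
 * for its own uid, settimeofday() always fails with EPERM (-1). */
static int clean_setuid(int uid) { return uid == OWN_UID ? 0 : -1; }
static int clean_settimeofday(long tv_arg) { (void)tv_arg; return -1; }

/* Adore-style hook: setuid(ELITE_CMD+2) is answered with the module's
 * version number (>0, assumed 14 here); everything else goes to the real call. */
static int adore_elite_cmd = 31337;
static int adore_setuid(int uid) {
    return uid == adore_elite_cmd + 2 ? 14 : clean_setuid(uid);
}

/* knark-style hook: settimeofday(KNARK_GIMME_ROOT, NULL) returns 0. */
static int knark_settimeofday(long tv_arg) {
    return tv_arg == 9000 ? 0 : clean_settimeofday(tv_arg);
}

/* The "Bad news" variant: the command is only answered after the five keys
 * were presented in order; any other call resets the state machine. */
#define NKEYS 5
static const int keys[NKEYS] = {42843, 89843, 11343, 17323, 64543};
static int state = 0;
static int chained_setuid(int uid) {
    if (uid == keys[0]) { state = 1; return clean_setuid(uid); }
    if (state > 0 && state < NKEYS && uid == keys[state]) { state++; return clean_setuid(uid); }
    if (state == NKEYS && uid == adore_elite_cmd + 2) { state = 0; return 14; }
    state = 0;
    return clean_setuid(uid);
}

/* rkscan's Adore probe over an injectable syscall: returns ELITE_CMD, or -1. */
static int adore_scan(setuid_fn sys_setuid) {
    for (int uid = UPSCAN; uid >= 2; uid--)
        if (sys_setuid(uid) > 0) return uid - 2;
    return -1;
}

/* rkscan's knark probe: returns the magic command value, or -1. */
static int knark_scan(settimeofday_fn sys_settimeofday) {
    for (long cmd = UPSCAN; cmd >= 0; cmd--)
        if (sys_settimeofday(cmd) == 0) return (int)cmd;
    return -1;
}

/* What a client holding the keys does (or a scanner that recovered them
 * from a captured client binary): replay the sequence, then the command. */
static int knock(setuid_fn sys_setuid, const int *k, size_t n, int elite_cmd) {
    for (size_t i = 0; i < n; i++) sys_setuid(k[i]);
    return sys_setuid(elite_cmd + 2);
}

/* Call sequences a blind scanner must try once n keys precede the command:
 * (UPSCAN+1)^(n+1). n=0 is rkscan's single sweep. */
static double blind_sequence_cost(int nkeys) {
    double c = UPSCAN + 1.0;
    for (int i = 0; i < nkeys; i++) c *= UPSCAN + 1.0;
    return c;
}

int main(void) {
    int a_clean = adore_scan(clean_setuid), a_adore = adore_scan(adore_setuid);
    int a_chain = adore_scan(chained_setuid);
    int k_clean = knark_scan(clean_settimeofday), k_knark = knark_scan(knark_settimeofday);
    int replay = knock(chained_setuid, keys, NKEYS, adore_elite_cmd);
    printf("clean kernel : adore=%d knark=%d\n", a_clean, k_clean);
    printf("adore hook   : ELITE_CMD=%d\n", a_adore);
    printf("knark hook   : command=%d\n", k_knark);
    printf("chained hook : linear sweep=%d, replayed keys=%d\n", a_chain, replay);
    printf("blind search with %d keys: %.3g call sequences\n", NKEYS, blind_sequence_cost(NKEYS));
    return 0;
}
```

The point the model makes concrete: a single downward sweep finds the Adore and knark magic values because each is answered by one call in isolation, but it never presents the chained keys in order and so reports the hooked kernel as clean, while the blind search space grows to (UPSCAN+1)^6 call sequences. Once the key sequence is known (from a captured client), detection is again a handful of calls, which is why the mail's advice to build a kernel without module support is the more robust control.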