July 24th, 2002, 06:49 AM
I am writing a whitepaper on rootkits. More specifically what rootkits are out there and how to recognize them. This seems to be a common question on many security mailing lists. What I am looking for is any resources people may have on specific rootkits. t0rn, adore, illogic etc... LKM kits are welcome but I'd also like links to older kits. Information, links to the actual kits ans any forensics info is welcome. I am targetting *nix and BSD kits but windows rootkits are welcome also. I hope to create a valuable one-stop resource for sys admins who think that they have been violated but are not sure and want to understand what was done. Please feel free to send any info you may have my way. I will post a link when the paper is complete for all to share.
July 24th, 2002, 02:44 PM
http://www.google.com/search?q=%22windows+rootkit%22 184 results windows rootkits.
http://www.google.com/search?q=%22linux+rootkit%22 548 results linux rootkits
http://www.google.com/search?q=t0rn+rootkit 928 results t0rn rootkit
Google is always your friend. Have fun parsing that much information.
http://www.sans.org/y2k/t0rn.htm Analsyis of t0rn rootkit (got link from google...)
\"Ignorance is bliss....
but only for your enemy\"
July 24th, 2002, 02:58 PM
Well, most rootkits, alter /bin/ps, /bin/netstat, /bin/ls .... they have a file for hidden processes, a file for hidden files...
Usualy, those files are in /dev/ (like in lrk[3-6]) but they can be anywhere else (tornkit7 uses /usr/... cant remember). An easy way to find those files is :
strings /bin/ps|grep /dev
strings /bin/ps|grep /usr
beside that, moset rootkits use other trojans to ensure the access. I found suid cgi-scripts, open ports spwaning a shell, a nice ping-back backdoor (you run the trojan with an argument like 666, and when you ping the host with a ping packet sized 666, you get a shell spawned on a port) and all sorts of other trojans. Nowdays, verry common is a ssh daemon which doesent log to syslog or wtmp/utmp, which combined with a LKM, can hide its forked processes, so at ps you dont see the shell of the attacker in the process list (unlike non-lkm rootkits). Beside that, when a cracker takes control of the system, he will make a directory where he puts in his stuff, like a sniffer, a DoS program, and probably other exploits. A very used sniffer was linsniffer (which put the output in tcp.log so `locate tcp.log` would do the job) and now I see t0rns is very used (output = system, so its rather uneffective to `locate system`). You can find also bots, eggdrop and emech are the most used.
Dont know right now any links to rootkits (just query google for lrk4, tornkit and you will find something) but as soon as I'll get home, I'll find something useful to you.
July 24th, 2002, 07:02 PM
I have most of the stuff off google. Though going through it all is taking me weeks. I'm also looking for information from individuals that may not be easily found on the web. I'd love to see that ping-back backdoor. Thanks for the links, I may get enough off of google for what I need. I am just trying to make it as complete as possible. I have a good collection of kits. Seems there are 5 or 6 variants of adore. Thanks again for all posts.
July 24th, 2002, 08:07 PM