What is a rootkit in Linux

A rootkit, also sometimes written as root kit, is a set of software tools inserted by an intruder into a computer in order to allow that intruder to enter the computer again at a later date and use it for malicious purposes without being detected. These purposes include (1) collecting data about computers (including other computers on a network) and their users (such as passwords and financial information), (2) causing such computers to malfunction and (3) creating or relaying spam.

There are several ways in which computers can become infected with rootkits, as is the case with other types of malware (i.e., malicious software), including via downloaded programs, via e-mail attachments and even by visiting certain web sites. Rootkits can also be inserted by a skilled intruder who obtains physical access to a computer for even just a few minutes, such as by loading from a special disk or USB key drive.

Rootkits facilitate reentry for the intruder by installing a backdoor (i.e., a hidden method for obtaining access to a computer). This can be a remote access daemon, such as a modified version of telnetd or sshd, that is configured to run on a different port than the one that these daemons listen on by default. A daemon is a type of program that runs unobtrusively in the background, rather than under the direct control of a user, waiting to be activated by the occurrence of a specific event or condition.

Fundamental to the operation of any well-designed rootkit is the ability to hide or remove any traces of its insertion, existence and activities. For example, it can modify system logs so as to not record or to delete all references to its insertion, to subsequent logging in by the intruder and to processes (instances of programs in execution) run by the rootkit. Merely erasing or deleting log files, which is sometimes done by unskilled intruders, can be a clue that something is wrong.

A basic way in which rootkits make themselves extremely difficult to detect is by replacing several standard system utilities, such as find, ls, netstat, passwd, ps, w and who, with modified versions. For example, a modified version of ls, which is used to list the files and directories contained in any designated directory, might not display certain files that the developer of the rootkit wants to keep hidden, and a modified version of ps, which is used to list the processes currently on the system, might be designed to not display those processes that are launched by the rootkit.

Numerous rootkits and variations of them have been developed, and they are available for a wide variety of operating systems. They can be classified into application level, kernel level and BIOS level kits. At present, almost all rootkits fall into the first two categories. In the case of application level kits, some genuine application program executable files (i.e., the files that contain the ready-to-run version of the program) are replaced with fake ones. In the case of kernel level rootkits, a portion of the kernel (i.e., the core of the operating system) code is replaced with modified code. On Linux systems this is often accomplished through the use of loadable kernel modules (i.e., object code files that can be used to extend the kernel). Genuine system calls (i.e., requests made via a software interrupt by an active process for a service performed by the kernel) are often replaced by modified ones.

Considerable skill, and often a great deal of persistence as well, is required to break into computers for which good security practices are being followed and successfully install rootkits. However, such installation can be highly rewarding for intruders, who often devote substantial time and effort to this task.

Although rootkits, by their very nature, can be very difficult to detect, there are several programs that can be useful in this regard. Among the more commonly used such programs on Linux and other Unix-like operating systems are chkrootkit and rkhunter.

However, even with such tools, it is still very difficult to be fully certain that any rootkits have been detected and that any suspected rootkits have been completely eliminated. Thus, if there is suspicion that a computer has become infected, the most prudent solution generally is to reinstall the operating system, application programs and data from reliable backup sources and take steps to minimize the possibility of reinstallation of rootkits. But even these steps are not sufficient in the case of BIOS rootkits.

A BIOS (basic input output system) is a small program that controls a personal computer’s hardware from the time the computer is started until the main operating system takes over. BIOS rootkits are considered next generation rootkits, in that they are still not widely deployed but may become much more common in the future as BIOSs become more complex and designed for ease of updating. Not only are BIOS rootkits considerably more difficult to install, but they are also much more difficult to detect and remove. Because the BIOS is stored in a memory chip rather than on the hard disk drive (HDD), such rootkits can survive even a complete reformatting of the HDD and a reinstallation of the operating system.

Among the most important steps that can be taken to prevent the planting of rootkits are selecting a relatively secure operating system and restricting physical access to the computer and network. It is much easier for operating systems with inherently weak security, such as the Microsoft Windows systems, to become seriously infected with rootkits than it is for operating systems with fundamentally strong security, most notably Linux and other Unix-like operating systems. This is mainly because the latter have an integral system of file access permissions which restricts access to the root account, which rootkits need to do their most severe damage. It is also because most rootkits have been developed for use with the Microsoft Windows systems, due to their much more widespread use and greater ease of infection.

Created May 14, 2007. Updated September 12, 2007.
Copyright © 2007 The Linux Information Project. All Rights Reserved.

Detecting Linux rootkits

What is a rootkit?

A rootkit is a set of tools with the goal to hide its presence and to continue providing system access to an attacker. The word rootkit comes from the root user, which is the administrator account on Linux systems and Unix-clones. The kit refers to a toolkit, or a set of tools.

Hiding by manipulation

The tools in the rootkit are typically altered binaries that provide an alternative truth. They will display everything a typical command would do, except those parts that are part of the rootkit itself. Some rootkits also provide an additional backdoor. This way the system can be fully patched and still allow the attacker to enter via the hidden entrance.

Rootkits are usually not installed by a system administrator. In fact, the system administrator is typically the victim of such software. He or she is seeing manipulated results when using common system tools like ls and ps.

Popularity of rootkits

Nowadays rootkits are less popular than they were before. This is partially due to measures taken in modern Linux kernel versions, which make it harder to circumvent some areas, such as the use of certain system calls. As you may expect, the cat-and-mouse game is not over and backdoors remain very popular. Often the attacker doesn’t even need full root access to misuse a system for other purposes: helping in a Distributed Denial of Service (DDoS) attack, sending spam, or acting as a hop to attack other systems, to name a few.

Rootkit detection

Methods to detect rootkit presence

Since rootkits are malicious, they should be detected as soon as possible. There are different ways to detect them, each with different rates of success. Let’s have a look at the various methods.

Behavioral analysis

Each system has processes running that consume resources like processor time and memory. As rootkits alter the execution path, their behavior might become visible.

By timing common operations (profiling), it can be possible to detect alterations in the kernel or system tools. You would then compare the measurements with a known-good state. This known-good state can be measured from a similar system, or from the same system at an earlier time. If the measurements differ at a later stage, this might be a hint and may require additional research.

Another detection method is to create files or processes tailored to what rootkits may hide. When they don’t show up in the output of a system tool or system call, even though they can be reached directly, it may indicate a rootkit at work.
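The same "two views of one truth" idea, as an added example written for this page (not code from the original article or from any of the tools it names): it compares the PIDs that readdir() on /proc returns, which is what ps relies on, with a direct probe of every PID up to pid_max, the brute-force technique that Unhide also uses. It assumes a Linux procfs; the Tgid check drops thread ids, which readdir(/proc) never lists although /proc/<tid>/ still resolves, and a vanished entry (None) drops processes that exited between the two scans, both of which would otherwise be false positives.

```python
import os
import re


def pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound of the PID space on this kernel (classic default as fallback)."""
    try:
        with open(path) as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768


def listed_pids(proc="/proc"):
    """PIDs a normal ps would see: the numeric entries readdir() returns for /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(limit, exists=os.path.exists):
    """PIDs found by asking the kernel for each /proc/<pid>/status by name,
    bypassing the directory listing that a rootkit may have filtered."""
    return {pid for pid in range(1, limit + 1) if exists(f"/proc/{pid}/status")}


def read_file(path):
    with open(path) as f:
        return f.read()


def tgid_of(pid, read=read_file):
    """Thread-group id from /proc/<pid>/status, or None if the entry is gone."""
    try:
        match = re.search(r"^Tgid:\s*(\d+)", read(f"/proc/{pid}/status"), re.M)
    except OSError:
        return None
    return int(match.group(1)) if match else None


def hidden_pids(listed, probed, tgid=tgid_of):
    """Candidates present in the probe but missing from the listing, minus two
    benign cases: the process exited between the scans (tgid is None), and the
    number is a thread id, for which Tgid points at the group leader, not itself."""
    return {pid for pid in probed - listed if tgid(pid) == pid}


if __name__ == "__main__":
    found = hidden_pids(listed_pids(), probed_pids(pid_max()))
    print("possible hidden processes:", sorted(found) or "none")
```

A positive result is a lead, not proof: rerun the scan and confirm the PID with an independent view such as /proc/<pid>/exe or a memory image before drawing conclusions.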

Memory analysis

Although rootkits can be masters of illusion, they need to use disk storage, run in memory, or both. If a rootkit is using memory, then memory analysis can be used for detection. An open source memory forensics tool like Volatility can capture the contents of memory and analyze it.

Using signatures

The antivirus industry uses fingerprints or signatures to detect common malware like viruses, worms, and backdoors. Some parts of the rootkit can be detected with the same approach. Many of the rootkits use hard-coded paths or names, making it easier to detect them.

Log file analysis

Suspicious events like daemons crashing could be a first indication of a system break-in. While it may not be directly related with a rootkit, it may be a hint. So monitoring the log files for unexpected events and crashes could be a useful step in the detection process.

Rootkit detection tools

File integrity tools

One method to detect alterations to a system is with the help of file integrity tools. These suites consist of several components:

  • File database
  • Checksums
  • Metadata
  • Utilities

The utilities are used to create and check checksums or fingerprints of files. They store the checksum in the database, together with metadata. Examples of metadata include the ownership, permissions, and timestamps of a file. Typically detection occurs at the moment when the current state is compared with an earlier moment in time. Previously it was Tripwire that was known to do this. Nowadays AIDE and Samhain are used for this purpose.
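The components listed above in miniature, as an added example written for this page (not the code of AIDE, Samhain or Tripwire): a fingerprint of content checksum plus ownership, permissions and timestamp per file, a baseline database built from a directory tree, and a comparison that separates replaced content from metadata-only changes. It assumes a POSIX filesystem; the baseline must be kept off the host or on read-only media, since an intruder with root can otherwise simply regenerate it.

```python
import hashlib
import os
import stat


def fingerprint(path):
    """Checksum plus the metadata the article lists: owner, mode, timestamp."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):  # hash regular files only, never follow symlinks
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.filemode(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}


def build_database(root):
    """The 'file database': path -> fingerprint for every file under root."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            db[path] = fingerprint(path)
    return db


def compare(baseline, current):
    """Report added, removed and changed files. A changed checksum means the
    content was replaced (a trojaned ls or ps); an unchanged checksum with a
    different mode, owner or mtime is reported separately, because a setuid
    bit added to a binary does not alter its content hash."""
    report = {"added": [], "removed": [], "content": [], "metadata": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        elif old["sha256"] != new["sha256"]:
            report["content"].append(path)
        elif old != new:
            report["metadata"].append(path)
    return report


if __name__ == "__main__":
    baseline = build_database("/bin")  # store this off-host, then later:
    print(compare(baseline, build_database("/bin")))
```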

Rootkit scanners

Specialized tools exist to detect traces of rootkits. These rootkit scanners search for common and uncommon files, compare the outputs of different utilities and try to trick a rootkit into revealing itself. Rootkit Hunter and Chkrootkit are the best-known tools.

Rootkit Hunter at work

Rootkits and false positives

Most detection methods are not fool-proof. So-called false positives are common. This means that a finding is raised that actually is not related to the work of a rootkit. Tools try to reduce these false positives as much as possible. With the fine line between malicious software and innocent system behavior, it is hard to be 100% certain.

Frequently Asked Questions

Is a rootkit harmful to the system?

Yes, it is. A rootkit is malicious software and therefore unwanted malware.

What is the best way to detect a rootkit?

Use a malware scanner combined with file integrity monitoring and accounting of suspicious system calls. AIDE can be used for file integrity monitoring, complemented by the Linux Audit Framework to monitor changes and used system calls.

How can I remove a rootkit?

As a rootkit is a master of illusion, it is almost impossible to remove it and be 100% sure of its complete removal. For that reason, the general advice is to do a fresh installation instead.

Which tools can I use to detect a rootkit?

The detection of rootkits can be done by generic intrusion detection tools, malware scanners, or specific rootkit scanners for Linux.

3 comments

Hi Michael… I would add Unhide to this list. Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. The project page is http://www.unhide-forensics.info/

Thanks, that is indeed a useful addition for the readers. Being the original author of Rootkit Hunter, I’m familiar with this great tool. So thanks for sharing!

If you have a Debian based distribution then debcheckroot may be the tool of your choice: https://www.elstel.org/debcheckroot/ . It compares the sha256sum of each file detecting also rootkits that can not be found in any rootkit database. Rootkit databases do not contain signatures of rootkits authored by the NSA or any other western intelligence agency.
