A Look at BSD Rootkits 98
blackbearnh writes "Windows has a reputation for being easily exploited by rootkits, but just because you're using Linux or BSD doesn't mean you're safe from infection. In an interview on O'Reilly's ONLamp site, Joseph Kong (author of Designing BSD Rootkits ), talks about how to build and defend against Rootkits under BSD. 'I know a lot of people who refer to rootkits and rootkit-detectors as being in a big game of cat and mouse. However, it's really more like follow the leader — with rootkit authors always being the leader. Kind of grim, but that's really how it is. Until someone reveals how a specific (or certain class of) rootkit works, nobody thinks about protecting that part of the system. And when they do, the rootkit authors just find a way around it. This is what I meant earlier when I said rootkit hunting is hard — as you really have to validate the integrity of the entire system.'"
Illegal Book? (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re:Pardon me, but I'm not surprised (Score:5, Funny)
> E. Wyatt Tomlinson
OK, so we finally analyzed your signature above, and now we would like to proceed with the penetration testing of you.
Please advise.
Re: (Score:1)
Re: (Score:1)
Keep visiting the Anonymous {Debiles,Imbeciles} for having to do with rootkits!
Run your system off of CD (Score:5, Funny)
Re: (Score:1)
Re: (Score:1)
Re:Run your system off of CD (Score:5, Informative)
The big question is how this malware gets there in the first place. The "towards verifiable systems" presentation linked to from the article listed such options as users who run attachments (merde), malicious employees who intentionally install kits (!), and use of a stolen password. These are all problems that can't be stopped, only mitigated. A malicious employee with physical access to a machine has everything they need, and you can't stop them. You can mitigate the problem by checking for things like tampering with the case and BIOS resets (to clear the password), but these are not foolproof solutions. Same with a stolen password. If you don't know its stolen, a window will always exist in which it can be used.
It *is* possible to build technology that does not suffer from trivial problems like buffer overflows, but you can't stop someone who has clear access to a machine. Authority is authority, and there will always be methods to steal and/or abuse that authority over a machine.
bogus remarks (Score:4, Interesting)
Pardon me? Last time I checked I could pass some "toram" parameter to a lot of Live CDs, making the system run perfectly fine, entirely in memory, on my old P4 / 1 GB of ram. No problem to use other CD/DVDs.
Also, some forms of malware install at the BIOS/hypervisor level.
BIOS and hypervisor are two very different things. I seriously doubt that, today, a BIOS malware could be sufficiently advanced to act as a real root-kit. That is, a BIOS malware will not even be able to fool anti-virus running from inside the system. There simply ain't enough room in the BIOS to code such a beast. And you explain me how you remotely install a BIOS on a system that requires changing a jumper before you can flash the BIOS.
That blue pill paper was sensationalism at its worst. An "hypervisor rootkit" should provide a system capable of itself allowing another hypervisor to run. If it's not the case, it's super easy to detect... And even to counter: simply install another hypervisor, like the very fine Xen I'm running now and the hypervisor root-kit can't do anything.
Now another possibility: an hypervisor rootkit allowing another hypervisor to take place: the system would be so slow that the "timing attack" (an attack that has be proven to detect 100% of "hypervisor rootkits", should they ever come to exist) would simply be the user seeing its system so slow that it's clear that something fishy is going on.
Remember that you were replying to someone talking about running a system of a live CD. If the system has no hard disk, explain me where your hypothetical, urban legendary, hypervisor rootkit would reside? I seriously hope you're not implying the BIOS hold enough room to contain an hypervisor rootkit (come take a look at an hypervisor like Xen to see what I'm talking about). Not to mention that should the system have an hard disk and the hypervisor be prevent on the hard disk, I hardly see how a system configured to boot from the CD first would launch your urban legendary hypervisor...
You can't even *detect* that from inside the OS!
Anyone relying on scan ran from inside the OS to detect malware is a fool. An anti-virus running from inside the OS can find some malware and can prevent some kind of infections but thinking that because an anti-virus running from inside the OS reports nothing is a proof that there's no malware present on the system is a fool.
Btw I'm running an hypervisor on several machines, I've got "snort" behind a physically passive tap on my LAN, etc. I think the GP's advice of running a system of a Live CD is a very good advice (even tough you still can get infected... Good luck for malware to persist on the machine) while I think your answer is completely offtopic.
Re:bogus remarks (Score:4, Informative)
This is a possibility, but you're assuming that the system contains enough RAM to store all the necessary applications and datasets for the operation of the computer. Your anecdote does not prove that every machine can afford to load a complete OS into memory.
Like it or not, security researchers consider it a real threat [blackhat.com].
If you have a physical block in place, then one would think that you should be safe. Not all systems have this jumper, or have it set to prevent flashing by default. Also, an attacker with physical access could change the jumper setting. (See my original post above.)
If you were paying attention, I addressed that issue. If the computer stores settings anywhere (either a hard drive OR removable flash drive), then it is vulnerable. And let's be honest. How many users are going to create a new system layout and reburn it every time they want to change their system? Unless we're talking about an appliance device, not many.
Re: (Score:2)
If you were paying attention, I addressed that issue. If the computer stores settings anywhere (either a hard drive OR removable flash drive), then it is vulnerable. And let's be honest. How many users are going to create a new system layout and reburn it every time they want to change their system? Unless we're talking about an appliance device, not many.
Ignoring, for the moment, your assertion that the BIOS could be compromised (though your link doesn't show that security researchers are concerned at all--just one researcher who was looking to be published), storing settings, which are data isn't going to recompromise the system unless there is a vulnerability in the software which reads and uses that data. Just having the hard drive there isn't going to cut it.
In the event of installed software, assuming the malware compromises these files, yes, that co
Re: (Score:2)
His full paper on the matter is here: https://www.blackhat.com/presentations/bh-federal- 06/BH-Fed-06-Heasman.pdf [blackhat.com]
Also, I made another post right below this one that contained a link to a paper he did on storing extra code in the PCI cards themselves.
Re: (Score:2)
Q: How are settings loaded under Unix systems?
A: Executable Shell Scripts.
"Just" having the hard drive available will do nicely.
I don't understand. Can you give an example of how the data in your settings which is set by an executable shell script is going to compromise my machine unless there is a vulnerability in the shell script? Are you suggesting that during the LiveCD boot process, the LiveCD will run scripts which are located on the hard drive without user intervention?
Re: (Score:2)
If the exploit works, it works. Pure and simple. His papers are referenced by other security researchers (which is how I found out about them) who mention BIOS exploits. By your logic, all researchers are "just looking to get published" whether they advance their field or not.
Re: (Score:3, Interesting)
If the exploit works, it works. Pure and simple. His papers are referenced by other security researchers (which is how I found out about them) who mention BIOS exploits. By your logic, all researchers are "just looking to get published" whether they advance their field or not.
There's so much more to whether it works or not that your statement is absurd. There's difficulty, feasibility, detectibility, reproducibility... at Black Hat last year, a presenter failed (multiple times) to demonstrate his exploit because it was extraordinarly difficult to pull off, and there's speculation that the Maynor wireless exploit wasn't demonstrated for the same reasons. In that latter case, a well respected security firm stood behind two researchers who showed remote, wireless exploitation of
Re: (Score:3, Interesting)
True. However, these are not particularly sophisiticated attacks. They assume that a privledge elevation exploit already exists. If one exists, then reflashing the BIOS and/or executing PCI-BIOS commands are straightforward and well-documented. Anyone who has done system-level coding could pull it off without needing to question if it's even possible. Reading throu
Re: (Score:3, Informative)
Re: (Score:2, Insightful)
Re:bogus remarks (Score:5, Informative)
I just spent a few minutes reading this paper [ngssoftware.com] from the same fellow who introduced BIOS rootkits. It's quite interesting:
The paper goes on to explain the *exact* steps necessary to implement such a rootkit. Ouch.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2, Funny)
Re: (Score:2, Interesting)
I work at Sun and some of the worlds largest companies use our gear. I know one case where a heavy iron machine went down and it would have cost over 200 k for the 2 hours the box was down. Thankfully we have a good support crew and they had fail over components , dedicated to that company or it could have been bad.
Of all the *nix variants I have used Solaris seems t
Re: (Score:2)
Not so easy in a high availability environment. Where boot times can cost thousands of dollars a second. These root kits can cause havok there.
If a system's boot time has any impact on your services' availability, your architecture is broken.
but once it's in memory... (Score:1, Funny)
What can I say? BSD is in our memory, rest in peace BSD! You will remain in our memories..
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
Re: (Score:2)
You know, you can pick up a CD/DVD-ROM drive fairly cheap (or free from a friend)... unless someone has a magic new technology that ca
Re: (Score:2)
With mass production, running one production line is cheaper than running two. That's why it is entirely feasible that the readers and rewriters are actually identical as far as physical components go, and the only differences are in the control board software. In which case simply patching that software would m
System in ROM (Score:1)
OpenBSD? (Score:2)
Re: (Score:3, Informative)
A BSD rootkit? (Score:2, Funny)
Re: (Score:1)
Re: (Score:3, Informative)
Re: (Score:2)
Who cares? BSD is dying anyways right?
Re: (Score:3, Funny)
Fact: DragonflyBSD, yet another offshoot of the beleaguered FreeBSD "project", is already collapsing under the weight of internal power struggles and in-fighting. "They haven't done a single decent release," notes Mark Baron, an industry watcher and columnist. "Their mailing lists read like an online version of a Jerry Springer episode, complete with food fights, swearing, name-calling, and chair-throwing." Netcraft reports that DragonflyBSD is run on exactly 0% of internet servers.
Since when did Steve Balmer start working at dragonflyBSD ?
Re: (Score:1, Troll)
(1) BSD conforms to UNIX standards better than Linux
(2) I have The Gimp 2.2.14 on my BSD box, and it works fine. 2.2.15 was only released a couple of days ago, and I really don't feel the need to update at the moment.
(3) Open Office has worked for years, and still works. I use it daily.
(4) If by "almost no developers left" you mean hundreds of main-stream developers, and thousands of applications porters, I'd say yo
Parent lifted from Uncyclopedia (Score:1)
Durr? (Score:1)
I dunno, ya think that's why they're called ROOTkits?
Re: (Score:2)
Re: (Score:1)
rootkit detectors (Score:4, Informative)
Re: (Score:3, Insightful)
My understanding was the best you can do is boot from CD and then examine the hard disk which actually has the OS installed.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
Kernel changes (Score:2)
Why can't the rootkit software look at an MD5 checksum of the kernel vs the kernel as configured, to determine if there are changes to the kernel?
Not a *nix programmer myself, but as previous posters pointed out (FreeBSD is a Ford Escape and whatnot), the same ideas apply everywhere.
Your OS is rooted. So, you call your OS's MakeMD5Hash() function. Except, how do the hash function wasn't rooted? For all you know, that code could now return nothing but the MD5 hash calculated before the kernel was ra
Audio Interview on BSDTalk (Score:2, Informative)
http://bsdtalk.blogspot.com/2007/05/bsdtalk113-de
got root (Score:3, Informative)
There is no fundamental reason (Score:4, Interesting)
Second, all modules should be exposed and visible at all times, along with the connections between modules. This is not hard. You have a hypervisor which doesn't do virtualization, rather it simply queries the OS on what the OS is currently doing. Why have something below the kernel? Because then it cannot be written to by the kernel. It is outside the kernel's memory space. It cannot be trapped, descheduled, replaced, modified or even sniffed by the OS or anything the OS is running. This gives you a covert channel to a monitoring tool that the rootkit cannot disable or interfere with. The OS merely needs to provide some sort of API that the hypervisor can use to supervise the kernel's activities and intercept the information needed to establish the covert channel with the monitoring tool.
Too complex? Ok, then how about a third solution: Have the compiler randomize the kernel's ABI. Totally. Absolutely zero predictability in how parameters are passed. The compiler just needs to make sure ALL calls to a specific function call that function the same way, whether the object is linked in or compiled as a module. It also has to make sure that out-of-tree builds also compile to the correct ordering for each function. Binary-only modules would need to be supplied with the source code for a glue layer that can map the binary's ABI with that of the kernel. Any unauthorized module will make calls that violate the ABI and therefore cannot stay running. They might crash the kernel, but that could be better than unauthorized and uncontrolled activity which might do far more damage.
Last, but not least, the kernel could support trusted computing modules and mandatory access controls for memory. It's the least secure, in some ways, but Trusted IRIX is pretty damn secure and I'd have some measure of faith in any integrity system that came close in design. (SGI released "Open B1" - OB1 - which was some of the code used to make IRIX as hard as it was. Dunno if anybody looked through the code for ideas - it wouldn't have mapped directly into Linux, but ideas are ideas and are OS-independent. Besides, OpenBSD at the time had no mandatory access control support. I don't know how far the other BSDs have got - I know there's some MAC and/or RBAC support in some, but are we talking basics or B1-equiv?)
Maybe a rootkit author could bypass all of these, but I doubt - seriously doubt - that it would be a trivial weekend exercise to bypass Trusted Computing or strong authentication/validation mechanisms.
Re:There is no fundamental reason (Score:5, Informative)
Step 1: Analyze NVidia or ATI graphics driver for buffer overflows or similar security issues.
Step 2: Construct an OpenGL call to exploit the issue and create an easy access point into the kernel.
Step 3: Use new access point to patch the kernel or BIOS code.
Step 4: Close the doors and clean up the mess so that there is no evidence of tampering. Just a regular kernel running regular modules and processes. No one knows that the kernel has actually been modified.
Step 5: ??? (Contact foreign terrorists? Skim partial pennies into a swiss bank account? Use for DDoS operations?)
Step 6: Profit!
Note that this potentially works for modules other than graphics modules. It's just that they're the most complex and therefore easier to exploit.
Two problems:
1. This would make binary modules impossible.
2. The current ABI must be documented in a machine-readable form somewhere on the system. The rootkit installer can modify the patch before installing it. Worst case, it can compile source code into a pristine binary that is compatible. (Since you'd be required to have a compiler on your system.)
Indeed... compilation is not barrier... (Score:2)
Indeed. You can even hide a virus in source code, if the source is complex enough. Like, say, Gecko or Qt or Gtk or
Compilation isn't a big slow noticable step any more. I'm using Tcl modules that generate C code to cache an SQL table at runtime... as an optimization. There's gentoo riceboys talking about building a kernel from the miniroot at boot time...
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Funny)
I believe this is called the Linux Kernel Development Process. It even scrambles the API's pretty good between iterations.
Minimalist OS (Score:2, Interesting)
Take an "appliance" web-server for instance.
You need a way for the web server application to read and write to a data store, you need a way for the end-user to access the web server for pages, and you need some way to administer the system. You need to make sure nothing else happens that isn't directly supporting these activities. You also need to make sure any "supporting" activity doesn't do something rogue.
Due to "legacy" requ
Re: (Score:2)
http://plan9.bell-labs.com/plan9/ [bell-labs.com]
SE... (Score:1)
Re: (Score:2)
Oh please.. (Score:2, Interesting)
The system is designed to prevent noobs from doing stupid things.
You have to intentionally do something bad, IE circumvent standard security procedures to let this happen.
You have several chances to NOT do what you know is bad, besides, you have to know what you are doing to be able to do it!
If you manage to end up with your Linux or BSD box infected, you OPTED IN by your own free will so don't whine.
Re: (Score:1)
CHMOD 777 *
The command is short, so it can't be too bad, right?
</sarcasm>
BIOS rootkits are a myth (Score:1, Interesting)
Bullsh*t.
Urban fsck*ng legend.
There have been some very lame, very trivial to detect, viruses targetting the BIOS but that's it. There simply ain't enough room to put something approaching a rootkit in the BIOS. There's your reality check.
I'll also mention that a lot of "beige PCs" motherboard require a jumper to be toggl
Re: (Score:2)
BSD Systems (Score:3, Interesting)
The author of the article also wisely notes that KLDs also can cause problems. I would say that the KLDs included by default are fairly safe. It is the third party ones that you need to be wary of. I disagree with the author on the notion that compiling the support right into the kernel is a good answer. What happens if a remote hole is found in, say IPv6, and you have it hard coded into the kernel. I would rather be able to instantly kldunload the offensive binary rather than have to take an entire server offline to patch, recompile the kernel and continue on.
Re: (Score:1)
Once you're penetrated you're ****ed. (Score:5, Insightful)
There's no magical difference between "rootkits" and any other trick for hiding code in a system... it doesn't matter if it's a "virus", or a "rootkit" or even a "polymorphic perverse passive-agressive viral-enhanced trojan rootkit" (or whatever the cool terminology of the week is), the trick to hiding is to change the things you know the rootkit detectors or antivirus software is looking for so they look right. The trick to finding them is to look in more places, and look in ways that they haven't thought of covering up. But the real trick is keeping them out in the first place.
Security is like sex... once you're penetrated you're ****ed. If the basic software is designed to that when implemented as documented there's no mechanism for an attacker to use, then you're in pretty good shape. At least, you will be able to fix any holes that DO show up without breaking working software. And that's the main disadvantage Windows has... there's just too much everyday software and important APIs that are inherently insecure. Even when implemented as documented, there's attacks
At the very least, you need to cut that down to "you just asked to do something that might be stupid, do you mean it?".
Re:Once you're penetrated you're ****ed. (Score:4, Funny)
I think a car analogy would work better here... at least cars are something most people here have a passing familiarity with.