Phalanx – A Self-injecting Rootkit. Instructor: Dr. Harold C. Grossman. Students: Jinwei Liu & Subhra S. Sarkar

Dec 14, 2015

Transcript
Slide 1

Slide 2 – Title
Phalanx: A Self-injecting Rootkit
Instructor: Dr. Harold C. Grossman
Students: Jinwei Liu & Subhra S. Sarkar

Slide 3 – Agenda
Introduction
History
Objectives
Phalanx's standing in rootkit classification
Features
Notable infections
Detection mechanisms
Prevention mechanisms
Availability
2011 Jinwei Liu & Subhra S. Sarkar

Slide 4 – Introduction
Phalanx is a self-injecting kernel rootkit designed for sniffing user SSH credentials on the Linux 2.6 kernel branch. It uses the /dev/mem interface to inject hostile code into kernel memory and hijack system calls. Phalanx also gives continued privileged access to the compromised system while hiding its presence from administrators by subverting standard OS functionality.

Slide 5 – History
1. First surfaced in 2005
2. Originally developed by rebel ([email protected])
3. Beta 1: backdoor, file hiding, process hiding
4. Beta 2: socket hiding, improved process hiding
5. Beta 3: TTY sniffer, improved obfuscation
6. Current version: Beta 6 (with additional functionality)

Slide 6 – Objectives
The objectives of Phalanx fall into the following categories:
1. HID: User-space object hiding
2. PE: Privilege escalation
3. REE: Re-entry/backdoor
4. REC: Reconnaissance
5. NEU: Defense neutralization

Slide 7 – Phalanx's standing in rootkit classification
Rootkits can be broadly classified into the following categories:
1. Type 0 rootkit
2. Type 1 rootkit
   (a) Hooking lookup tables
   (b) Code patching
   (c) Hooking CPU registers

Slide 8 – Phalanx's standing in rootkit classification (contd.)
3. Type 2 rootkit
   (a) Kernel object hooking
   (b) Direct kernel object manipulation
4. Type 3 rootkit
   (a) Virtual machine based
   (b) Hardware-assisted virtual machine based
From the above classification, it is clear that Phalanx falls into the Type 1 rootkit category.

Slide 9 – Features
1. Harvests SSH keys and other credentials
2. Creates a hidden directory, /etc/khubd.p2 or another name, for collecting user information. The directory name is sometimes varied to evade detection.
3. Uses methods to hide its running processes
4. Does not show up in process listings from ps or ls /proc; however, its directory under /proc is still accessible.

Slide 10 – Notable infections
1. Linux servers of kernel.org, used for distributing the Linux kernel image, were compromised in July 2011
2. SRFC breach at the University of Cambridge in April 2009
3. Several attacks were launched in August 2008 on servers running Linux

Slide 11 – Detection mechanisms
1. Try cd into /etc/khubd.p2 even though the ls command won't list it.
2. /dev/shm/ may contain files from the attack.
3. Any directory named khubd.p2 is not displayed in an ls directory listing, but the directory can be accessed with the cd command.
4. Check the reference count of /etc/ against the number of directories shown by the ls command.

Slide 12 – Prevention mechanisms
1. Proactively identify and examine systems where SSH keys are used as part of automated processes.
2. Encourage users to use keys with passphrases.
3. Review access paths to Internet-facing systems and ensure that the systems are fully patched.

Slide 13 – Availability
Phalanx can be downloaded for free for educational purposes from the following URL: http://packetstormsecurity.org/search/?q=phalanx
Author: rebel ([email protected])
Current version available for download: beta 6
Release date: Nov 17, 2005

Slide 14 – References
1. http://www.phrack.org/issues.html?issue=66&id=16
2. http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Phalanx2-A.aspx
3. http://www.madirish.net/?article=353
4. http://hep.uchicago.edu/admin/report_072808.html
5. http://www.us-cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attacks
6. http://www.linuxquestions.org/questions/linux-security-4/ssh-key-based-attacks-phalanx2-rootkit-665891/
7. http://smartech.gatech.edu/handle/1853/34844
8. http://www.cs.umd.edu/~mwh/papers/petroni07sbcfi.html

Slide 15 – Thank You
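Slide 11's third and fourth checks written out as a small Python check of my own (added here, not part of the deck): a directory filtered out of readdir is still reachable by name through lstat, and on filesystems where a directory's st_nlink equals 2 plus its subdirectory count, a link count larger than what a listing shows points to a hidden entry. The khubd.p2 name comes from slide 9; the function names and the None result for filesystems without the link-count invariant are my assumptions.

```python
import os
import stat
from typing import Iterable, List, Optional

# Directory name the slides associate with Phalanx's hidden drop; callers
# can extend this tuple with other names seen during an investigation.
SUSPECT_NAMES = ("khubd.p2",)

def link_count_discrepancy(nlink: int, visible_subdirs: int) -> Optional[int]:
    """Subdirectories implied by st_nlink minus those a listing showed.

    Classic Unix filesystems keep st_nlink == 2 + number of subdirectories,
    so a positive result means an entry is being filtered out of listings.
    Filesystems without that invariant (btrfs and some union or network
    filesystems report 1) yield None: "no verdict", never "clean".
    """
    if nlink < 2:
        return None
    return nlink - 2 - visible_subdirs

def visible_subdir_count(path: str) -> int:
    """Count subdirectories the way ls does, through getdents/readdir."""
    return sum(1 for e in os.scandir(path) if e.is_dir(follow_symlinks=False))

def probe_known_names(path: str, names: Iterable[str] = SUSPECT_NAMES) -> List[str]:
    """A listing-hidden directory is still reachable by path (cd works),
    so lstat each suspect name directly instead of relying on readdir."""
    found = []
    for name in names:
        full = os.path.join(path, name)
        try:
            if stat.S_ISDIR(os.lstat(full).st_mode):
                found.append(full)
        except FileNotFoundError:
            pass
    return found

def check_dir(path: str, names: Iterable[str] = SUSPECT_NAMES) -> dict:
    """Run both checks on one directory and return the findings."""
    nlink = os.lstat(path).st_nlink
    visible = visible_subdir_count(path)
    return {
        "link_count_discrepancy": link_count_discrepancy(nlink, visible),
        "reachable_but_unlisted_candidates": probe_known_names(path, names),
    }

if __name__ == "__main__":
    # The deck's example target; run as root so every subdirectory is stat-able.
    print(check_dir("/etc"))
```

A positive discrepancy or a non-empty candidate list is a lead, not proof: compare against a clean install of the same kernel and filesystem before acting on it.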