CIS 450 - PowerPoint PPT Presentation

About This Presentation
Title: CIS 450
Description: Backdoor a way for an attacker to get back into a network or system ... Defeating kernel-level rootkits requires hardening the kernels of critical systems ...

Slides: 8
Provided by: jbpackma
Transcript and Presenter's Notes

1
CIS 450 Network Security
  • Chapter 15 Preserving Access

2
  • Backdoor: a way for an attacker to get back into
    a network or system without being detected
  • Common ways to install backdoors
    • By opening a port and using a listening agent
      • Vision Port Scanner
      • http://linuxpr.com/releases/5354.html
      • Netcat
      • Tini: When I went to download the file I
        received a message from my virus scanner that the
        .exe file had a virus, which was cured
    • Through the use of a Trojan program
      • Contains overt and covert programs
      • QAZ

3
Rootkits
  • What is it?
    http://www.linuxdevcenter.com/pub/a/linux/2001/12/14/rootkit.html
  • Trojanize key system files on the operating
    system
  • File-Level Rootkits
    • The legitimate program is replaced with the
      Trojan version
    • The legitimate program becomes the overt program
      and the backdoor becomes the covert function
    • Programs replaced are the ones that a UNIX
      administrator would use (page 548)
    • Attacker can get back into the system and hide
      his tracks
    • Operate at the application (user) level
  • Defending against
    • File-level rootkits can be discovered by looking
      for changes in binary programs
      • Tripwire
      • AIDE
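The Tripwire/AIDE idea from this slide, as an added Python example (not part of the slide deck, and not code from either tool): a baseline of content hashes and metadata is built from a constructed directory, the files are then altered the way a file-level rootkit install leaves them (one binary replaced, one changed only in permissions, one removed, one dropped in), and a rescan reports exactly what differs.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """SHA-256 of the content plus the metadata a Trojaned replacement usually disturbs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(root):
    """Fingerprint every regular file under root (symlinks skipped), keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                baseline[os.path.relpath(p, root).replace(os.sep, "/")] = fingerprint(p)
    return baseline

def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan of the same tree."""
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"modified": modified,
            "added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys())}

def demo():
    """Constructed scenario in a temp dir: a fake bin/ whose tools are then tampered with."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    for name in ("ps", "ls", "netstat"):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")
    saved = build_baseline(root)   # in practice this copy lives off the host, read-only
    # Changes a file-level rootkit install would leave behind (constructed for the test):
    with open(os.path.join(bindir, "ps"), "wb") as f:   # content replaced, same name
        f.write(b"#!/bin/sh\necho not the real ps\n")
    os.chmod(os.path.join(bindir, "ls"), 0o4555)         # content intact, only mode changed (setuid)
    os.remove(os.path.join(bindir, "netstat"))           # tool removed
    with open(os.path.join(bindir, "extra"), "wb") as f: # new file dropped alongside
        f.write(b"unknown binary")
    return compare(saved, build_baseline(root))
```

The mode-only change on ls is why the fingerprint records more than a hash. As the later slide points out, the comparison is only as trustworthy as the kernel answering the reads, so the baseline belongs off-host and the scan ideally runs from known-good media.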

4
Rootkits
  • Kernel-Level Rootkits
    • Operate at the kernel (operating system) level
    • By altering the heart of the operating system,
      kernel-level rootkits enable attackers to create
      a system that appears normal to users and
      administrators. In reality, the underlying kernel
      is riddled with attacker modifications, all
      masked by the manipulated kernel. Kernel-level
      rootkits usually include the ability to redirect
      system calls, so when a user wants to run one
      program--say, ps, netstat or ifconfig--a
      Trojanized version is executed. These tools can
      also hide processes, files, sniffer usage and
      network port usage by altering the kernel so that
      it "lies" to you. Attackers are using numerous
      kernel-level rootkits for Linux, Solaris and
      Windows, among others.

5
Rootkits
  • Kernel-level rootkits continued
  • Defending against
    • Techniques used to defend against file-level
      rootkits don't work as well on a system with a
      kernel-level rootkit, as all requests for
      information go through the rotten kernel itself
    • While AIDE may show you that your login binary is
      intact, the kernel-level rootkit redirects
      execution to the attacker's backdoor
    • Defeating kernel-level rootkits requires
      hardening the kernels of critical systems
      • Saint Jude Project monitors the integrity of a
        Linux kernel by looking for modifications of the
        system call table
      • Can deploy machines with monolithic kernels,
        created by building a kernel that doesn't support
        loadable kernel modules
      • Hardening the kernel itself
        • PitBull
        • Hardened versions of Unix and Unix-like OSes,
          such as SELinux and Sun Microsystems' Trusted
          Solaris, include additional kernel protections
    • Note: Kernel-hardening solutions can be unwieldy
      if widely deployed, because they alter the
      fundamental operation of the kernel, complicating
      system administration and possibly breaking
      third-party tools

6
UNIX Rootkits
  • File-level Rootkits
    • TrojanIT - http://www.rishabhdara.com/link.php?currentgrp30
    • Lrk5 - http://www.ossec.net/rootkits/lrk.php
    • Ark, Rootkit (this has a Trojan embedded in it; I
      received a message from my anti-virus software even
      though I did not download it or open it), and Tk
      - http://www.antiserver.it/Backdoor-Rootkit/
  • Kernel-level rootkits
    • Knark - http://www.rishabhdara.com/link.php?currentgrp30

7
Wrappers
  • A tool that combines two or more files into a
    single file, usually for the purpose of hiding
    one of them.
  • Examples
    • SilkRope 2000 - http://www.pestpatrol.com/pestinfo/s/silk_rope.asp
    • Saran Wrap - http://pestpatrol.com/zks/pestinfo/s/saran_wrap_1_0.asp