Difference between revisions of "Jynx Rootkit/1.0"

From NetSec
(Jynx)
Line 3:
  At the time of release, jynx was not detected by chkrootkit or rkhunter.  Jynx comes bundled with a magic-packet activated reverse connect [[SSL]] shell that hooks pcap in order to evade local [[sniffing]].
- ==Rootkit Link==
- <pre>http://www.blackhatacademy.org/releases/Jynx-Kit-Pub.tar.gz</pre>
- This is where the source to Jynx Kit is available.
- File contents:
- bc.c<br>
- config.h<br>
- ld_poison.c<br>
- Makefile<br>
- packer.sh<br>
- README<br>
- ==Introduction==
- LD_PRELOAD ROOTKITS are simple if you understand how LD_PRELOAD works. You hook libc functions to obscure arbitrary code. The challenging part of this, and you'll see this in jynx, is that you have a limited amount of information given to you in a call.
- For example, to decide whether or not to hide it, there is no way to get a full file path inside of readdir without hooking opendir and maintaining a lookup table which is gross and bulky.
- Or fstat, you only have an fd, so we have it look at the gid and of course it hides /etc/ld.so.preload.
- So, moving onto the specifics of jynxkit, for those who want to play with it, first thing: there's a lot of room for improvement.
- I know one of our testers removed all the gid code, just hides by filename, for example, you could hide network connections in /proc/net/tcp. The issue with ignoring GID is that it's harder to hide processes from programs like 'ps' with our version, even ls /proc. It hides all processes with a certain gid, i recommend you use an existing system gid.
- That isn't used much and won't be missed so you dont have to mask it in configs. You could hook into network functions to add backdoors etc. You can be pretty creative with ld_preload, it's really simple to implement. Since rootkit hunters rely on the environment to be truthful, it's easy to slide by undetected.
- This rootkit is undetectable to rkhunter and chkrootkit. Kernel rootkits are unstable, they break between kernel versions, slow down the system, userland is stable but the linux kernel isn't stable at all. LKMs are useful for specific uses like setting a pid to 0 but robust LKMs cause issues.
+ ==Introduction==
+ LD_PRELOAD rootkits are simple if one understand how LD_PRELOAD works. Libc functions are hooked in order to obscure arbitrary code. The challenging part of this is the limited amount of information given in a function call.
+ For example, to decide whether or not to hide information, there is no way to get a full file path inside of readdir() without hooking opendir() and maintaining a lookup table which is not only hackish, but degrades performance of the system.
+ With fstat(), only a file descriptor is passed, and thus Jynx uses a magic GID to hide /etc/ld.so.preload.
+ {{info|Jynx has room for improvement!  Want to contribute?  Visit our [[IRC]]!}}
+ In one custom implementation of Jynx written by a student, a magic string is used as opposed to a magic GID.  It is harder to hide processes from programs like `ps' or even from a user obtaining a /proc listing using a magic string; thus Jynx uses the magic GID method.  It is recommended to use an existing system GID so that another group is not added to the system, and thus the file integrity of /etc/group is preserved.
+ Because most rootkit detection mechanisms rely on a truthful environment, it is easy to bypass detection. By hooking [[LD Preload]], near anything is possible.
+ This rootkit is undetectable to rkhunter and chkrootkit and exists in [[userland]] or [[RING]] 3.
+ ==Configuration & Features==
+ {{info| Download at [http://www.blackhatacademy.org/releases/Jynx-Kit-Pub.tar.gz]}}
  ==Exercise & Installation==

Revision as of 21:54, 18 October 2011

Jynx

Jynx is a rootkit that implements LD Preload to override several critical libc functions.

At the time of release, Jynx was not detected by chkrootkit or rkhunter. Jynx comes bundled with a magic-packet-activated reverse-connect SSL shell that hooks pcap in order to evade local sniffing.

Introduction

LD_PRELOAD rootkits are simple if one understands how LD_PRELOAD works. Libc functions are hooked in order to obscure arbitrary code. The challenging part is the limited amount of information available inside a hooked function call.

For example, to decide whether or not to hide an entry, there is no way to get a full file path inside of readdir() without also hooking opendir() and maintaining a lookup table, which is not only hackish but degrades the performance of the system.

With fstat(), only a file descriptor is passed, so there is no path to match on; Jynx therefore checks the file's group ID against a magic GID, which is how it hides /etc/ld.so.preload.

Jynx has room for improvement! Want to contribute? Visit our IRC!

In one custom implementation of Jynx written by a student, a magic string is used instead of a magic GID. With a magic string it is harder to hide processes from programs like 'ps', or even from a user obtaining a /proc listing; thus Jynx uses the magic GID method. It is recommended to use an existing system GID so that no new group is added to the system and the file integrity of /etc/group is preserved.

Because most rootkit detection mechanisms rely on a truthful environment, it is easy to bypass detection. By hooking LD Preload, nearly anything is possible.

This rootkit is undetectable to rkhunter and chkrootkit and exists in userland or RING 3.
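The detection weakness described above (checkers that trust libc's readdir() and stat() answers, and the hidden /etc/ld.so.preload) suggests the obvious cross-view check. The following is an added example, not Jynx's code or the page's own: it lists a directory once through libc's readdir() and once through the raw getdents64 syscall, which an LD_PRELOAD hook never sees, and reports any name present only in the raw view. It assumes Linux with glibc.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Libc view: does opendir()/readdir() report NAME inside DIR?  A preloaded
 * rootkit that hooks readdir() can lie here.  1 = yes, 0 = no, -1 = error. */
static int libc_view_has(const char *dir, const char *name) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while (!found && (e = readdir(d)) != NULL)
        found = (strcmp(e->d_name, name) == 0);
    closedir(d);
    return found;
}

/* Kernel view: walk DIR with the raw openat/getdents64 syscalls, which never
 * pass through libc, and count the names the libc view omits.  -1 on error.
 * glibc's struct dirent64 has the same layout the kernel writes for getdents64. */
int count_hidden_entries(const char *dir) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, dir, O_RDONLY | O_DIRECTORY, 0);
    if (fd < 0) return -1;
    long long storage[1024];                    /* 8-byte aligned scratch space */
    char *buf = (char *)storage;
    int hidden = 0; long n;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof storage)) > 0) {
        for (long off = 0; off < n; ) {
            struct dirent64 *ent = (struct dirent64 *)(buf + off);
            if (libc_view_has(dir, ent->d_name) == 0) {   /* raw sees it, libc does not */
                hidden++;
                printf("hidden from readdir(): %s/%s\n", dir, ent->d_name);
            }
            off += ent->d_reclen;
        }
    }
    close(fd);
    return n < 0 ? -1 : hidden;
}

int main(int argc, char **argv) {
    /* /etc is where Jynx hides ld.so.preload; pass another directory to check it. */
    int h = count_hidden_entries(argc > 1 ? argv[1] : "/etc");
    printf("%d hidden entries\n", h);
    return h != 0;
}
```

On a clean system the two views agree and the count is 0; a rootkit that filters readdir() by name or GID shows up as a non-zero count with the hidden names printed.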

Configuration & Features

Download at http://www.blackhatacademy.org/releases/Jynx-Kit-Pub.tar.gz

Exercise & Installation

- Try hiding TCP connections by hooking read().

Use packer.sh to build a self-installing shell file for your version of jynx-kit. Run ./install.sh to extract all sources, compile, install, and delete traces.

Pointing /etc/ld.so.preload at a soft link (symlink) to ld_poison.so is easier to remove.
  To make the soft link:
    ln -s /path/to/poison.so /etc/ld.so.preload
  Removal:
    rm -vf /path/to/poison.so /etc/ld.so.preload
Alternatively, you can simply overwrite /etc/ld.so.preload; however, removal will be more difficult:
    rm -vf /etc/ld.so.preload ; mv /path/to/poison.so /etc/ld.so.preload