Difference between revisions of "Jynx Rootkit/1.0"
(→Introduction) |
(→Exercise & Installation) |
||
| Line 22: | Line 22: | ||
==Exercise & Installation== | ==Exercise & Installation== | ||
| − | + | '''Exercise''' : Try hiding tcp connections by hooking read. | |
| − | + | Basic installation: | |
| − | + | ./packer.sh | |
| + | ./install.sh | ||
{{info|Pointing /etc/ld.so.preload to a soft link or symlink that points to the ld_poison.so is easier to remove.}} | {{info|Pointing /etc/ld.so.preload to a soft link or symlink that points to the ld_poison.so is easier to remove.}} | ||
| Line 34: | Line 35: | ||
rm -vf /path/to/poison.so /etc/ld.so.preload | rm -vf /path/to/poison.so /etc/ld.so.preload | ||
| − | {{warning|Alternatively, you can simply overwrite /etc/ld.so.preload, however removal will be more difficult}} | + | {{warning|Alternatively, you can simply overwrite /etc/ld.so.preload, however removal will be more difficult. This is what '''install.sh''' uses.}} |
rm -vf /etc/ld.so.preload ; mv /path/to/poison.so /etc/ld.so.preload | rm -vf /etc/ld.so.preload ; mv /path/to/poison.so /etc/ld.so.preload | ||
Revision as of 22:58, 18 October 2011
Jynx
|
Jynx is a rootkit that implements LD Preload to override several critical libc functions. |
At the time of release, jynx was not detected by chkrootkit or rkhunter. Jynx comes bundled with a magic-packet activated reverse connect SSL shell that hooks pcap in order to evade local sniffing.
Introduction
LD_PRELOAD rootkits are simple if one understand how LD_PRELOAD works. Libc functions are hooked in order to obscure arbitrary code. The challenging part of this is the limited amount of information given in a function call.
For example, to decide whether or not to hide information, there is no way to get a full file path inside of readdir() without hooking opendir() and maintaining a lookup table which is not only hackish, but degrades performance of the system.
With fstat(), only a file descriptor is passed, and thus Jynx uses a magic GID to hide /etc/ld.so.preload.
|
|
Jynx has room for improvement! Want to contribute? Visit our IRC! |
In one custom implementation of Jynx written by a student, a magic string is used as opposed to a magic GID. It is harder to hide processes from programs like `ps' or even from a user obtaining a /proc listing using a magic string; thus Jynx uses the magic GID method. It is recommended to use an existing system GID so that another group is not added to the system, and thus the file integrity of /etc/group is preserved.
Because most rootkit detection mechanisms rely on a truthful environment, it is easy to bypass detection. By hooking LD Preload, near anything is possible.
This rootkit is undetectable to rkhunter and chkrootkit and exists in userland or RING 3.
Configuration & Features
|
|
Download at http://www.blackhatacademy.org/releases/Jynx-Kit-Pub.tar.gz |
Exercise & Installation
Exercise : Try hiding tcp connections by hooking read.
Basic installation: ./packer.sh ./install.sh
|
|
Pointing /etc/ld.so.preload to a soft link or symlink that points to the ld_poison.so is easier to remove. |
To make the soft link: ln -s /path/to/poison.so /etc/ld.so.preload
Removal: rm -vf /path/to/poison.so /etc/ld.so.preload
|
Alternatively, you can simply overwrite /etc/ld.so.preload, however removal will be more difficult. This is what install.sh uses. |
rm -vf /etc/ld.so.preload ; mv /path/to/poison.so /etc/ld.so.preload
