
Jynx Rootkit/1.0

From NetSec
Revision as of 22:06, 18 October 2011 by LashawnSeccombe (Talk | contribs)


Rootkit Link

www.blackhatacademy.org/releases/Jynx-Kit-Pub.tar.gz

Introduction

Jynx is a userland rootkit that uses LD_PRELOAD to override several critical libc functions.


LD_PRELOAD rootkits are simple once you understand how LD_PRELOAD works: you hook libc functions to hide whatever you choose from their callers. The challenging part, and you'll see this in Jynx, is that a hooked call gives you only a limited amount of information to decide with.

For example, to decide whether or not to hide an entry, there is no way to get a full file path inside readdir without also hooking opendir and maintaining a lookup table, which is gross and bulky. Or fstat: you only have an fd, so we have it look at the gid, and of course it hides /etc/ld.so.preload. So, moving on to the specifics of Jynx-Kit for those who want to play with it, the first thing to know is that there's a lot of room for improvement.

I know one of our testers removed all the gid code and hides by filename only; for example, you could hide network connections in /proc/net/tcp. The issue with ignoring the GID is that it's harder to hide processes from programs like 'ps' with our version, or even from ls /proc. It hides all processes with a certain gid, so I recommend you use an existing system gid that isn't used much and won't be missed, so you don't have to mask it in configs.

You could hook into network functions to add backdoors, etc. You can be pretty creative with LD_PRELOAD; it's really simple to implement. Since rootkit hunters rely on the environment being truthful, it's easy to slide by undetected.

This rootkit is undetectable to rkhunter and chkrootkit. Kernel rootkits are unstable: they break between kernel versions and slow down the system. Userland is stable, but the Linux kernel's internals aren't stable at all. LKMs are useful for specific jobs like setting a pid to 0, but robust LKMs cause issues.
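The point above about hunters trusting the environment is also the defender's lever: a checker that talks to the kernel directly does not pass through the hooked libc at all. The following is an added example, not code from the original page or from the Jynx release, that counts a directory's entries via raw getdents64 and via libc readdir() and reports the difference; the struct and function names are my own.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by getdents64 (glibc does not export it). */
struct raw_dirent64 {
    uint64_t d_ino;
    int64_t d_off;
    unsigned short d_reclen;
    unsigned char d_type;
    char d_name[];
};

/* Count entries using raw syscalls only, so a preloaded opendir()/readdir()
 * hook never sees the request. A hook on syscall() itself would still win;
 * a production checker issues the syscall with inline assembly instead. */
long count_entries_raw(const char *path) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192] __attribute__((aligned(8)));
    long total = 0, n;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0) {
        for (long off = 0; off < n; ) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            total++;
            off += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return n < 0 ? -1 : total;
}

/* Count the same directory through libc, the view a hooked process gets. */
long count_entries_libc(const char *path) {
    DIR *dir = opendir(path);
    if (!dir) return -1;
    long total = 0;
    while (readdir(dir) != NULL) total++;
    closedir(dir);
    return total;
}

/* Entries the kernel reports but libc does not. A positive result means
 * something is filtering the listing, which is what a readdir() hook does.
 * Returns -1 when either view fails. */
long hidden_entries(const char *path) {
    long raw = count_entries_raw(path), lib = count_entries_libc(path);
    if (raw < 0 || lib < 0) return -1;
    return raw - lib;
}
```

Run it against /proc or a directory you suspect; on a clean system the difference is 0 and a positive number is a concrete lead rather than a guess.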

Exercise

Try hiding TCP connections by hooking read.

Anyway, use packer.sh to make a self-installing shell file for your version of Jynx-Kit. Then just run ./install.sh to extract all sources, compile, install, and delete traces.

I recommend pointing /etc/ld.so.preload at a soft link that points to ld_poison.so, so it's easier to remove. So just use ln -s to make the soft link, then copy that path into /etc/ld.so.preload, then rm the soft link, and rm ld.so.preload after.