Locked Linux Kernel 2.6.x /proc rootkit(Unix/Darbe-A)


otreva


Date:

=====

2012-11-21

Introduction:

=============

Unix/Darbe-A is a new kernel rootkit based on the /proc file system; the modification is made in order to support kernel 2.6.x.

 

Detected

========


 

Analysis

=========

 

analiz@server:/tmp$ uname -a
Linux server 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:32:50 UTC 2012 i686 i686 i386 GNU/Linux

analiz@server:/tmp$ lsmod
Module Size Used by
security 13046 0 <--- Linux Kernel Module ??? What is the task?
vsock 47098 0
rfcomm 37291 4
bnep 17711 2

analiz@server:/tmp$ ./kontrol

Sistem yetki unitesi

Kullanim: ./kontrol <sifre>

What is the meaning of the word "sifre"? It is not an English word; it comes from Turkish. In English it means "password".

analiz@server:/tmp$ gdb ./kontrol
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04

(gdb) r sifre <- run
Starting program: /tmp/kontrol sifre
Bir Bulutla KI$ Gelmez! < -- Turkish sentence
[inferior 1 (process 3314) exited with code 01] <-----------Anti debug ???

analiz@server:/tmp$ ./kontrol password

Sifre yanlis! <--? Wrong Password.

analiz@server:/tmp$ objdump -s ./kontrol | grep sifre
80c5b30 3c736966 72653e20 0a0a2000 66616272 <sifre> .. .fabr <--??* fabr??

analiz@server:/tmp$ objdump --start-address=0x80c5b30 --stop-address=0x80c5b50 -s ./kontrol

./kontrol: file format elf32-i386

Contents of section .rodata:
80c5b30 3c736966 72653e20 0a0a2000 66616272 <sifre> .. .fabr <---- fabrika ??
80c5b40 696b6100 0a536966 72652079 616e6c69 ika..Sifre yanli

analiz@server:/tmp:/tmp$ ./kontrol fabrika <--- pass is fabrika
# id <--- ?? upss.. #root#
uid=0(root) gid=0(root) groups=0(root)

 

The Linux kernel module (security.ko) has been injected into the system; the control program (./kontrol fabrika) makes a normal user root.

 

Download:

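The post shows an unexpected module (security) sitting in lsmod beside legitimate ones, and a control binary that hands a normal user root. One defender-side check for the module half of that picture, added here as an example and not part of the original post or of the sample's own code: triage the module names a host reports as loaded against the module tree of the running kernel, and compare /sys/module with /proc/modules to catch a module that has unlinked itself from the kernel's module list. The lsmod listing is the one quoted above; the set of "known" module names, the index_module_tree helper and the triage function are this example's own assumptions. The sysfs filter relies on the kernel exposing an initstate attribute only for loadable modules, so built-in code is not reported as hidden.

```python
"""Triage the kernel modules a Linux host reports as loaded.

Added example (not the post's code): flag loaded names that have no backing
.ko file under /lib/modules/<release>, and names that are present in sysfs
but absent from /proc/modules.
"""
import os
import re
from pathlib import Path

# Constructed sample: the lsmod listing quoted in the post.
SAMPLE_LSMOD = """\
Module Size Used by
security 13046 0
vsock 47098 0
rfcomm 37291 4
bnep 17711 2
"""

# Constructed sample: names a clean module tree for this kernel would carry.
# On a live host, index_module_tree(os.uname().release) replaces this set.
SAMPLE_KNOWN = {"vsock", "rfcomm", "bnep", "bluetooth", "vmw_vsock_vmci_transport"}


def normalise(name):
    """Module names use '_' in /proc/modules, but file names may use '-'."""
    return name.replace("-", "_")


def parse_lsmod(text):
    """Return module names from lsmod output, skipping the header line."""
    names = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if parts:
            names.append(normalise(parts[0]))
    return names


def parse_proc_modules(text):
    """Return module names from /proc/modules (name size refcnt deps state addr)."""
    return [normalise(line.split()[0]) for line in text.splitlines() if line.strip()]


def index_module_tree(release, root="/lib/modules"):
    """Collect module names from every .ko (plain or compressed) under the
    running kernel's tree. Returns an empty set if the tree is absent."""
    base = Path(root) / release
    known = set()
    if not base.is_dir():
        return known
    pattern = re.compile(r"^(.+?)\.ko(\.gz|\.xz|\.zst)?$")
    for path in base.rglob("*.ko*"):
        match = pattern.match(path.name)
        if match:
            known.add(normalise(match.group(1)))
    return known


def find_unknown_modules(loaded, known):
    """Loaded modules with no file in the module tree: out-of-tree or injected."""
    return sorted(set(loaded) - set(known))


def find_hidden_modules(proc_names, sysfs_names):
    """Names in /sys/module that /proc/modules does not list. A module that
    removes itself from the kernel's module list to dodge lsmod usually
    leaves its sysfs directory behind."""
    return sorted(set(sysfs_names) - set(proc_names))


def sysfs_loadable_modules(root="/sys/module"):
    """Names of loadable modules exposed in sysfs. Only loadable modules carry
    an 'initstate' attribute, which keeps built-in code out of the result."""
    try:
        entries = os.listdir(root)
    except OSError:
        return []
    return [normalise(n) for n in entries
            if os.path.exists(os.path.join(root, n, "initstate"))]


def triage(lsmod_text, proc_names, sysfs_names, known):
    """Combine both checks into one report dict."""
    return {
        "unknown": find_unknown_modules(parse_lsmod(lsmod_text), known),
        "hidden": find_hidden_modules(proc_names, sysfs_names),
    }


if __name__ == "__main__":
    release = os.uname().release
    known = index_module_tree(release) or SAMPLE_KNOWN
    try:
        with open("/proc/modules") as fh:
            proc_names = parse_proc_modules(fh.read())
    except OSError:
        proc_names = parse_lsmod(SAMPLE_LSMOD)
    report = triage(SAMPLE_LSMOD, proc_names, sysfs_loadable_modules(), known)
    print(report)
```

Run as-is, the script reports "security" as unknown for the sample listing; on a real host, swap SAMPLE_LSMOD for the output of lsmod and let the module tree index and sysfs listing come from the live system. A name in the unknown list is not proof of a rootkit (DKMS and vendor modules live out of tree too), but it is the short list worth pulling with modinfo and comparing against package-manager records.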
