Shellcoders Programming Uncovered (Uncovered series)

Console versions of utilities such as ps or top can be easily deceived using a long chain of blank characters or <CR> characters overwriting the original name . This method is not suitable for deceiving an experienced administrator. Furthermore, this technique is powerless against K Desktop Environment (KDE) monitors . However, it is possible to disguise as some innocent process such as vi or bash . To tell the truth, the situation is not as simple as it seems! Nowadays, practically no one works in vi . And where does an "extra" shell come from? A vigilant administrator will notice this immediately. However, if the hacker is lucky enough, this might not happen. After all, lots of users have several copies of shells running, and no one counts them. Also, it is possible to insert into some user process using ptrace ” and it is practically impossible to find hacker there.

If worst comes to worst, the hacker can abandon any concealment . There are lots of processes in the system, and it isn't possible to trace all of them. The main issue is periodically splitting the hacker's process into two ones and killing the original process. This blinds the top utility that informs administrator how long a specific process executed.

It should be mentioned that:

• Adore and many other rootkits do not work on the systems that boot from read-only media (LiveCD, in particular), resulting in DoS.

• Adore and many other rootkits do not work on multiprocessor systems (and practically all servers are multiprocessor machines). This is because they mess with the scheduler instead of trapping system calls or proc_root .

• Adore and many other rootkits do not contain the MODULE_LICENSE("GPL") string, which makes the system display warnings when they are loaded.

Interesting Links Related to the Stealth Technique

• Linux Kernel Internals . An excellent book created by a team of brainy German guys. It describes Linux kernel internals clearly and without irrelevant digressions (in English).

• " (Nearly) Complete Linux Loadable Kernel Modules ." A hacker's manual on writing modules for Linux and FreeBSD. It candidly describes viruses and rootkits. Available at http://packetstormsecurity.org/docs/hack/LKM_HACKING.html .

• " Direct Kernel Object Manipulation ." A presentation from the Black Hat conference, explaining how files, processes, and network connections can be disguised under Windows and Linux. Available at http://www.blackhat.com/presentations/bh-europe-04/bh-eu-04- butler .pdf .

• " Abuse of the Linux Kernel for Fun and Profit " in Phrack, issue 50. An article about development of LKMs and trapping system calls under older Linux versions.

• " Weakening the Linux Kernel " in Phrack, issue 52. An excellent article explaining how to conceal LKMs for disguising files, processes, and network connections under older versions of Linux.

• " Sub proc_root Quando Sumus " in Phrack, issue 58. A brief description of the technique of installing a custom filter over VFS.

• " Linux On-the-Fly Kernel Patching without LKM " in Phrack, issue 58. Trapping system calls without LKMs and symbolic information.

• " Infecting Loadable Kernel Modules " in Phrack, issue 61. Infection of LKMs.

• " Kernel Rootkit Experiences " in Phrack, issue 61. An article written by Stealth (the author of the well-known Adore), describing his experience of creating LKM rootkits.