Linux Forensics Ebook

What are Rootkits and how to detect them

Rootkits are among the worst things that can happen to a system and one of the most dangerous kinds of attack: more dangerous than ordinary malware and viruses, both in the damage they cause to the system and in how hard they are to find and detect. A rootkit can stay on your system for a long time without the user even noticing, and it can cause serious damage in that time.

The word “rootkit” originally comes from the world of Unix systems, where root is the user with the most access privileges on the system, while kit refers to the set of malicious tools it contains: keyloggers, banking credential stealers, password stealers, antivirus disablers, bots for DDoS attacks, and so on. Put the two together and you get rootkit.

They are designed to remain hidden while doing malicious things such as intercepting internet traffic and stealing credit card and online banking information. Rootkits give cybercriminals control of your computer system with full administrative access; they also let the attacker monitor your keystrokes and disable your antivirus software, which makes stealing your secret information even easier.

How do RootKits get in the system?

Rootkits, depending on their type, are generally unable to spread by themselves. They are therefore spread by the attacker using tactics that keep the user from noticing that anything is wrong with the system, usually by hiding them inside devious software that looks legitimate and may even be functional. Once you grant that software permission to install on your system, the rootkit quietly slips inside, where it may lie low until the attacker activates it. Rootkits are very hard to identify because they can hide from users, administrators, and most antivirus products. In short, once a system is compromised by a rootkit, the scope for malicious activity is very wide.

Social Engineering:

The attacker tries to obtain root/administrator access by exploiting known vulnerabilities or by using social engineering. Cybercriminals employ social engineering to get the job done: they try to get rootkits onto the user’s system through phishing links and email scams, by redirecting the user to malicious websites, or by patching the rootkit into legitimate software that looks normal to the naked eye. It is important to know that rootkits do not always need the user to run a malicious executable to sneak in; sometimes all it takes is for the user to open a PDF or Word document.

Types of RootKits:

To understand the types of rootkits properly, we first need to picture the system as a set of concentric rings.

  • At the center is the kernel, known as ring zero. The kernel has the highest level of privilege over the computer system: it has access to all the information and can operate on the system as it wants.
  • Ring 1 and ring 2 are reserved for less privileged processes. If one of these rings fails, the only processes affected are the ones that ring 3 depends upon.
  • Ring 3 is where the user resides. It is user mode, with a strict hierarchy of privilege access.

Critically, a process running in a more privileged ring can drop its privileges and run in an outer ring, but this cannot work the other way around without the explicit consent of the operating system’s security mechanisms. Where such mechanisms can be bypassed, a privilege escalation vulnerability is said to exist. The two most prominent types of rootkits are:

User Mode Rootkits:

Rootkits of this category operate at the low-privileged user level of the operating system. As stated before, rootkits let attackers keep their hold over the system by providing a backdoor channel; a user-mode rootkit generally modifies important user-level applications, thereby hiding itself as well as providing backdoor access. There are many rootkits of this type for both Windows and Linux.

Linux user-mode RootKits:

Many Linux user-mode rootkits are available nowadays. They are used, for example:

  • To gain remote access to the target’s machine: login services like ‘login’ and ‘sshd’ are modified by the rootkit to include a backdoor. Attackers can then reach the target’s machine simply by connecting to that backdoor. Remember that the attacker has already exploited the machine; he just added a backdoor so he can come back another time.
  • To perform a privilege escalation attack: the attacker modifies commands like ‘su’ and ‘sudo’ so that when he uses them through the backdoor he gets root-level access to services.
  • To hide their presence during an attack by:
    • Process hiding: commands that show data about the processes running on the machine, like ‘ps’, ‘pidof’ and ‘top’, are modified so that the attacker’s processes are not listed among the other running processes. Additionally, the ‘killall’ command is typically changed so that the attacker’s process cannot be killed, and ‘crontab’ is changed so that malicious processes run at a specific time without any visible change in crontab’s configuration.
    • File hiding: hiding their presence from commands like ‘ls’ and ‘find’, and also from the ‘du’ command, which would show the disk usage of the attacker’s files.
    • Event hiding: hiding from the system logs by modifying the ‘syslog.d’ configuration so that their activity is not logged in those files.
    • Network hiding: hiding from commands like ‘netstat’ and ‘iftop’, which show active connections. Commands like ‘ifconfig’ are also modified to erase their presence.
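
Two defender-side cross-checks for the hiding techniques above (process hiding and trojaned binaries), added here as an example and not taken from the ebook: compare the PIDs the kernel exposes in /proc with what the possibly trojaned ps reports, and verify binaries against the MD5 sums dpkg recorded at install time. The /proc and dpkg md5sums paths and format are real; the sample inputs in the test are constructed.

```python
#!/usr/bin/env python3
"""Cross-view checks for user-mode rootkits (added example, not the ebook's code).

A trojaned `ps` can drop the attacker's PIDs from its listing, but the kernel
still exposes every task as a numeric directory under /proc.  A trojaned
/bin/ls no longer matches the MD5 that dpkg stored in
/var/lib/dpkg/info/<package>.md5sums when the package was installed.
(A kernel-mode rootkit can also filter /proc itself; these checks target
tampering with the user-level tools described above.)
"""
import hashlib
import os
import subprocess
from pathlib import Path


def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs present in /proc both before and after `ps` ran, yet absent from its
    output.  Requiring both snapshots discards processes that started or exited
    while `ps` was running, the usual cause of chkproc-style false alarms."""
    stable = set(proc_before) & set(proc_after)
    return sorted(stable - set(ps_pids))


def snapshot_proc(proc_root="/proc"):
    """PIDs the kernel reports directly, bypassing the (untrusted) ps binary."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps():
    """PIDs as reported by ps, the view a user-mode rootkit would tamper with."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def parse_md5sums(text):
    """Parse dpkg's md5sums format: '<md5hex>  <path relative to />' per line."""
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel_path = line.split(None, 1)
            expected[rel_path.strip()] = digest.lower()
    return expected


def verify_md5sums(expected, root="/"):
    """Return {path: 'ok' | 'modified' | 'missing'} for every recorded file."""
    results = {}
    for rel_path, digest in expected.items():
        full = Path(root) / rel_path
        if not full.is_file():
            results[rel_path] = "missing"
            continue
        actual = hashlib.md5(full.read_bytes()).hexdigest()
        results[rel_path] = "ok" if actual == digest else "modified"
    return results


if __name__ == "__main__":
    before = snapshot_proc()
    seen_by_ps = pids_from_ps()
    after = snapshot_proc()
    print("PIDs hidden from ps:", hidden_pids(before, seen_by_ps, after) or "none")
    # coreutils ships ls, du and friends on Debian/Ubuntu; verify that package.
    sums = Path("/var/lib/dpkg/info/coreutils.md5sums")
    if sums.exists():
        report = verify_md5sums(parse_md5sums(sums.read_text()))
        bad = {p: s for p, s in report.items() if s != "ok"}
        print("coreutils files not matching dpkg:", bad or "none")
```

On an RPM-based system the equivalent record is queried with rpm -V; the comparison logic is the same.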

Kernel-mode Rootkits:

Before moving on to kernel-mode rootkits, we will first look at how the kernel works and how it handles requests. The kernel lets applications use the hardware resources. As discussed under the rings concept, ring 3 applications cannot directly access a more secure, higher-privileged ring, i.e. ring 0; they depend on system calls, which they issue through subsystem libraries. So the flow is something like this:

User mode >> System Libraries >> System Call Table >> Kernel

What an attacker does is alter the System Call Table, loading his code with insmod, and then map its entries to malicious instructions. Once he has inserted the malicious kernel code, the flow looks like this:

User mode >> System Libraries >> Altered System Call Table >> Malicious Kernel Code

What we will see now is how this System Call Table is altered and how the malicious code can be inserted.

  • Kernel modules: the Linux kernel is designed to load external kernel modules to extend its functionality, inserting code at the kernel level. This gives attackers a convenient way to inject malicious code directly into the kernel.
  • Changing the kernel file: when the Linux kernel is not configured to load external modules, the kernel file can instead be altered in memory or on the hard disk.
  • The file exposing the kernel’s memory image is /dev/kmem. The live running kernel code is reachable through that file, and altering it does not even require a system reboot.
  • If memory cannot be altered, the kernel file on the hard disk can be. The file holding the kernel on disk is vmlinuz, which can only be read and altered by root. Remember that in this case a system reboot is required before the new code executes. Changing the kernel file does not require going from ring 3 to ring 0; it just needs root permissions.
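
A defender-side check for the kernel-module route described above, added here as an example and not taken from the ebook: a module that unlinks itself from the kernel’s module list disappears from /proc/modules, but its sysfs directory under /sys/module/<name> (the one carrying an initstate file, which built-in code does not get) usually remains, and the kernel.modules_disabled sysctl tells you whether further module loading has been locked out. The /proc/modules sample text in the test is constructed.

```python
#!/usr/bin/env python3
"""Spot kernel modules hidden from /proc/modules and report whether module
loading is still possible (added example, not the ebook's own code)."""
from pathlib import Path


def parse_proc_modules(text):
    """/proc/modules lines look like: 'ext4 737280 1 - Live 0xffffffffc0a00000'.
    Only the first field, the module name, matters here."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def loaded_modules_in_sysfs(sys_module="/sys/module"):
    """Names under /sys/module that belong to loadable modules.  Built-in code
    with parameters also gets a directory there, but only modules loaded with
    insmod/modprobe carry an 'initstate' attribute, so filter on it."""
    root = Path(sys_module)
    if not root.is_dir():
        return set()
    return {d.name for d in root.iterdir() if (d / "initstate").is_file()}


def hidden_modules(sysfs_loaded, proc_listed):
    """Modules sysfs still knows about but /proc/modules no longer lists."""
    return sorted(set(sysfs_loaded) - set(proc_listed))


def module_loading_locked(sysctl="/proc/sys/kernel/modules_disabled"):
    """True when kernel.modules_disabled=1: no further modules can be loaded
    until reboot, which closes the insmod route used by LKM rootkits."""
    try:
        return Path(sysctl).read_text().strip() == "1"
    except OSError:
        return False


if __name__ == "__main__":
    listed = parse_proc_modules(Path("/proc/modules").read_text())
    hidden = hidden_modules(loaded_modules_in_sysfs(), listed)
    print("modules in sysfs but not in /proc/modules:", hidden or "none")
    print("module loading locked (kernel.modules_disabled=1):",
          module_loading_locked())
```

A more careful rootkit removes its sysfs entry as well, so an empty result is not proof of absence; this catches the simpler list-unlinking variant. Note also that kernels from 5.13 onward no longer provide /dev/kmem at all, which removes the in-memory patching route the text describes.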

An excellent example of a kernel rootkit is the SmartService rootkit. It prevents users from launching any antivirus software and hence serves as a bodyguard for all other malware and viruses. It was a notorious, devastating rootkit up to mid-2017.

Chkrootkit:

These types of malware can stay on your system for a long time without the user even noticing, and they can cause serious damage: once a rootkit is detected there is often no other way than to reinstall the whole system, and sometimes it can even cause hardware failure.

Luckily, there are tools that help detect a variety of known rootkits on Linux systems, such as Lynis, ClamAV and LMD (Linux Malware Detect). You can check your system for known rootkits with chkrootkit using the commands below:

First of all, we need to install Chkrootkit by using the command:

ubuntu@ubuntu:~$ sudo apt install chkrootkit

This installs the chkrootkit tool, and you can use it to check for rootkits with:

ubuntu@ubuntu:~$ sudo chkrootkit
ROOTDIR is `/'
 
Checking `amd'...                                           not found
Checking `chsh'...                                          not infected
Checking `cron'...                                          not infected
Checking `crontab'...                                       not infected
Checking `date'...                                          not infected
Checking `du'...                                            not infected
Checking `dirname'...                                       not infected
Checking `su'...                                            not infected
Checking `ifconfig'...                                      not infected
Checking `inetd'...                                         not infected
Checking `inetdconf'...                                     not found
Checking `identd'...                                        not found
Checking `init'...                                          not infected
Checking `killall'...                                       not infected
Checking `login'...                                         not infected
Checking `ls'...                                            not infected
Checking `lsof'...                                          not infected
Checking `passwd'...                                        not infected
Checking `pidof'...                                         not infected
Checking `ps'...                                            not infected
Checking `pstree'...                                        not infected
Checking `rpcinfo'...                                       not found
Checking `rlogind'...                                       not found
Checking `rshd'...                                          not found
Checking `slogin'...                                        not infected
Checking `sendmail'...                                      not found
Checking `sshd'...                                          not found
Checking `syslogd'...                                       not tested
Checking `aliens'...                                        no suspect files
Searching for sniffer's logs, it may take a while...        nothing found
Searching for rootkit HiDrootkit's default files...         nothing found
Searching for rootkit t0rn's default files...               nothing found
Searching for t0rn's v8 defaults...                         nothing found
Searching for rootkit Lion's default files...               nothing found
Searching for rootkit RSHA's default files...               nothing found
Searching for rootkit RH-Sharpe's default files...          nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
The following suspicious files and directories were found:
/usr/lib/debug/.build-id /lib/modules/5.3.0-45-generic/vdso/.build-id /lib/modules/5.3.0-46-generic/vdso/.build-id

Searching for LPD Worm files and dirs...                    nothing found
Searching for Ramen Worm files and dirs...                  nothing found
Searching for Maniac files and dirs...                      nothing found
Searching for RK17 files and dirs...                        nothing found
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `rexedcs'...                                       not found
Checking `sniffer'...       lo: not promisc and no packet sniffer sockets
vmnet1: not promisc and no packet sniffer sockets
vmnet2: not promisc and no packet sniffer sockets
vmnet8: not promisc and no packet sniffer sockets
bnep0: PACKET SNIFFER(/sbin/dhclient[432])
Checking `w55808'...                                        not infected
Checking `wted'...                                          chk wtmp: nothing deleted
Checking `scalper'...                                       not infected
Checking `slapper'...                                       not infected
Checking `z2'...                                            chk lastlog: nothing deleted
Checking `chkutmp'...     The tty of the following user process(es) was not found
in /var/run/utmp !
! RUID          PID TTY    CMD
! 101 0 es=v8_context_snapshot_data:100,v8101 --msteams-process-type=notificationsManager
! ess-type=pluginHost       0 ta:100,v8_natives_data:101
! root         3936 pts/0  /bin/sh /usr/sbin/chkrootkit
! root         4668 pts/0  ./chkutmp
! root         4670 pts/0  ps axk tty,ruser,args -o tty,pid,user,args
! root         4669 pts/0  sh -c ps axk "tty,ruser,args" -o "tty,pid,user,args"
! root         3934 pts/0  sudo chkrootkit
! usman        3891 pts/0  bash
chkutmp: nothing deleted

chkrootkit is a shell script that checks the system binaries in the system path for malicious modification; it also includes some programs that check for various other security issues. In the case above it checked for signs of a rootkit on the system and found none, which is a good sign. Two lines in the output are still worth a second look rather than being dismissed: “chkproc: Warning: Possible LKM Trojan installed” is a well-known false alarm that chkproc raises when a process starts or exits while it compares the output of ps against /proc, and “bnep0: PACKET SNIFFER(/sbin/dhclient[432])” is expected because the DHCP client legitimately opens a packet socket. If either warning points at a program you cannot account for, verify it by hand (compare /proc with ps yourself and check which binary owns the socket) before trusting the clean result.

Rkhunter (RootkitHunter):

Another awesome tool for hunting a variety of rootkits and local exploits on an operating system is rkhunter.

First of all, we need to install Rkhunter by using the command:

ubuntu@ubuntu:~$ sudo apt install rkhunter

This installs the rkhunter tool, and you can use it to check for known rootkits with:

ubuntu@ubuntu:~$ sudo rkhunter --check --enable rootkits
Checking for rootkits...
Performing check of known rootkit files and directories
55808 Trojan - Variant A                                 [ Not found ]
ADM Worm                                                 [ Not found ]
AjaKit Rootkit                                           [ Not found ]
Adore Rootkit                                            [ Not found ]
aPa Kit                                                  [ Not found ]
Apache Worm                                              [ Not found ]
Ambient (ark) Rootkit                                    [ Not found ]
Balaur Rootkit                                           [ Not found ]
BeastKit Rootkit                                         [ Not found ]
beX2 Rootkit                                             [ Not found ]
BOBKit Rootkit                                           [ Not found ]
cb Rootkit                                               [ Not found ]
CiNIK Worm (Slapper.B variant)                           [ Not found ]
Danny-Boy's Abuse Kit                                    [ Not found ]
Devil RootKit                                            [ Not found ]
Diamorphine LKM                                          [ Not found ]
Dica-Kit Rootkit                                         [ Not found ]
Dreams Rootkit                                           [ Not found ]
Duarawkz Rootkit                                         [ Not found ]
Ebury backdoor                                           [ Not found ]
Enye LKM                                                 [ Not found ]
Flea Linux Rootkit                                       [ Not found ]
Fu Rootkit                                               [ Not found ]
Fuck`it Rootkit                                          [ Not found ]
GasKit Rootkit                                           [ Not found ]
Heroin LKM                                               [ Not found ]
HjC Kit                                                  [ Not found ]
ignoKit Rootkit                                          [ Not found ]
IntoXonia-NG Rootkit                                     [ Not found ]
Irix Rootkit                                             [ Not found ]
Jynx Rootkit                                             [ Not found ]
Jynx2 Rootkit                                            [ Not found ]
KBeast Rootkit                                           [ Not found ]
Kitko Rootkit                                            [ Not found ]
Knark Rootkit                                            [ Not found ]
ld-linuxv.so Rootkit                                     [ Not found ]
Li0n Worm                                                [ Not found ]
Lockit / LJK2 Rootkit                                    [ Not found ]
Mokes backdoor                                           [ Not found ]
Mood-NT Rootkit                                          [ Not found ]
MRK Rootkit                                              [ Not found ]
Ni0 Rootkit                                              [ Not found ]
Ohhara Rootkit                                           [ Not found ]
Optic Kit (Tux) Worm                                     [ Not found ]
Oz Rootkit                                               [ Not found ]
Phalanx Rootkit                                          [ Not found ]
Phalanx2 Rootkit                                         [ Not found ]
Phalanx Rootkit (extended tests)                        [ Not found ]
Portacelo Rootkit                                        [ Not found ]
R3d Storm Toolkit                                         [ Not found ]
RH-Sharpe's Rootkit                                      [ Not found ]
RSHA's Rootkit                                           [ Not found ]
Scalper Worm                                             [ Not found ]
Sebek LKM                                                [ Not found ]
Shutdown Rootkit                                         [ Not found ]
SHV4 Rootkit                                             [ Not found ]
SHV5 Rootkit                                             [ Not found ]
Sin Rootkit                                              [ Not found ]
Slapper Worm                                             [ Not found ]
Sneakin Rootkit                                          [ Not found ]
'Spanish' Rootkit                                        [ Not found ]
Suckit Rootkit                                           [ Not found ]
Superkit Rootkit                                         [ Not found ]
TBD (Telnet BackDoor)                                    [ Not found ]
TeLeKiT Rootkit                                          [ Not found ]
T0rn Rootkit                                             [ Not found ]
trNkit Rootkit                                           [ Not found ]
Trojanit Kit                                             [ Not found ]
Tuxtendo Rootkit                                         [ Not found ]
URK Rootkit                                              [ Not found ]
Vampire Rootkit                                          [ Not found ]
VcKit Rootkit                                            [ Not found ]
Volc Rootkit                                             [ Not found ]
Xzibit Rootkit                                           [ Not found ]
zaRwT.KiT Rootkit                                        [ Not found ]
ZK Rootkit                                               [ Not found ]

This checks your system for a large number of known rootkits. To also check the system commands and all other types of malicious files on your system, run the following command:

ubuntu@ubuntu:~$ sudo rkhunter --check --enable all --disable none

If an error occurs, comment out the lines the error refers to in the /etc/rkhunter.conf file and it will run smoothly.

Conclusion:

Rootkits can do serious, irreversible damage to an operating system. A rootkit contains a variety of malicious tools such as keyloggers, banking credential stealers, password stealers, antivirus disablers, or bots for DDoS attacks. The software remains hidden on the computer and keeps working for the attacker, who can access the victim’s system remotely. Our first priority after detecting a rootkit should be to change all of the system’s passwords. You can patch all the weak links, but the best course is to completely wipe and reformat the drive, as you never know what is still inside the system.

About the author

Usama Azad

A security enthusiast who loves the terminal and open source. My areas of expertise are Python, Linux (Debian), Bash, penetration testing, and firewalls. I was born and raised in Wazirabad, Pakistan, and I am currently doing my undergraduate degree at the National University of Science and Technology (NUST). On Twitter I go by @UsamaAzad14.