SlideShare ist ein Scribd-Unternehmen logo

OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity

Als PPTX, PDF herunterladen
Andrew Case
Andrew Case
Technologie
1 von 47
Analyzing Linux Rootkits with Volatility Andrew Case / @attrc
Who Am I? • Digital Forensics Researcher @ Terremark • Volatility Core Developer & Registry Decoder Co-Developer • Former Blackhat, DFRWS, BSides, and SOURCE speaker 2
Linux Support for Volatility • New in 2.2 • Over 30 plugins • Supports x86 and x86_64 • Profiles for common kernel versions [4] – You can also make your own [5] 3
Analyzing Average Coder [1] • Loads as an LKM • Hides processes, logged in users, and kernel modules • Operates by overwriting file_operation structures in the kernel 4
file_operations • One for each active file in the kernel • Has function pointers open, close, read, readdir, write, and so on • Referenced every time a file is accessed by the kernel • By hooking a file’s ops structure, a rootkit can control all interactions with the file 5
Hiding the Kernel Module • Average Coder hides itself by hooking the read member of /proc/modules • This is the file used by lsmod to list modules • This effectively hides from lsmod and the majority of other userland tools 6
Hiding Processes • There is one directory per-process under /proc, named by the PID – e.g. init has a directory of /proc/1/ • To hide processes, the readdir member of /proc is hooked • PIDs to be hidden are filtered out 7
Communicating with Userland • Average coder receives commands from the attacker through /proc/buddyinfo • Hooks the write member which normally is unimplemented 8
Possible Commands • hide – hide the LKM • hpid – hide process • hdport / hsport – hide network ports • huser – hide user • root – elevate process to uid 0 9
Detecting f_op hooks • The linux_check_fop plugin enumerates the /proc filesystem and all opened files and verifies that each member of every file ops structure is valid • Valid means the function pointer is either in the kernel or in a known (not hidden) loadable kernel module 10
# python vol.py -f avgcoder.mem --profile=LinuxCentOS63x64 linux_check_fop Volatile Systems Volatility Framework 2.2_rc1 Symbol Name Member Address ------------------------ ---------------- ------------------ proc_mnt: root readdir 0xffffa05ce0e0 buddyinfo write 0xffffa05cf0f0 modules read 0xffffa05ce8a0 11
Hiding Users • /var/run/utmp stores logged in users • Avg Coder uses path_lookup to find the inode structure for this file • It then hooks the read member of the i_fop structure to filter out hidden users from w and who 12
Detecting utmp Tampering – Pt 1 • To determine if the file is hooked, we need to find it in memory • We use the linux_find_file plugin with the –F option • This simulates path_lookup 13
# python vol.py -f avgcoder.mem -- profile=LinuxCentOS63x64 linux_find_file -F "/var/run/utmp" Volatile Systems Volatility Framework 2.2_rc1 Inode Number Inode ---------------- ------------------ 130564 0x88007a85acc0 14
Detecting utmp Tampering – Pt 2 • We now know where the inode is in memory • We can use the -i option to linux_check_fop to check a particular inode 15
# python vol.py -f avgcoder.mem -- profile=LinuxCentOS63x64 linux_check_fop -i 0x88007a85acc0 Volatile Systems Volatility Framework 2.2_rc1 Symbol Name Member Address ----------------------------- ---------------- ------------------ inode at 88007a85acc0 read 0xffffa05ce4d0 16
Detecting utmp Tampering – Pt 3 • We know utmp is hooked • Our live system analysis, whether manual or scripted, will have been lied to • So we want to recover the real file 17
Recovering utmp # python vol.py -f avgcoder.mem -- profile=LinuxCentOS63x64 linux_find_file -i 0x88007a85acc0 -O utmp # who utmp centoslive tty1 2013-08-09 16:26 (:0) centoslive pts/0 2013-08-09 16:28 (:0.0) 18
.bash_history • Stores the commands entered by users on the bash command line • Invaluable forensics artifact • Often the focus of anti-forensics: – unset HISTFILE – export HISTFILE=/dev/null – export HISTSIZE=0 – ssh -T 19
Bash History in Memory [2] • All commands in the current session are stored in-memory regardless of the previous anti-forensics tricks used • The times the commands were executed are also stored in memory regardless if timestamps are enabled! • Recovering this information would be interesting… 20
Recovering Bash # python vol.py -f avgcoder.mem --profile=LinuxCentOS63x64 linux_bash -H 0x6e0950 Volatile Systems Volatility Framework 2.2_rc1 Command Time Command -------------------- ------- #1376085128 sudo insmod rootkit.ko #1376085176 echo "hide" > /proc/buddyinfo #1376085180 lsmod | grep root #1376085194 w #1376085218 echo "huser centoslive" > /proc/buddyinfo #1376085220 w #1376085229 sleep 900 & #1376085241 echo "hpid 2872" > /proc/buddyinfo #1376085253 ps auwx | grep sleep 21
</Average Coder> • Detected the rootkit many ways • The techniques shown are applicable to a number of rootkits 22
Analyzing KBeast [3] • Loads as an LKM • Hides processes, files, directories, and network connections and provides keylogging capabilities • Gains control by hooking the system call table and /proc/net/tcp • Hides itself from modules list 23
Hiding the Module • Removes itself from the modules list • Rootkit stays active but is not detected by lsmod • Many other rootkits use this technique 24
Detection through sysfs • sysfs provides a kernel-to-userland interface similar to /proc • /sys/module contains a directory per kernel module, named by the name of the module 25
linux_check_modules • The linux_check_modules plugin leverages sysfs to detect the hidden module • Gathers the modules list and every directory under /sys/modules and compares the names • No known rootkit hides itself from sysfs 26
# python vol.py -f kbeast.this -- profile=LinuxDebianx86 linux_check_modules Volatile Systems Volatility Framework 2.2_rc1 Module Name ----------- ipsecs_kbeast_v1 27
System Call Table Hooking • KBeast hooks a number of system calls in order to hide attacker activity • read, write, getdents, kill, open, unlink, and more… • These hooks allow the rootkit to alter control flow over a wide range of userland activity 28
# python vol.py -f ../this.k.lime --profile=Linuxthisx86 linux_check_syscall > ksyscall # head -6 ksyscall Table Name Index Address Symbol ---------- ---------- ---------- ------------------------------ 32bit 0x0 0xc103ba61 sys_restart_syscall 32bit 0x1 0xc103396b sys_exit 32bit 0x2 0xc100333c ptregs_fork 32bit 0x3 0xe0fb46b9 HOOKED # grep –c HOOKED ksyscall 10 29
Hiding Network Connections • KBeast hooks the show member of tcp4_seq_afinfo • This is a sequence operations structure used to populate /proc/net/tcp • netstat uses this to list connections • Hidden connections are simply filtered out from reading 30
Validating Network Ops Structures • The linux_check_afinfo plugin checks the file operations and sequence operations of: – tcp6_seq_afinfo – tcp4_seq_afinfo – udplite6_seq_afinfo – udp6_seq_afinfo – udplite4_seq_afinfo – udp4_seq_afinfo 31
# python vol.py -f kbeast.lime --profile=LinuxDebianx86 linux_check_afinfo Volatile Systems Volatility Framework 2.2_rc1 Symbol Name Member Address ----------- ------ ---------- tcp4_seq_afinfo show 0xe0fb9965 32
</KBeast> 33
Jynx / LD_PRELOAD • LD_PRELOAD is an env variable that, when set, loads a shared library into every process • Any function defined in the pre-loaded library is called before the real function • Very powerful for debugging purposes and abused by many malware samples 34
Jynx/Jynx 2 • Popular LD_PRELOAD based malware sample • Hooks all functions related to reading the filesystem and network – open/opendir/stat/fstat/fopen – unlink/access – accept • Uses the accept hook to implement a network-based backdoor 35
# python vol.py -f jynx.mem -- profile=LinuxUbuntu1204x64 linux_proc_maps > all_proc_maps # grep -c jynx2.so all_proc_maps 364 # grep jynx2.so all_proc_maps | head -3 0x7fb809b61000-0x7fb809b67000 r-x 0 8: 1 655368 /XxJynx/jynx2.so 0x7fb809b67000-0x7fb809d66000 --- 24576 8: 1 655368 /XxJynx/jynx2.so 0x7fb809d66000-0x7fb809d67000 r-- 20480 8: 1 655368 /XxJynx/jynx2.so 36
# python vol.py -f jynx.lime --profile=Linuxthisx86 linux_pstree <snip> .nc 3047 0 ..bash 3048 0 <snip> 37
# python vol.py -f jynx.lime --profile=Linuxthisx86 linux_netstat -p 3047,3048 Volatile Systems Volatility Framework 2.2_rc1 TCP 0.0.0.0:12345 0.0.0.0:0 LISTEN nc/3047 TCP 0.0.0.0:12345 0.0.0.0:0 LISTEN bash/3048 TCP 192.168.181.128:12345 192.168.181.129:42 ESTABLISHED nc/3047 TCP 192.168.181.128:12345 192.168.181.129:42 ESTABLISHED bash/3048 38
Recovering the Shared Object • linux_find_file can recover the entire shared object • Can then do binary analysis to determine what functions are hooked, password to the backdoor, etc [6] 39
Other Plugins • A number of other Volatility plugins can be used to perform and to aid in malware analysis • Use in conjunction with each other to get the best results! 40
Networking Plugins • linux_ifconfig – Lists if interface is in promiscuous mode • linux_arp – Prints the ARP cache (detect lateral movement) • linux_route_cache – Prints the routing cache (external IP addresses communicated with) 41
Networking Plugins Cont. • sk_buff_cache – Recover packets from the kmem_cache • pkt_queues – Recover queued packets on open/active sockets 42
File Access & Mappings • linux_dentry_cache – Recover the full path and metadata of accessed files • linux_vma_cache – Recovering files mapped into processes (shared libraries, mmap’d data files, etc) 43
Processes • linux_psaux – Recover command line arguments • linux_pslist_cache – Recovers processes from the kmem_cache (including exited ones) • linux_pidhashtable – Recovers processes from the pid hash table • linux_psxview – Lists all processes and if they are found in process list, cache, and/or hash table 44
Conclusion • Volatility’s Linux support provides powerful rootkit & IR analysis • We did not even cover all the plugins… • Exciting features to come soon related to Android processing! 45
The End • Volatility: – http://volatility-labs.blogspot.com/ – http://code.google.com/p/volatility/ – @volatility • Me – http://www.memoryanalysis.net – @attrc 46
References [1] http://average-coder.blogspot.com/2011/12/linux-rootkit.html [2] http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder- rootkit-bash.html [3] http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit- detecting-hidden.html [4] http://code.google.com/p/volatility/wiki/LinuxProfiles [5] http://code.google.com/p/volatility/wiki/LinuxMemoryForensics [6] http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx- rootkit-and.html 47

Empfohlen

Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
Ericas-Linux-Plus-Study-Guide
Ericas-Linux-Plus-Study-GuideEricas-Linux-Plus-Study-Guide
Ericas-Linux-Plus-Study-GuideErica StJohn
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internalsmukul bhardwaj
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]RootedCON
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernelMorteza Nourelahi Alamdari
 

Empfohlen

Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
Ericas-Linux-Plus-Study-Guide
Ericas-Linux-Plus-Study-GuideEricas-Linux-Plus-Study-Guide
Ericas-Linux-Plus-Study-GuideErica StJohn
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Andrew Case
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internalsmukul bhardwaj
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]RootedCON
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernelMorteza Nourelahi Alamdari
 
LINUX System Call Quick Reference
LINUX System Call Quick ReferenceLINUX System Call Quick Reference
LINUX System Call Quick Referencewensheng wei
 
Introduction to UNIX
Introduction to UNIXIntroduction to UNIX
Introduction to UNIXBioinformatics and Computational Biosciences Branch
 
Rhce ppt
Rhce pptRhce ppt
Rhce pptMohammed Ben
 
Linux kernel
Linux kernelLinux kernel
Linux kernelMahmoud Shiri Varamini
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing LandscapeKernel TLV
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 IntroductionMohammed Farrag
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programmingMohammed Farrag
 
AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!Zubair Nabi
 
Linux training
Linux trainingLinux training
Linux trainingartisriva
 
AOS Lab 4: If you liked it, then you should have put a “lock” on it
AOS Lab 4: If you liked it, then you should have put a “lock” on itAOS Lab 4: If you liked it, then you should have put a “lock” on it
AOS Lab 4: If you liked it, then you should have put a “lock” on itZubair Nabi
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentMohammed Farrag
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O SchedulersRajKumar Rampelli
 
IRQs: the Hard, the Soft, the Threaded and the Preemptible
IRQs: the Hard, the Soft, the Threaded and the PreemptibleIRQs: the Hard, the Soft, the Threaded and the Preemptible
IRQs: the Hard, the Soft, the Threaded and the PreemptibleAlison Chaiken
 
Linux IO
Linux IOLinux IO
Linux IOLiran Ben Haim
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkMohammed Farrag
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device DriverGary Yeh
 
Presentation for RHCE in linux
Presentation for RHCE in linux Presentation for RHCE in linux
Presentation for RHCE in linux Kuldeep Tiwari
 
AOS Lab 6: Scheduling
AOS Lab 6: SchedulingAOS Lab 6: Scheduling
AOS Lab 6: SchedulingZubair Nabi
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
AOS Lab 11: Virtualization
AOS Lab 11: VirtualizationAOS Lab 11: Virtualization
AOS Lab 11: VirtualizationZubair Nabi
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Linux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slidesLinux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slidesKASHISH BHATIA
 

Weitere ähnliche Inhalte

Was ist angesagt?

LINUX System Call Quick Reference
LINUX System Call Quick ReferenceLINUX System Call Quick Reference
LINUX System Call Quick Referencewensheng wei
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing LandscapeKernel TLV
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programmingMohammed Farrag
 
AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!Zubair Nabi
 
Linux training
Linux trainingLinux training
Linux trainingartisriva
 
AOS Lab 4: If you liked it, then you should have put a “lock” on it
AOS Lab 4: If you liked it, then you should have put a “lock” on itAOS Lab 4: If you liked it, then you should have put a “lock” on it
AOS Lab 4: If you liked it, then you should have put a “lock” on itZubair Nabi
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentMohammed Farrag
 
IRQs: the Hard, the Soft, the Threaded and the Preemptible
IRQs: the Hard, the Soft, the Threaded and the PreemptibleIRQs: the Hard, the Soft, the Threaded and the Preemptible
IRQs: the Hard, the Soft, the Threaded and the PreemptibleAlison Chaiken
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkMohammed Farrag
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device DriverGary Yeh
 
Presentation for RHCE in linux
Presentation for RHCE in linux Presentation for RHCE in linux
Presentation for RHCE in linux Kuldeep Tiwari
 
AOS Lab 6: Scheduling
AOS Lab 6: SchedulingAOS Lab 6: Scheduling
AOS Lab 6: SchedulingZubair Nabi
 
Linux architecture
Linux architectureLinux architecture
Linux architecturemcganesh
 
AOS Lab 11: Virtualization
AOS Lab 11: VirtualizationAOS Lab 11: Virtualization
AOS Lab 11: VirtualizationZubair Nabi
 

Was ist angesagt? (20)

LINUX System Call Quick Reference
LINUX System Call Quick ReferenceLINUX System Call Quick Reference
LINUX System Call Quick Reference
 
Introduction to UNIX
Introduction to UNIXIntroduction to UNIX
Introduction to UNIX
 
Rhce ppt
Rhce pptRhce ppt
Rhce ppt
 
Linux kernel
Linux kernelLinux kernel
Linux kernel
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing Landscape
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 Introduction
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programming
 
AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!AOS Lab 1: Hello, Linux!
AOS Lab 1: Hello, Linux!
 
Linux training
Linux trainingLinux training
Linux training
 
AOS Lab 4: If you liked it, then you should have put a “lock” on it
AOS Lab 4: If you liked it, then you should have put a “lock” on itAOS Lab 4: If you liked it, then you should have put a “lock” on it
AOS Lab 4: If you liked it, then you should have put a “lock” on it
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O Schedulers
 
IRQs: the Hard, the Soft, the Threaded and the Preemptible
IRQs: the Hard, the Soft, the Threaded and the PreemptibleIRQs: the Hard, the Soft, the Threaded and the Preemptible
IRQs: the Hard, the Soft, the Threaded and the Preemptible
 
Linux IO
Linux IOLinux IO
Linux IO
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device Driver
 
Presentation for RHCE in linux
Presentation for RHCE in linux Presentation for RHCE in linux
Presentation for RHCE in linux
 
AOS Lab 6: Scheduling
AOS Lab 6: SchedulingAOS Lab 6: Scheduling
AOS Lab 6: Scheduling
 
Linux architecture
Linux architectureLinux architecture
Linux architecture
 
AOS Lab 11: Virtualization
AOS Lab 11: VirtualizationAOS Lab 11: Virtualization
AOS Lab 11: Virtualization
 

Ähnlich wie OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity

OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Linux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slidesLinux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slidesKASHISH BHATIA
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guideCraig Cannon
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX SecurityHelpSystems
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case
 
Part 04 Creating a System Call in Linux
Part 04 Creating a System Call in LinuxPart 04 Creating a System Call in Linux
Part 04 Creating a System Call in LinuxTushar B Kute
 
Container security: seccomp, network e namespaces
Container security: seccomp, network e namespacesContainer security: seccomp, network e namespaces
Container security: seccomp, network e namespacesKiratech
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
 
Linux@assignment ppt
Linux@assignment pptLinux@assignment ppt
Linux@assignment pptRama .
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactAlessandro Selli
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerunidsecconf
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxMartin Holovský
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debuggingHao-Ran Liu
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Neeraj Shrimali
 

Ähnlich wie OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity (20)

OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Linux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slidesLinux io introduction-fudcon-2015-with-demo-slides
Linux io introduction-fudcon-2015-with-demo-slides
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
First steps on CentOs7
First steps on CentOs7First steps on CentOs7
First steps on CentOs7
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with Volatility
 
Part 04 Creating a System Call in Linux
Part 04 Creating a System Call in LinuxPart 04 Creating a System Call in Linux
Part 04 Creating a System Call in Linux
 
Container security: seccomp, network e namespaces
Container security: seccomp, network e namespacesContainer security: seccomp, network e namespaces
Container security: seccomp, network e namespaces
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
Introduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra SolutionsIntroduction to Linux Kernel by Quontra Solutions
Introduction to Linux Kernel by Quontra Solutions
 
Linux@assignment ppt
Linux@assignment pptLinux@assignment ppt
Linux@assignment ppt
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compact
 
Linux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
 
Hardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/LinuxHardening Linux, introducing Securix GNU/Linux
Hardening Linux, introducing Securix GNU/Linux
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup.
 

Kürzlich hochgeladen

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Kürzlich hochgeladen (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity

  • 1. Analyzing Linux Rootkits with Volatility Andrew Case / @attrc
  • 2. Who Am I? • Digital Forensics Researcher @ Terremark • Volatility Core Developer & Registry Decoder Co-Developer • Former Blackhat, DFRWS, BSides, and SOURCE speaker 2
  • 3. Linux Support for Volatility • New in 2.2 • Over 30 plugins • Supports x86 and x86_64 • Profiles for common kernel versions [4] – You can also make your own [5] 3
  • 4. Analyzing Average Coder [1] • Loads as an LKM • Hides processes, logged in users, and kernel modules • Operates by overwriting file_operation structures in the kernel 4
  • 5. file_operations • One for each active file in the kernel • Has function pointers open, close, read, readdir, write, and so on • Referenced every time a file is accessed by the kernel • By hooking a file’s ops structure, a rootkit can control all interactions with the file 5
  • 6. Hiding the Kernel Module • Average Coder hides itself by hooking the read member of /proc/modules • This is the file used by lsmod to list modules • This effectively hides from lsmod and the majority of other userland tools 6
  • 7. Hiding Processes • There is one directory per-process under /proc, named by the PID – e.g. init has a directory of /proc/1/ • To hide processes, the readdir member of /proc is hooked • PIDs to be hidden are filtered out 7
  • 8. Communicating with Userland • Average coder receives commands from the attacker through /proc/buddyinfo • Hooks the write member which normally is unimplemented 8
  • 9. Possible Commands • hide – hide the LKM • hpid – hide process • hdport / hsport – hide network ports • huser – hide user • root – elevate process to uid 0 9
  • 10. Detecting f_op hooks • The linux_check_fop plugin enumerates the /proc filesystem and all opened files and verifies that each member of every file ops structure is valid • Valid means the function pointer is either in the kernel or in a known (not hidden) loadable kernel module 10
  • 11. # python vol.py -f avgcoder.mem --profile=LinuxCentOS63x64 linux_check_fop Volatile Systems Volatility Framework 2.2_rc1 Symbol Name Member Address ------------------------ ---------------- ------------------ proc_mnt: root readdir 0xffffa05ce0e0 buddyinfo write 0xffffa05cf0f0 modules read 0xffffa05ce8a0 11
  • 12. Hiding Users • /var/run/utmp stores logged in users • Avg Coder uses path_lookup to find the inode structure for this file • It then hooks the read member of the i_fop structure to filter out hidden users from w and who 12
  • 13. Detecting utmp Tampering – Pt 1 • To determine if the file is hooked, we need to find it in memory • We use the linux_find_file plugin with the –F option • This simulates path_lookup 13
  • 14. # python vol.py -f avgcoder.mem -- profile=LinuxCentOS63x64 linux_find_file -F "/var/run/utmp" Volatile Systems Volatility Framework 2.2_rc1 Inode Number Inode ---------------- ------------------ 130564 0x88007a85acc0 14
  • 15. Detecting utmp Tampering – Pt 2 • We now know where the inode is in memory • We can use the -i option to linux_check_fop to check a particular inode 15
  • 16. # python vol.py -f avgcoder.mem -- profile=LinuxCentOS63x64 linux_check_fop -i 0x88007a85acc0 Volatile Systems Volatility Framework 2.2_rc1 Symbol Name Member Address ----------------------------- ---------------- ------------------ inode at 88007a85acc0 read 0xffffa05ce4d0 16
  • 17. Detecting utmp Tampering – Pt 3 • We know utmp is hooked • Our live system analysis, whether manual or scripted, will have been lied to • So we want to recover the real file 17
  • 18. Recovering utmp # python vol.py -f avgcoder.mem -- profile=LinuxCentOS63x64 linux_find_file -i 0x88007a85acc0 -O utmp # who utmp centoslive tty1 2013-08-09 16:26 (:0) centoslive pts/0 2013-08-09 16:28 (:0.0) 18
  • 19. .bash_history • Stores the commands entered by users on the bash command line • Invaluable forensics artifact • Often the focus of anti-forensics: – unset HISTFILE – export HISTFILE=/dev/null – export HISTSIZE=0 – ssh -T 19
  • 20. Bash History in Memory [2] • All commands in the current session are stored in-memory regardless of the previous anti-forensics tricks used • The times the commands were executed are also stored in memory regardless if timestamps are enabled! • Recovering this information would be interesting… 20
  • 21. Recovering Bash # python vol.py -f avgcoder.mem --profile=LinuxCentOS63x64 linux_bash -H 0x6e0950 Volatile Systems Volatility Framework 2.2_rc1 Command Time Command -------------------- ------- #1376085128 sudo insmod rootkit.ko #1376085176 echo "hide" > /proc/buddyinfo #1376085180 lsmod | grep root #1376085194 w #1376085218 echo "huser centoslive" > /proc/buddyinfo #1376085220 w #1376085229 sleep 900 & #1376085241 echo "hpid 2872" > /proc/buddyinfo #1376085253 ps auwx | grep sleep 21
  • 22. </Average Coder> • Detected the rootkit many ways • The techniques shown are applicable to a number of rootkits 22
  • 23. Analyzing KBeast [3] • Loads as an LKM • Hides processes, files, directories, and network connections and provides keylogging capabilities • Gains control by hooking the system call table and /proc/net/tcp • Hides itself from modules list 23
  • 24. Hiding the Module • Removes itself from the modules list • Rootkit stays active but is not detected by lsmod • Many other rootkits use this technique 24
  • 25. Detection through sysfs • sysfs provides a kernel-to-userland interface similar to /proc • /sys/module contains a directory per kernel module, named by the name of the module 25
  • 26. linux_check_modules • The linux_check_modules plugin leverages sysfs to detect the hidden module • Gathers the modules list and every directory under /sys/modules and compares the names • No known rootkit hides itself from sysfs 26
  • 27. # python vol.py -f kbeast.this -- profile=LinuxDebianx86 linux_check_modules Volatile Systems Volatility Framework 2.2_rc1 Module Name ----------- ipsecs_kbeast_v1 27
  • 28. System Call Table Hooking • KBeast hooks a number of system calls in order to hide attacker activity • read, write, getdents, kill, open, unlink, and more… • These hooks allow the rootkit to alter control flow over a wide range of userland activity 28
  • 29. # python vol.py -f ../this.k.lime --profile=Linuxthisx86 linux_check_syscall > ksyscall # head -6 ksyscall Table Name Index Address Symbol ---------- ---------- ---------- ------------------------------ 32bit 0x0 0xc103ba61 sys_restart_syscall 32bit 0x1 0xc103396b sys_exit 32bit 0x2 0xc100333c ptregs_fork 32bit 0x3 0xe0fb46b9 HOOKED # grep –c HOOKED ksyscall 10 29
  • 30. Hiding Network Connections • KBeast hooks the show member of tcp4_seq_afinfo • This is a sequence operations structure used to populate /proc/net/tcp • netstat uses this to list connections • Hidden connections are simply filtered out from reading 30
  • 31. Validating Network Ops Structures • The linux_check_afinfo plugin checks the file operations and sequence operations of: – tcp6_seq_afinfo – tcp4_seq_afinfo – udplite6_seq_afinfo – udp6_seq_afinfo – udplite4_seq_afinfo – udp4_seq_afinfo 31
  • 32. # python vol.py -f kbeast.lime --profile=LinuxDebianx86 linux_check_afinfo Volatile Systems Volatility Framework 2.2_rc1 Symbol Name Member Address ----------- ------ ---------- tcp4_seq_afinfo show 0xe0fb9965 32
  • 33. </KBeast> 33
  • 34. Jynx / LD_PRELOAD • LD_PRELOAD is an env variable that, when set, loads a shared library into every process • Any function defined in the pre-loaded library is called before the real function • Very powerful for debugging purposes and abused by many malware samples 34
  • 35. Jynx/Jynx 2 • Popular LD_PRELOAD based malware sample • Hooks all functions related to reading the filesystem and network – open/opendir/stat/fstat/fopen – unlink/access – accept • Uses the accept hook to implement a network-based backdoor 35
  • 36. # python vol.py -f jynx.mem -- profile=LinuxUbuntu1204x64 linux_proc_maps > all_proc_maps # grep -c jynx2.so all_proc_maps 364 # grep jynx2.so all_proc_maps | head -3 0x7fb809b61000-0x7fb809b67000 r-x 0 8: 1 655368 /XxJynx/jynx2.so 0x7fb809b67000-0x7fb809d66000 --- 24576 8: 1 655368 /XxJynx/jynx2.so 0x7fb809d66000-0x7fb809d67000 r-- 20480 8: 1 655368 /XxJynx/jynx2.so 36
  • 37. # python vol.py -f jynx.lime --profile=Linuxthisx86 linux_pstree <snip> .nc 3047 0 ..bash 3048 0 <snip> 37
  • 38. # python vol.py -f jynx.lime --profile=Linuxthisx86 linux_netstat -p 3047,3048 Volatile Systems Volatility Framework 2.2_rc1 TCP 0.0.0.0:12345 0.0.0.0:0 LISTEN nc/3047 TCP 0.0.0.0:12345 0.0.0.0:0 LISTEN bash/3048 TCP 192.168.181.128:12345 192.168.181.129:42 ESTABLISHED nc/3047 TCP 192.168.181.128:12345 192.168.181.129:42 ESTABLISHED bash/3048 38
  • 39. Recovering the Shared Object • linux_find_file can recover the entire shared object • Can then do binary analysis to determine what functions are hooked, password to the backdoor, etc [6] 39
  • 40. Other Plugins • A number of other Volatility plugins can be used to perform and to aid in malware analysis • Use in conjunction with each other to get the best results! 40
  • 41. Networking Plugins • linux_ifconfig – Lists if interface is in promiscuous mode • linux_arp – Prints the ARP cache (detect lateral movement) • linux_route_cache – Prints the routing cache (external IP addresses communicated with) 41
  • 42. Networking Plugins Cont. • sk_buff_cache – Recover packets from the kmem_cache • pkt_queues – Recover queued packets on open/active sockets 42
  • 43. File Access & Mappings • linux_dentry_cache – Recover the full path and metadata of accessed files • linux_vma_cache – Recovering files mapped into processes (shared libraries, mmap’d data files, etc) 43
  • 44. Processes • linux_psaux – Recover command line arguments • linux_pslist_cache – Recovers processes from the kmem_cache (including exited ones) • linux_pidhashtable – Recovers processes from the pid hash table • linux_psxview – Lists all processes and if they are found in process list, cache, and/or hash table 44
  • 45. Conclusion • Volatility’s Linux support provides powerful rootkit & IR analysis • We did not even cover all the plugins… • Exciting features to come soon related to Android processing! 45
  • 46. The End • Volatility: – http://volatility-labs.blogspot.com/ – http://code.google.com/p/volatility/ – @volatility • Me – http://www.memoryanalysis.net – @attrc 46
  • 47. References [1] http://average-coder.blogspot.com/2011/12/linux-rootkit.html [2] http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder- rootkit-bash.html [3] http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit- detecting-hidden.html [4] http://code.google.com/p/volatility/wiki/LinuxProfiles [5] http://code.google.com/p/volatility/wiki/LinuxMemoryForensics [6] http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx- rootkit-and.html 47