LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-20-2008, 02:29 AM   #1
trv
LQ Newbie
 
Registered: Oct 2003
Posts: 7

Rep: Reputation: 0
Debug Register Rootkits - How to detect?


Hello,

Recently, Immunity Inc. published a new rootkit, called DR rootkit, available from their homepage along with the sources.

The only other rootkit of this kind is the mood-nt rootkit, developed 2-3 years ago by darkangel, a member of the antifork group (like the guy who made kern_check etc.). It's available from darkangel's website and it's on packetstorm too.

These rootkits use the Debug Registers of the processor to hook system calls and play with the system.

I must say I have not found a "mood-nt analysis" or a "DR rootkit analysis" document anywhere, but I have not dived into their code either (it's not the simplest thing in the world...).


Does anyone have any idea how to detect these rootkits if they are installed on the system? Obviously the traditional checks do not work...

Regards,
trv
 
Old 11-20-2008, 06:38 AM   #2
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86
It seems like you can trust the OS less and less as time goes on. That might mean the best solution is to rely on a different OS. For example, boot to a Live CD and use the find command to look for hidden, out-of-place, or otherwise suspicious files/directories. You could also monitor network traffic. The NSM Wiki has more information on Network Security Monitoring. If you can't trust the OS, I don't think you should rely on it to report accurate results from commands. These approaches don't focus on detecting one particular type of rootkit; they should work with all rootkits.
 
Old 11-20-2008, 05:20 PM   #3
trv
LQ Newbie
 
Registered: Oct 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Well, yes, OK, but those things really do not work with these rootkits...

Anyway, I'm looking for specific details or analysis on debug register rootkits, not general tips!
 
Old 11-20-2008, 06:21 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Rep: Reputation: 2902
Quote:
Originally Posted by trv View Post
those things really do not work with these rootkits..
With all due respect, if you haven't searched for analysis docs or looked at the code, how can you know for sure what works and what doesn't?


Quote:
Originally Posted by trv View Post
I'm looking for specific details or analysis on debug register rootkits
A few minutes worth of searching showed me a nice discussion on DailyDave, an interesting remark by Brad S. elsewhere, some primary-coloured pills, some recent papers on debug registers and suggestions about SMM and hardware. But just being curious, what would you do with that information? Do you have anything to share yourself on the subject by any chance?

And even though DR kits might be hard to detect right now, it isn't something automagical. One still must find a system, find a route into that system, and transition out of userland...
 
Old 11-20-2008, 06:33 PM   #5
trv
LQ Newbie
 
Registered: Oct 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Hello unSpawn. I expected that this thread might draw your attention.

Don't get me wrong here. I'm doing a paper for a project at my university about rootkit technology, and after I've covered everything else, I decided to write some info about this special breed of rootkits that work with the debug registers. Don't think of it as anything too special or some extraordinary research; it's mostly bibliographical.

I'm following DailyDave and I've read some of the generic papers on the subject of debug registers. But that's not what I'm looking for.

Using chkrootkit I was not able to detect those rootkits; I haven't tested rkhunter yet. You maintain it, don't you? So you may be one of the best people to ask...

How can one detect DR rootkits? Of course you can also hook the registers and then the rootkit hooks 'em back etc. But is there any other way? From what I understand, there are no published methods or papers about "detecting debug register rootkits" (like there are for almost every other kind of rootkit).

Again, don't get me wrong, I'm looking into these things for completeness in my paper.
For example, I'm going to write "adore-ng and other VFS rootkits can be detected by examining 'this' thing, and there is 'this' program that does it, and there is 'this' paper covering it in detail. Then there are rootkits involving redirection of the whole syscall table, others involving rewriting the address of the table etc., that can be detected with kern_check and other means."

But in the case of DR rootkits, I think there are not many things to write about...

Last edited by trv; 11-20-2008 at 06:35 PM.
 
Old 11-21-2008, 02:08 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Rep: Reputation: 2902
Quote:
Originally Posted by trv View Post
is there any other way? From what I understand, there are no published methods or papers about "detecting debug register rootkits"
I'd appreciate you posting the URIs for the papers you've got on the subject. Three methods come to mind right now, each with their own esoteric requirements: dedicated PCI cards, Intel SMM and VMMs. As far as I know no ready-made tools are available as of now. That's the answer you're looking for, right? Other than that I emphasise it's still a three-stage rocket, so without known good tools right now that still leaves auditing the entry phase and gathering evidence from the post-mortem phase.
 
Old 11-28-2008, 04:54 AM   #7
trv
LQ Newbie
 
Registered: Oct 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Hello unSpawn, and sorry for the big delay

You are correct about everything in your last post, and that's the purpose of my original question.
Do there exist any papers/tools that don't have to do with PCI cards/virtual machines etc.?
Tools like Saint Jude or something, maybe: kernel modules constantly monitoring the state of the system to see somehow if the debug registers are accessed by uncommon processes or for strange purposes.
Maybe monitoring all the do_debug function calls somehow... I don't know.
That's what I was talking about when I asked if something in this area exists, some research maybe.
Maybe rkhunter could have a module available too, for just the 'extreme' cases when someone wants to be protected against threats like that as well. But of course, I don't know if it's even possible to detect them using an LKM, so that you don't have to go 'deeper' under the OS to monitor the debug registers.
 
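Post #7 asks whether a kernel module could watch the debug registers directly. The DR7 layout such a module would have to interpret, as an added C example (not code from the thread or from any rootkit or tool named in it; the register values are constructed, the kernel-text address is a placeholder, and actually reading DR0-DR7 needs ring-0 code that this example leaves out):

```c
/* Decode an x86-64 DR7 value and its DR0-DR3 addresses. Added example, not from the
 * thread; values are constructed below, a real check reads them from ring 0 (kernel). */
#include <stdint.h>
#include <stdio.h>
struct dr_slot {       /* one hardware breakpoint slot as DR7 describes it */
    int      enabled;  /* L<n> (bit 2n) or G<n> (bit 2n+1) set */
    unsigned rw;       /* RW<n>: 0 = execute, 1 = write, 3 = read/write */
    unsigned len;      /* LEN<n>: 0 = 1 byte, 1 = 2, 3 = 4, 2 = 8 bytes */
    uint64_t addr;     /* linear address held in DR<n> */
};

void decode_dr7(uint64_t dr7, const uint64_t dr[4], struct dr_slot slots[4])
{
    for (int n = 0; n < 4; n++) {
        slots[n].enabled = (dr7 >> (2 * n)) & 3;
        slots[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        slots[n].len     = (dr7 >> (18 + 4 * n)) & 3;
        slots[n].addr    = dr[n];
    }
}

/* DR7.GD (bit 13): any MOV to/from a debug register raises #DB, which lets a
 * kit notice its hooks being touched; report it alongside the slots. */
int dr7_general_detect(uint64_t dr7) { return (dr7 >> 13) & 1; }

/* Execute breakpoints on kernel-half addresses (bit 63 set on x86-64) are the
 * footprint of a DR-based hook. Outside a kernel debugger or perf hw_breakpoint
 * users, a clean system should show zero. */
int count_kernel_exec_breakpoints(uint64_t dr7, const uint64_t dr[4])
{
    struct dr_slot s[4];
    int hits = 0;
    decode_dr7(dr7, dr, s);
    for (int n = 0; n < 4; n++)
        if (s[n].enabled && s[n].rw == 0 && (s[n].addr >> 63))
            hits++;
    return hits;
}

/* Constructed sample: slot 0 = execute bp on a kernel-text placeholder address,
 * slot 1 = 4-byte write watchpoint on a user address. DR7 bit 10 reads as 1. */
static const uint64_t sample_dr7   = 0xD00405ULL;
static const uint64_t sample_dr[4] = { 0xffffffff81000000ULL, 0x00007ffd12340000ULL, 0, 0 };

int main(void)
{
    printf("kernel execute breakpoints: %d, GD=%d\n",
           count_kernel_exec_breakpoints(sample_dr7, sample_dr), dr7_general_detect(sample_dr7));
    return 0;
}
```

A module that reads the registers on every CPU and feeds them through this decoder would report the constructed sample as one kernel-space execute breakpoint with GD clear.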
Old 11-28-2008, 11:30 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,485
Blog Entries: 54

Rep: Reputation: 2902
If you don't want to be only spoonfed conclusions I think you should at least read Rodrigo Branco on KIDS (2007) and Nick Petroni's dissertation (2008).
 
Old 11-28-2008, 11:53 AM   #9
trv
LQ Newbie
 
Registered: Oct 2003
Posts: 7

Original Poster
Rep: Reputation: 0
Thank you for those. I've already read Rodrigo's presentation (great), but only knew Petroni as a name from the Copilot paper. Time to read his dissertation.
 