Re: can't seem to find these tools/rootkit anywhere ..

From: lsi (stuartat_private)
Date: Wed Jul 10 2002 - 08:04:07 PDT


    Henti,
    
    here is a link for a scanner for Adore, although you seem to have a newer version than what's mentioned 
    below.
    
    Stuart
    
    ------- Forwarded message follows -------
    Date sent:      	Wed, 25 Oct 2000 09:30:09 +0200
    Send reply to:  	Stephane.Aubertat_private
    From:           	Stephane Aubert <Stephane.Aubertat_private>
    Organization:   	Herve Schauer Consultants
    Subject:        	Announce: rkscan, a kernel-based rootkit scanner.
    To:             	INCIDENTSat_private
    
    ========================================================
    
      Rootkit Scanner for loadable kernel-module rootkits
    
       (Analysis and detection tool for KNARK and ADORE)
    
    ========================================================
    
    Stephane Aubert <Stephane.Aubertat_private>
    Hervé Schauer Consultants (http://www.hsc.fr)
    
    rkscan is a kernel-based module rootkit scanner for Linux,
    it detects Adore (v0.14, v0.2b and v0.24) and knark (v0.59).
    
    rkscan.c is available at the end of this mail.
    
    
    Introduction
    ============
    
    When running on a computer, rootkits allow an unprivileged user
    to hide files, hide processes, run commands as root ...
    that's why they are called rootkits!
    
    krk (kernel-based rootkits) are still rootkits, but now they don't
    need to change the ls, ps or find binaries because they
    intercept system calls.
    
    krk seem to be very difficult to detect while running on
    a rooted computer.
    
    rkscan is a small scanner to help sysadmins detect computers
    infected by:
    
       . KNARK version 0.59
         knark is written by Creed <creedat_private>
         and can be found on packetstrom.securify.com
    
       . ADORE versions 0.14, 0.2b and 0.24
         Adore is written by Stealth
         and can be found on http://spider.scorpions.net/~stealth/
    
    
    rkscan.c is given at the end of the mail and will be available on
      <URL: http://www.hsc.fr/ressources/outils/>
    
    ( Only in a few days ... I am at SANS NS2000 in Monterey :)
      I wrote this first version during Dave Dittrich's course
      on DDoS, thanks Dave for this course! )
    
    Don't forget:
      There are different techniques to protect yourself against krk;
      the best one is certainly to disable kernel-module support.
    
    
    Usage
    =====
    
    Just run : ./rkscan
    
    Example:
    
    !! Don't run the following command unless you know what you are doing.
    # insmod adore.o
    # exit
    
    % ./rkscan
    -=-      Rootkit Scanner      -=-
    -=- by Stephane.Aubertat_private -=-
    
      Scanning for ADORE version 0.14, 0.2b and 0.24 ...
      #ADORE rootkit is running with ELITE_CMD=50666 !
    
      Scanning for KNARK version 0.59 ...
      KNARK rootkit NOT DETECTED on this system.
    
    Done.
    % ./ava U U
    Checking for adore  0.12 or higher ...
    Adore 0.14 installed. Good luck.
    Adore 0.14 de-installed.
    
    
    How it works
    ============
    
    Adore v0.14 uses a setuid call to detect if its module is loaded:
    
      #define ELITE_CMD 31337
      int adore_installed() {
          return setuid(ELITE_CMD+2);
      }
      ...
      printf("Checking for adore  0.12 or higher ...\n");
      if ((version = adore_installed()) <= 0) {
          printf("Adore NOT installed. Exiting.\n");
          exit(1);
      }
    
    Adore v0.24 uses a setuid call to detect if its module is loaded:
      (ELITE_CMD is fixed in the Makefile to 61855)
    
      adore_t *adore_init()
      {
         adore_t *ret = calloc(1, sizeof(adore_t));
         ret->version = setuid(ELITE_CMD+2);
         return ret;
      }
    
    Knark uses a settimeofday call to detect if its module is loaded:
    
      #define KNARK_GIMME_ROOT 9000
      ...
      if(settimeofday((struct timeval *)KNARK_GIMME_ROOT,
                          (struct timezone *)NULL) == -1) {
          perror("settimeofday");
          fprintf(stderr, "Have you really loaded knark.o?!\n");
          exit(-1);
      }
    
    So the main problem is to find the ELITE_CMD or KNARK_GIMME_ROOT values,
    which may have been changed.
    
    That's why we need a scanner to test each possible value.
    
    
    Bad news
    ========
    
    Future versions of these rootkits will certainly use crypto, or just
    something like the following lines, in order to hide themselves more and more.
    
      #define ELITE_CMD 31337
      #define KEY_1 42843
      #define KEY_2 89843
      #define KEY_3 11343
      #define KEY_4 17323
      #define KEY_5 64543
      /* may be more */
    
      int ItIsMe() {
        setuid(KEY_1);   /* put a global var to the first state (state=1;)  */
        setuid(KEY_2);   /* action: state=(state==1?2:0);                   */
        setuid(KEY_3);   /* and so on ...                                   */
        setuid(KEY_4);   /* and so on ...                                   */
        setuid(KEY_5);   /* and so on ...                                   */
      }
      int adore_installed() {
        ItIsMe();
        return setuid(ELITE_CMD+2); /* ok if state==5 and ELITE_CMD is good */
      }
    
    And it will be more and more difficult to scan for these krk :(
    
    It's time to rebuild your kernel and disable module support!
    
    
    The scanner
    ===========
    
    /** rkscan.c (C) 2000 by Stephane Aubert
     ** <Stephane.Aubertat_private>
     **
     ** Rootkit Scanner for:
     **   . KNARK version 0.59
     **     (kernel-based rootkit)
     **     knark was written by Creed <creedat_private>
     **     and can be found on packetstrom.securify.com
     **
     **   . ADORE versions 0.14, 0.2b and 0.24
     **     (kernel-based rootkit)
     **     Adore was written by Stealth
     **     and can be found on http://spider.scorpions.net/~stealth/
     **/
    
    #include <sys/types.h>
    #include <sys/time.h>   /* settimeofday() */
    #include <stdint.h>     /* uintptr_t, for the int-to-pointer cast */
    #include <limits.h>     /* INT_MAX */
    #include <unistd.h>     /* setuid(), getuid() */
    #include <stdio.h>
    #include <stdlib.h>     /* exit() */
    #include <pwd.h>        /* getpwuid() */
    
    // Use INT_MAX for a full scan (slow); 65535 covers the default keys
    #define UPSCAN 65535
    
    /* knark treats a magic value in settimeofday()'s first argument as a
     * command. For an unprivileged caller the real syscall fails with
     * EFAULT (bogus pointer) or EPERM, so a return of 0 means the hooked
     * syscall recognised the value. */
    int knark_scan( void ) {
        int command;
        printf("  Scanning for KNARK version 0.59 ...\n");
        for( command=UPSCAN; command>=0; command-- ) {
          if(settimeofday((struct timeval *)(uintptr_t)command,
                          (struct timezone *)NULL) == 0) {
              printf("  #KNARK rootkit is running (settimeofday command=%d) !\n\n",
                     command );
              return 1;
          }
        }
        printf("  KNARK rootkit NOT DETECTED on this system.\n\n");
        return 0;
    }
    
    /* Adore answers setuid(ELITE_CMD+2) with its version number (> 0).
     * A normal kernel returns -1 (EPERM) when an unprivileged process asks
     * for a uid other than its own and 0 for its own uid, so only uids
     * absent from the passwd database are probed and only a positive
     * return value counts as a hit. */
    int adore_scan( void ) {
        int version;
        uid_t uid;
        printf("  Scanning for ADORE version 0.14, 0.2b and 0.24 ...\n");
        // for all possible UIDs (uid_t is unsigned, so the loop ends at uid 1)
        for( uid=UPSCAN; uid>=2; uid-- ) {
          if( getpwuid(uid) == NULL ) { // if UID is not in /etc/passwd
            if(  (version=setuid( uid )) >0 ) {
              printf("  #ADORE rootkit is running with ELITE_CMD=%u !\n\n",
                     (unsigned)(uid-2) );
              return 1;
            }
          }
        }
        printf("  ADORE rootkit NOT DETECTED on this system.\n\n");
        return 0;
    }
    
    int main( int argc, char *argv[] ) {
        int retval=0;
        printf("-=-      Rootkit Scanner      -=-\n"
               "-=- by Stephane.Aubertat_private -=-\n\n");
    
        /* As root, setuid() succeeds for any uid and settimeofday(NULL, NULL)
         * returns 0, so the probes would be meaningless (and would drop
         * the scanner's privileges half way through). */
        if( getuid()==0 ) {
          printf("  *** Don't run this scanner as root ! ***\n\n");
          exit( 0 );
        }
    
        retval += adore_scan();
        retval += knark_scan();
    
        printf("Done.\n");
        exit( retval );
    }
    
    ==EOF===================================================
    
    
    ------- End of forwarded message -------
    -- 
    Stuart Udall
    stuartat_private - http://www.cyberdelix.net/
    ..revolution through evolution
    
    want to make some cash? check out http://cyberdelix.net/affiliates.htm
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
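The two mechanisms in the forwarded mail's "How it works" and "Bad news" sections, modelled in user space as an added example (this is not part of rkscan.c, Adore or knark, and the hooked_setuid_* functions are hypothetical stand-ins for the kernel-side syscall hooks, which cannot be loaded in a test). ELITE_CMD and KEY_1..KEY_5 are the values quoted in the mail; ADORE_VERSION (what the hooked setuid hands back on success) and the stray uid 1000 are assumptions. linear_scan() is the same loop as rkscan's adore_scan(), with the syscall swapped for a probe function so both hooks can be scanned side by side:

```c
#include <errno.h>
#include <stdio.h>

/* Values from the forwarded mail (Adore 0.14 ELITE_CMD, "Bad news" keys).
 * ADORE_VERSION is an assumed success value for the hooked setuid(). */
#define ELITE_CMD     31337
#define ADORE_VERSION 14
#define UPSCAN        65535

static const unsigned KEYS[5] = { 42843, 89843, 11343, 17323, 64543 };

/* Hypothetical model of the Adore 0.14 hook: a single magic uid unlocks
 * the backdoor. Any other uid behaves like the real syscall does for an
 * unprivileged caller asking for a foreign uid: -1 with errno EPERM. */
static int hooked_setuid_simple(unsigned uid)
{
    if (uid == ELITE_CMD + 2)
        return ADORE_VERSION;
    errno = EPERM;
    return -1;
}

/* Hypothetical model of the knock-sequence hook from "Bad news": the magic
 * uid is only honoured once KEY_1..KEY_5 were seen in order, and any other
 * call in between resets the state. Every call still looks like EPERM. */
static int knock_state = 0;

static int hooked_setuid_knock(unsigned uid)
{
    if (uid == KEYS[0]) {                       /* KEY_1 always (re)starts */
        knock_state = 1;
    } else if (knock_state >= 1 && knock_state < 5 && uid == KEYS[knock_state]) {
        knock_state++;                          /* next key, in order */
    } else if (knock_state == 5 && uid == ELITE_CMD + 2) {
        knock_state = 0;
        return ADORE_VERSION;                   /* unlocked */
    } else {
        knock_state = 0;                        /* wrong value: back to start */
    }
    errno = EPERM;
    return -1;
}

/* rkscan's adore_scan() loop: try every uid once, highest first, and
 * treat a positive return as the rootkit's version. Returns the recovered
 * ELITE_CMD, or -1 when nothing answered. */
static int linear_scan(int (*probe)(unsigned), unsigned upscan)
{
    for (unsigned uid = upscan; uid >= 2; uid--)
        if (probe(uid) > 0)
            return (int)(uid - 2);
    return -1;
}

/* The rootkit's own client: knock, then ask. With stray != 0 an unrelated
 * setuid(1000) is slipped in between KEY_2 and KEY_3 to show the reset. */
static int knock_client(int (*probe)(unsigned), int stray)
{
    for (int i = 0; i < 5; i++) {
        if (stray && i == 2)
            probe(1000);                        /* assumed arbitrary uid */
        probe(KEYS[i]);
    }
    return probe(ELITE_CMD + 2);
}

int main(void)
{
    printf("simple hook, linear scan       : ELITE_CMD=%d\n",
           linear_scan(hooked_setuid_simple, UPSCAN));
    printf("knock hook,  linear scan       : ELITE_CMD=%d\n",
           linear_scan(hooked_setuid_knock, UPSCAN));
    printf("knock hook,  scan to 100000    : ELITE_CMD=%d\n",
           linear_scan(hooked_setuid_knock, 100000));
    printf("knock hook,  real client       : version=%d\n",
           knock_client(hooked_setuid_knock, 0));
    printf("knock hook,  client with stray : version=%d\n",
           knock_client(hooked_setuid_knock, 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. The first line reproduces what rkscan does against Adore 0.14: one pass over the uid range recovers ELITE_CMD. The second and third lines are the mail's "Bad news": a scanner that tries each value once never sees the magic uid accepted, and widening the range past KEY_2 (89843) does not help, because the secret is the order of the calls, not a single number; only the client that knocks in sequence gets the version back, and a single unrelated setuid() in between sends the hook back to its initial state. That is why the mail's advice is to disable module loading rather than to keep enlarging the scan.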
    



    This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 09:26:09 PDT