rootkit and trojan hunting

all,
     i am developing a small host integrity scanner / checker, to hunt
rootkits and trojans. offcourse, i need to add more methods /
techniques to detect. I am currently hashing out important files like
kernel, /boot dir and System.map files. Is there any other possible
way to code it better and anyother suggestion would be really helpful
in my coding.

return C;

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

>      i am developing a small host integrity scanner / checker, to hunt
>  rootkits and trojans. offcourse, i need to add more methods /
>  techniques to detect. I am currently hashing out important files like
>  kernel, /boot dir and System.map files. Is there any other possible
>  way to code it better and anyother suggestion would be really helpful
>  in my coding.

Don't reinvent the wheel -- just use Tripwire.
http://sourceforge.net/projects/tripwire/ for the open source version,
or http://www.tripwire.com/products/ for the commercial version if you
need something beefier. Based on what you've said in your message, it
sounds like the open source version will work just fine.

Cheers,
Terry

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

"Zow" Terry Brugger wrote:
Also worth mentioning are aide http://sourceforge.net/projects/aide ,
which does file integrity checking ,  and rkhunter and lynis
http://www.rootkit.nl/ , rkunter checks the system for rootkits and
trojans and lynis checks for some configuration issues.

hth,
jeff

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Take a look at NIST's NSRL Project: http://www.nsrl.nist.gov/. They have
been doing this for several years now.

However, observe the size of the database; whitelisting approach is not
efficient for what you want to achieve if you intend to provide a general
solution (i.e. something to be useful out-of-the-box for different users and
environments).

Another approach being promoted by Microsoft and others is the use of
digital signatures in drivers and executables:
http://www.microsoft.com/whdc/winlogo/drvsign/kmsigning.mspx. Personally, I
think it is much better, but you need support from developers and many
companies don't digitally sign their software.

My suggestion: Let your software digitally sign every approved executable
and driver to create a baseline and check digital signatures before
execution, if it's not signed then don't allow it to run (actually it gets
more complicated with processes and executables calling each other, but you
get the idea). In each company the whitelist would be relatively small and
manageable.

Note that this approach would work well within companies with a well defined
software change control management and certification process, it is not
something that individual users will find useful for their computers unless
they have certain IT/security background and know what they are doing,
otherwise you know what happens: Ok->ok->next->next. Whitelisting requires
intervention by someone who knows what to do, that's the reason we still
rely on blacklisting approaches in these cases and I don't believe there's
much we can do about it.

Handling updates is something that I haven't seen being done properly.
Usually, you send a patch and then need to update your whitelist database
with signatures of the resulting executable. Doing this is messy with most
products I've seen so far. In theory, your software could recognize a
digitally signed update, detect changes and locally sign the resulting
executables which you would then trust, since you trust the update.

Hope this helps,

Omar Herrera

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On
Behalf Of Return C
Sent: miércoles, 26 de marzo de 2008 12:06 a.m.
To: focus-ids@...
Subject: rootkit and trojan hunting

all,
     i am developing a small host integrity scanner / checker, to hunt
rootkits and trojans. offcourse, i need to add more methods /
techniques to detect. I am currently hashing out important files like
kernel, /boot dir and System.map files. Is there any other possible
way to code it better and anyother suggestion would be really helpful
in my coding.

return C;

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------

No virus found in this incoming message.
Checked by AVG.
Version: 7.5.519 / Virus Database: 269.22.0/1344 - Release Date: 26/03/2008
08:52 a.m.
 

No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.519 / Virus Database: 269.22.0/1344 - Release Date: 26/03/2008
08:52 a.m.
 


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Return C, have you looking about system call hooking or system call
table modifications?

>  Don't reinvent the wheel -- just use Tripwire.
>  http://sourceforge.net/projects/tripwire/ for the open source version,

(sigh) What about learning?

"Give a man a fish and you feed him for a day. Teach a man to fish and
you feed him for a lifetime." Chinese Proverb

--
Nuno Treez
--
Being a pain in the Internet's ass since 1996.
--
Si vis pacem, para bellum. (Vegetius, Epitome rei militaris, 3. Praef.)
--

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

>  >  Don't reinvent the wheel -- just use Tripwire.
>  >  http://sourceforge.net/projects/tripwire/ for the open source version,
>
>  (sigh) What about learning?
>
>  "Give a man a fish and you feed him for a day. Teach a man to fish and
>  you feed him for a lifetime." Chinese Proverb

I can't resist the retort: "Build a man a fire, you keep him warm for
a day. Set a man on fire and you keep him warm for the rest of his
life."

Seriously though, I will grant you the educational value of doing
something yourself, but in the security space, a lesson that is best
not learned the hard way is that building security software is hard.
Security critical software can be attacked in a lot of ways, and a
mature, well-known product has hopefully already addressed them. This
is usually most easily observed in the crypto space where someone
thinks they've come up with a great new way to encrypt data, but in
fact it's vulnerable to a attack that was well understood by
professional cryptographers years ago. Even developers who know what
they're doing make mistakes and we continue to find vulnerabilities in
mature products, as evidenced by the traffic on Bugtraq. One only
needs to read a couple issues of RISKS digest and CryptoGram to
understand this. The last thing I would want to see is this
enterprising programmer putting together this system, deploying it,
and then thinking they're safe; although, I will grant you that unless
an attacker had a particular interest in the system at hand, it's not
likely they'll think to look for and disable a custom-built integrity
verification system.

There are two other general reasons that I don't like seeing people
reinventing the wheel (not specific to security software), and one
more reason specific to learning settings:
1. it creates more wheels,
2. it dilutes effort across numerous systems rather than making one or
two systems very good, and
3. building software from scratch is a less valuable skill than being
able to fix, extend, and integrate software written by others.

The first is self explanatory to anyone who has ever wanted to add
some functionality to a Debian box -- be it a word processor or a new
window manager (both examples from real experience in the very recent
past). Which one to choose? Now, I understand the political or
technical reasons that cause code bases to fork, but it seems that
more often developers are too lazy to try to understand someone else's
code or unwilling to make an effort to work together, and we end up
with a massive duplication of effort. This duplication of effort is
particularly unfortunate if it could instead be used to make any one
of these systems better. (Is a decent open source WYSIWYG word
processor too much to ask for?) Now granted, both of these reasons are
really tilted heavily towards open source development, because if a
company tries to create a competing product, then they should know if
they're going to be attracting customers on price, features, or
something else (marketing, monopolistic business practices, etc). As I
recall, AIDE was created before the open source version of Tripwire,
and was probably largely responsible for Tripwire putting out an open
source version. All the other suggestions made so far are worth
looking at as they all provide different functionality from each
other.

The final point is one that's come more from experience. I'm not
saying that writing code from scratch is not a worthwhile skill, just
that being able to work within code others have written has proven to
be a valuable skill in my career -- one that's not shared with all
developers, and has pretty much been self taught, as my undergraduate
education actively discouraged it, and while my graduate coursework
didn't discourage, it didn't do anything to encourage it either.

All that said, I read Return C's original request as, "This seems like
a good idea, so I'm coding it up to protect my servers. What do all of
you think I can do to make it better?". Now, if they actually meant it
as, "I've heard this is an approach, and I'd like to code it up myself
to see what's involved. What do all of you think I should try or watch
out for?" Then I think that's great, and this forum will probably be
well served by a discussion of integrity checking approaches for
intrusion detection. I'll even start it off:
How do you protect the hashes? Tripwire 1 required that you put them
on WORM (Write Once, Read Many) or write-protected media. Tripwire 2
uses public key crypto to sign the hashes. While both approaches work,
neither has seemed particularly elegant, particularly as they require
a human in the loop, which makes system updates or managing large
groups of systems more labor intensive. I believe "Tripwire
Enterprise" adds features to ease these management issues in large
environments, but ultimately, it's just adding more layers to hide the
underlying issue. Any ideas how it could be better handled, perhaps by
leveraging kernel extensions such as LIDS or SELinux?

Cheers,
Terry

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Hi Terry,
             I appreciate your valuable comments. One thing I forgot
to tell in my previous post is that, I solely develop this tool for
academic purpose and nothing to make it like Tripwire or so and so
softwares. I always enjoy coding in Linux and C and try to learn new
things by coding myself rather installing a tool and learning it.
Offcourse, I do read a lot about techniques and other tools in
security space, to keep my knowledge up to date. This is purely for my
personal interest. Also I love to devel tools which would be helpful
for sysadmins and security pro's as well. Like I used to develop worm
removal tools in Win32. Thank you all once again.

return C;


On Thu, Mar 27, 2008 at 10:56 PM, Zow Terry Brugger <zow@...> wrote:
------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Dear Return,

>              I appreciate your valuable comments. One thing I forgot
>  to tell in my previous post is that, I solely develop this tool for
>  academic purpose and nothing to make it like Tripwire or so and so
>  softwares. I always enjoy coding in Linux and C and try to learn new
>  things by coding myself rather installing a tool and learning it.

Yes -- as Nuno set me straight. If you're just doing some hands on
learning for your own edification, that's awesome, and I certainly
don't want to discourage anyone from learning.

So -- how are you going to protect the hashes?

Are you planning on building these hashes on a per-host basis, or
maintaining a central store of hashes for all systems running a common
set of software?

If the running kernel is infected, how do you know that the data
you're reading off the disk (and calculating the hashes by) is
actually what's on the disk, and not just what the rooted kernel wants
you to see?

Are you targeting any particular distro, which might have hashes for
the files of interest in its package management database?

Sorry I'm more questions than answers, but hopefully thinking about
these things will point you in a promising direction.

Cheers,
Terry

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

hi Terry,
             I am currently coding this tool using gcc, MySql and
Openssl. I use MySql server for database and Openssl for cryto related
functions.
             For storing hashes I have two solutions. One, I will
follow the same as tripwire, like storing the hashes in encrypted
format (basically encrypting sql fields) and store it in non-writable
media (like CD-ROM). Second, I will bind the database detailes along
with the binary (a.out) of the hashing engine. So that my tool will
have the executable binary as well as the hash values. I will not
store these hash values anywhere else in the fs.
            Also I would like to give web interface functionality for
the alerts and monitoring (like ACID). I can code this in php. only
thing is, the serve needs top open Apache server. Since, this would
not be a good solution, as to open MySql and Apache server on a
production server, Iam planning to implement it as centralized
database server, isolated Web console and agents which will capture
and monitor systems. But once I started to think all this, it looks
like a big product and code base increases more which i never dreamt
off !
           But anyway I will do this as I enjoy coding in Linux, C and ASM :)

return C;

return C;

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------