GT ECE 4112 - Rootkits, Backdoors and Trojans

ECE 4112 Internetwork Security
Lab 5: Rootkits, Backdoors and Trojans

Group Number: _______________
Member Names: _________________________ _________________________
Date Assigned: February 15, 2012
Date Due: February 23, 2012

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal: This lab will introduce you to rootkits, which are malicious programs placed on a computer by someone who has already gained access and wishes to keep that access and perform other tasks while remaining hidden. In this lab you will also learn how backdoors can be used to gain access to a computer, and how Trojan programs can be used to create these backdoors.

Summary: In this lab you will examine two different kinds of rootkits for Linux and one for Windows. The first is a traditional rootkit named lrk4, one of the most popular and stable rootkits available. The second is a kernel-level rootkit named Knark. We will also look at four ways of checking whether a rootkit is installed: kern_check, chkrootkit, strace and Rootkit Hunter. For Windows XP we will use a rootkit called Hacker Defender, which hides files and processes and creates a backdoor on the machine it is installed on. Later in the lab, you will use Netcat to gain access to a machine. Then you will examine the properties of a Trojan using a software package called Virtual Network Computing (VNC). Next, you will use a Trojan program called Back Orifice 2000.

RootKit Part of the Lab

Background and Theory: Though actually developing the code for a rootkit would be difficult and time intensive, today there are dozens of common rootkits posted online for anyone to use. Using them is just a matter of reading and understanding the README file. In this way all sorts of people have access to rootkits, and discovering them on a system becomes a huge task in itself. We will see both how some rootkits are discovered and how some can stay hidden if proper precautions are not taken or ineffective software is used.

Lab Scenario: We will be installing rootkits on both our RedHat 7.2 virtual machine and our Windows XP virtual machine. It is assumed for this lab that we have already gained root access to the victim machine; in reality this would have been an extra step, but for this lab we want to focus on rootkits. (A buffer overflow is most likely how an attacker would gain root access.)

First copy the lab5 contents from the NAS to your 7.2 virtual machine and to your virtual Windows XP machine.

Note: Some students reported that instead of copying the virtual machines after analyzing each rootkit, it is easier to use VMware's built-in snapshot system, which lets you save the state of a virtual machine at any point and revert to it later. To use snapshots, the "legacy" virtual machines must be upgraded.

Next, make a backup of the Linux 7.2 virtual machine by going to the /root/vmware directory in the Linux WS 4.0 machine and typing (assuming RedHat7.2 is the name of your folder):

# cp -r RedHat7.2 RedHat7.2.bak

This may take a few minutes.

AFTER COMPLETING EACH SECTION, YOU MAY WANT TO REVERT BACK TO THE BACKUP COPY OF REDHAT 7.2. DO THIS BY:

# cp -r RedHat7.2.bak RedHat7.2

THE SAME IS TRUE FOR THE BACKUP OF THE XP VM YOU WILL MAKE:

# cp -r winXPPro.bak winXPPro

Section 1: Lrk4

The lrk4 rootkit replaces several different system binaries with trojaned versions; it allows a hacker to gain access to a machine using a hacker password and to hide what he or she is doing. All of the files you need can be found on the NAS, in the folder "Lab5". You can access the NAS as you did in previous labs, by mounting it just like a floppy or CD-ROM.

On your RedHat 7.2 virtual machine:
Copy the lrk4.unshad.tar.gz and chkrootkit-0.42b.tar.gz files to the /home directory.
Copy the two files from the "rpms" folder on the NAS to /home/tools.
Copy knark-2.4.3.tgz into the /home directory and kern_check.c into the /home/tools directory; these files will be used later in the lab.

Just as Windows has different boot modes such as "safe mode" and "command prompt" mode, Linux has different runlevels. You will want to run the rest of the lab in runlevel 3 (command prompt) so that you are not in startx (the Linux GUI). You may go back to runlevel 5 (startx) later by typing startx. To switch, in a terminal type:

# init 3

Give it a few seconds. Log back in as root and create a user account called "user1" with the following command:

# useradd user1

Then set a password for this user with the following command:

# passwd user1

When prompted for a password, type one in and then re-type it at the next prompt. Now type exit at the prompt and you should be returned to the login screen. Log in as user1; once you have logged in, type "whoami".

Q1.1: What do you see?

Type exit again, and now try logging on as root but use a wrong password, and notice the error messages you get. Also notice that after an incorrect login you still get the original login prompt. Keep this in mind. Go ahead and log in properly now.

Q1.2: Check the date and the size of the login binary and record them (use ls -l /bin/login).

Unzip the lrk4.unshad.tar.gz file in the /home directory with the following command:

# tar xvfz lrk4.unshad.tar.gz

The arguments xvfz set the mode of tar as follows: eXtract, File, ungZip, Verbose. It extracts the given file, ungzipping it as well and providing complete output. Now, before we can use the rootkit, we need to install a couple of libraries. Go into the /home/tools/rpms directory and install the two library rpms using the following commands:

# rpm -i ld.so-1.9.5-13.i386.rpm
# rpm -i libc-5.3.12-31.i386.rpm

The "-i" argument tells rpm to install the rpm. Now switch to the lrk4 directory (this should be /home/lrk4). The rootkit contains several pre-compiled binaries that a hacker can use on a machine to gain access, cover tracks, and sniff information. Today we are going to look at the corrupted login and ls commands. For more information on rootkits, as well as what needs to be done to
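Q1.2 asks you to record the date and size of /bin/login by hand so the trojaned copy can be spotted later. The script below is an added example (not part of the lab handout) that automates that check as a minimal file-integrity baseline: it snapshots size, mtime and SHA-256 for a list of binaries and later reports any that changed. It assumes GNU coreutils (`stat -c`, `sha256sum`) and paths without spaces, and its demo runs on constructed stand-in files rather than the real /bin/login and /bin/ls.

```shell
#!/bin/sh
# Added example, not from the lab: baseline-and-verify check for binaries a rootkit
# such as lrk4 replaces. Assumes GNU coreutils (stat -c, sha256sum); paths must
# not contain spaces. Keep the baseline off the host: a rootkit with root can
# rewrite a baseline stored alongside the binaries it trojaned.

# Print one line per path: path size mtime sha256 (MISSING if the file is gone).
snapshot() {            # $1 = file listing the paths to check, one per line
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if [ -f "$f" ]; then
            printf '%s %s %s %s\n' "$f" "$(stat -c %s "$f")" "$(stat -c %Y "$f")" \
                "$(sha256sum "$f" | cut -d' ' -f1)"
        else
            printf '%s MISSING MISSING MISSING\n' "$f"
        fi
    done < "$1"
}

# Compare baseline ($1) with a current snapshot ($2); print each changed path and
# return the number of changed entries, so 0 means every recorded file is intact.
verify() {
    changed=0
    while read -r path size mtime hash; do
        cur=$(awk -v p="$path" '$1 == p' "$2")   # exact-match lookup by path
        [ -n "$cur" ] || cur="$path MISSING MISSING MISSING"
        if [ "$cur" != "$path $size $mtime $hash" ]; then
            echo "CHANGED: $path"
            changed=$((changed + 1))
        fi
    done < "$1"
    return "$changed"
}

# Demo on constructed files standing in for /bin/login and /bin/ls, so it runs
# anywhere. Returns the number of changed files (1: only "login" was swapped).
demo() {
    d=$(mktemp -d)
    printf 'login v1\n' > "$d/login"; printf 'ls v1\n' > "$d/ls"
    printf '%s\n' "$d/login" "$d/ls" > "$d/list"
    snapshot "$d/list" > "$d/baseline"                  # taken before "infection"
    printf 'login with backdoor password\n' > "$d/login" # simulated trojaned binary
    snapshot "$d/list" > "$d/now"
    verify "$d/baseline" "$d/now" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo; echo "changed files: $?"
```

On a real host, feed `snapshot` a list such as /bin/login and /bin/ls, store the output on read-only or remote media, and compare with `verify` after the suspect period; note that a kernel-level rootkit like Knark can lie to `stat` and `sha256sum`, which is why the lab also checks from the kernel side with kern_check.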