At the root of rootkits

Hackers have a frightening number of tools at their disposal. Some of the most common--but most potentially harmful--are kits of code designed to spy on or damage your network. Knowledge is power.

By Chris Prosise and Saumil Udayan Shah

This is our first Security Issues column written in 2001, and we begin with new stories, new experiences, and new techniques to share. We start with an examination of rootkits, the black-hat hacker's bag of evil tricks. We've had many encounters with the bad guys of the Internet and learned a lot about their techniques. We attribute a large part of the intelligence gathered on black-hat hackers to the Honeynet Project, led by Lance Spitzner of the Sun Microsystems GESS Security Team. You may have heard of hackers called “black-hat” hackers. Now we'll discuss some of the tools they use once they penetrate their victims' systems.

Anatomy of a hack
Before we begin unpacking the rootkit, let's look at how an intrusion develops. An attacker will first try to probe the target computer system for possible vulnerabilities. Typical activities include a port scan, enumeration of active services, possible enumeration of users, and so on. An attacker may also try to log in as a valid user by guessing user account names and passwords, either by using a list of commonly known accounts or by using brute-force techniques. Once an attacker has found a vulnerability, the next step is to exploit the vulnerability and gain user-level access on the target system. What follows is an attempt to escalate privileges to become the system administrator, or root, in Unix parlance. Now we'll look at what a black-hat hacker does once he or she has gained administrative control of a system.

The rootkit
Once a hacker has gained administrative access to the target system, she or he will typically proceed to install a rootkit. A rootkit is a collection of utilities designed for these sinister purposes:
  • Creating back-door entry points into the system for later use
  • Tampering with system log files to escape gathering of evidence
  • Modifying or replacing existing system tools to avoid detection by system administrators
  • Monitoring network traffic or keystrokes
  • Launching attacks on other systems from the target system

In this article, we will discuss a rootkit we found on a system belonging to the Honeynet Project network. The system was running Solaris 2.6, and the rootkit contained Solaris programs.

When we unpacked the rootkit, we found contents that can be classified in the following groups:

Back door programs
Packet sniffers
Log-wiping utilities
IRC programs
Miscellaneous programs

The rootkit also contained Unix shell scripts designed to automatically install the programs into the right places, erase the attackers' entries from log files, and install the back doors. The attacker first used FTP to transfer the rootkit archive over to the target system, and then unpacked the archive. The attacker then ran a script to configure the rootkit to let himself and his cohorts in using the back doors from their originating IP addresses and to keep Unix system utility programs such as find, ls, netstat, and ps from reporting their activities. All the programs in the rootkit look for specific rootkit configuration files. The rootkit configuration files contain the names of the accounts set up by the attackers, the files along with their full directory paths, and the incoming IP addresses of the attackers.

Going in the back door
The attackers installed a number of back door programs, which let them log in to the hacked system without using an exploit.

l0gin.kit, This is a replacement for the /bin/login program that is used when a remote user tries to log in to the system. The original login program was replaced with a version with a back door. This version with the back door lets the attacker in without requiring any authentication, based on the incoming IP address, a user name, or a combination of both.

bd2: bd2 is an rpcbind program that contains code that acts as a Trojan horse. It essentially installs itself as a disguised remote procedure call service and allows the attacker to run arbitrary commands on the target system.

tcpd: The tcpd binary on the rootkit is a replacement for the TCP wrappers daemon, which is used to wrap commonly used Internet services such as Telnet or FTP. The subverted tcpd binary bypasses restrictions enforced by TCP wrappers to selectively allow or deny other systems from accessing TCP services on that system.

Subverted binaries of common Unix programs
Unix system administrators tend to use certain programs frequently to monitor the system and watch what is going on. The following Unix binaries were replaced with versions containing Trojan horse code that masked the attackers' activities based on either user names or incoming IP addresses:

find: The Unix find program is used to locate files on the file system based on certain search criteria. The subverted version of find did not display files installed by the attackers, such as the rootkit files and other associated files.

ls: On Unix, ls is used to list the files in a particular directory. It works much the same way as the DOS command dir. The subverted version of ls suppressed the listing of rootkit files to prevent detection of the rootkit.

netstat: The netstat program is used to display different network statistics, such as established network connections, network services that are currently active, network routes, and so on. The subverted version of netstat masked the network entries that contained the attackers' IP address.

ps: The ps program displays a list of currently running processes. The subverted ps binary displays all processes but the attackers'. It can also suppress the display of any given process; the attacker can select which processes to suppress when he or she installs and configures the rootkit.

Packet sniffers
The attackers also installed packet sniffers to capture network traffic. The attackers used the sniffers only when they wanted to listen in on something.

le: a Solaris Ethernet packet sniffer

snif: another packet sniffer

sniff-10mb: a sniffer designed to work on a 10mbps Ethernet connection

sniff-100mb: a sniffer designed to work on a 100mbps Ethernet connection

Log wiping utilities
The attackers also brought along tools to erase entries from Unix logfiles such as wtmp, utmp, and messages (syslog). The program used, zap3, erased their tracks from wtmp, utmp, lastlog, wtmpx, and utmpx. zap3 looks for log files in commonly used log directories such as/var/log, /var/adm, /usr/adm, and /var/run.

IRC programs
During their compromise of the Honeynet network's Solaris system, the attackers installed an Internet Relay Chat proxy and an Internet Relay Chat bot. The proxy's purpose was to bounce IRC messages across their IRC channel, and the bot's purpose was to keep the channel open, maintain operations on the channel, and respond to specific commands issued over the channel.

The IRC bot helped us monitor the hackers' chats, look into their motives, and learn about their moves. We noticed an interesting behavior pattern regarding the use of the IRC bot. The IRC setup had a purpose beyond just exchanging messages between the hackers. In this instance, the attackers had set up the IRC bots to respond to their commands and execute them on all the systems controlled by the attackers. We noticed that they had compromised dozens of systems all over the Internet and installed the IRC bots on each one of them. Whenever an attacker issued a command over the IRC channel, all of the bots would run that command on every compromised system. Later on, we learned that the attackers were using the IRC bots to trigger a distributed denial of service (DDoS) attack.

The attackers used the GNU IRC proxy and the EnergyMech IRC bot in this rootkit. More information on how hackers use IRC can be found at The Theory Group.

Miscellaneous programs
The rootkit also contained programs other than those commonly found in rootkits. One such program was the file editor pico, a very easy-to-use full-screen text editor. Unix systems usually have the editor vi installed on them; any proficient Unix administrator would be familiar with vi. That the attackers preferred pico leads us to believe that they did not have strong Unix skills, yet with prebuilt exploits and rootkits, they were able to compromise and control dozens of weakly configured systems across the Internet.

The rootkit also contained denial of service (DoS) attack programs, which flood the network with packets that overwhelm a target system's packet processing ability and cause it to be blocked off from the rest of the network. DoS attacks can be used to choke networks completely, preventing traffic from going into or coming out of the network. In this instance, the attackers used these DoS programs, which they installed on all the machines they compromised, to launch a coordinated distributed denial of service attack—a DoS attack launched from multiple systems, making it harder to defend against the onslaught.

In our next episode
In this article, we took a look at the contents of a rootkit found in a real-life attack. There are many different types of rootkits and rootkit utilities floating around the Internet. From time to time, we come across commonly used rootkits or rootkits that have been modified by attackers for special purposes. The rootkit discussed in this article is an example of such a hybrid. To see an archive of commonly used rootkits, check out Packetstorm.

Our next column will focus on the detection of rootkits and how to tell if your system is "owned." Meanwhile, stay safe, and as usual, share your discussions about black-hat hackers and rootkits at

Chris Prosise is the vice president of professional services at Foundstone, a network security firm specializing in consulting and training. Formerly a U.S. Air Force officer and a Big 5 consultant, Chris is the coauthor of Incident Response: Investigating Computer Crime and is an adjunct professor at Carnegie Mellon University. Chris holds a B.S. in electrical engineering from Duke University and is a Certified Information Systems Security Professional (CISSP).

Saumil Udayan Shah, principal consultant for Foundstone, provides information security consulting services to Foundstone clients. Shah specializes in ethical hacking and security architecture. He holds an M.S. in computer science from Purdue University and is a Certified Information Systems Security Professional (CISSP).

Editor's Picks