
...rootkits and LD_PRELOAD and things like that. Very interesting talk. Alistair is a security consultant at NCC Group, and if you find him on Google then you win a prize.
I am a rootkit wizard, as it said. I'm a security consultant for NCC Group, and I'm primarily a C and Perl programmer, but I also like some other more obscure languages like Fortran. In my spare time I research Unix malware, and I get it generally from honeypots, from people, you know, friends, about their server compromises, or just crawling through pastebin for source code sometimes. So the general state of Unix malware is pretty cool: there's an awful lot of DDoS Perl, you know, standard UDP flooding scripts; I see some from the 90s, but some compiled IRC bots that are the exact same thing.

In terms of rootkits, generally the thing I see a lot is SHV4 and SHV5, and if you're not familiar with them, they are these rootkits from the early 2000s. They're userland rootkits, and essentially what they do is they replace the entire, like, sort of /bin tools: ps, cat, netstat, and it also replaces /usr/sbin/sshd and binaries like sshd. It's pretty obvious stuff when your box is compromised and suddenly /bin/ps has a timestamp from 2000. So one of the things that I have seen a lot recently, and that I've seen more and more of, are LD_PRELOAD rootkits, so I'll talk about them in a minute. So again, Kaiten is old, it's from the 90s, like early 2000s; it's been around forever. It's an IRC bot, there's nothing cool about it; people are still using the same old source code with, like, no modifications. LightAidra is another MIPS-based botnet; this is specifically designed to run on routers. It was written by an Italian chap in 2009, 2010, I recall, and it's quite cool, it's very nice, it's very tight, but recently you see ones for more platforms. A few years ago, 2012, I was looking around and I found a LightAidra botnet on one of my honeypots, and it was a group of Italians who were running a router botnet, and on all the routers they were trying to run Litecoin miners, because of the processing power of a few hundred routers. There's lots of Perl IRC bots, and there's a big one, which is this pastebin one; everyone used it. I'm sort of honoring it in my presentation, and you always know what it is because even though they change the options, they change other things, it always has the same variable for packets; it's like, it's pretty obvious. And then you've got SHV4 or 5, usually, in cases that just alter a few small things.

So, LD_PRELOAD: it's an environment variable and it forces a dynamically linked program to load a library. So in Linux, every binary, like, unless it's statically compiled, tends to use shared libraries, and it's really useful for debugging because you're able to change, like, functions and insert code that would modify things so you can watch what happened. And it's got other uses, other legitimate uses, because you can also use it to hook functions, and torsocks, which is a wrapper that comes with Tor to tunnel TCP traffic through Tor, uses LD_PRELOAD to force something to go through Tor. So it loads the library that's preloaded in a privileged position in the chain of libraries; it loads it like the very first library, and that means that you can redefine functions, you can change what they do, because you are in the most privileged position in the chain, and you can hook standard C library functions like write, so, say, instead of running DDoS you can write 'lolcatz', and all these things. You can do pretty, pretty cool stuff with it because you're in that position. And if it was just an environment variable it would be really cool, but it's more than just an environment variable, because on Linux there is a file that lets you globally force every single userland binary to load this library, and it's /etc/ld.so.preload. And I'm sure somewhere in some mailing list from like the 1980s, 1990s, someone has a really, really legitimate reason for including this feature, but if anyone can find it, please, please tell me, because the only purpose I've seen it be used for is evil, evil malware. There are limitations: broadly, setuid binaries cannot be preloaded, except in a few situations: when something is set with LD_PRELOAD and the preloaded library itself is setuid, or when it's in /lib or /lib64. So there's not really any limitation, especially if you've got root.
Statically compiled binaries are unaffected by this because they don't load any libraries, because they come with all that they need. And for obvious reasons kernel-space code, which runs in the kernel, is unaffected, because this is purely userland. So here it is: it's this easily exploitable, really obvious method of screwing with, like, the entire userland, and obviously, amazingly, bad guys have decided to write some rootkits. And they are almost entirely for Linux; there's some proof of concept code out there for Solaris, and it's an sshd backdoor, and there's some AIX examples floating around, and I'm seeing Mac stuff. And they've got advantages: they're small, they're simple, they're portable; you can compile it and it'll run on pretty much anything, as long as it's in the same location, and there's quite a number and it's increasing. So you see a lot of them advertise themselves as anti-forensic, or they've got all kinds of cool anti-debugging measures and you'll never detect them, and some of them are, you know, private, super leet, no one has them, and some of them are just, like, really, really egotistical, like this one, which includes a weird Bible quote, because there's nothing more dramatic than the Bible to make your rootkit... But they're actually all kind of terrible. There's varying levels of terrible, but they are all terrible, because the LD_PRELOAD gene pool is quite small. They're all based on only a handful of different rootkits, basically, and only a small amount of research, and it means that any problems in implementation or any strange design choices tend to propagate, because rootkit writers are lazy, it turns out. They like to copy each other's code; they like to not bother looking at it. So the good news about that is that it makes it easier for us to detect and to remove them, and the bad news is that it also makes it easier for someone who is a lot scarier to come in and use them to elevate privileges, or so on. And I mean, even if you catch the initial privilege escalation that was used to install these rootkits, they essentially hand out root. So we've talked about what they are; so we're going to talk about the flaws in how they're designed; we're going to talk about how their design leads you to be able to remove them, or to use them for privilege escalation. And one thing that I'm not going to be discussing, because it would be a bad idea, is the idea of compromising libc, because that would be bad. So I've written some code which I released a few months ago, and one is a very, very small binary, it's 109 bytes or so, I
think, maybe 190, and it just deletes /etc/ld.so.preload. It's written in assembly and it's very small. And then I wrote a Perl script that detects one of the rootkits, because of its design: it has default variables, and it detects those in the source. And so my GitHub is up there if you can find it. So the family tree of userland rootkits is kind of fairly basic. So in 2009, the earliest sample of any rootkit I could find is one called LD minutes Venus oh, and there's only one reference to it; it's some guy's blog from 2009 where he talked about how he got compromised by this thing and lost and removed it, and no one else apparently has ever been infected by it, so I don't know how widespread it was. If anyone has ever actually seen it or heard about it, please tell me. And then it was pretty quiet from that up until 2011, when a rootkit called Jynx was released by a group called Blackhat Academy, and there's, like, a Blackhat Library, and it was an open source LD_PRELOAD rootkit. It was fairly simple: it hid some files, it had a reverse shell; it's kind of cool. And in 2012 they released an updated version called Jynx2, which is sort of the de facto father of most of the other rootkits.

In 2011 a private rootkit was released, privately, to, like, Blackhat Academy people and their friends, called Galan. It's very, very similar to Jynx, a few differences which we'll cover later, but it's ultimately quite similar. In 2011 there was also lib__mdma, which is being actively developed, and the latest I saw was 2013. I haven't looked for any news, but I'm sure there probably are some from last year, so that's out there in the world; I've seen it on some boxes. Around 2011, 2012 and 2015 there were three releases of a rootkit called Umbreon, and so it's probably the best, the only proper rootkit. The 2011 version has flaws, the 2012 version was pretty good; I only got the 2015 version this weekend, so unfortunately there's not much on it, but I couldn't actually get it to work without segfaulting on my VM constantly, so take it with a pinch of salt. And in 2014, the Bible quote one, Azazel; it's derived from Jynx, it's a straight-up copy of Jynx essentially, but it's been totally rewritten and functionality has changed, it has some extra functionality, and that is what inspired this talk, because I remember people talking about how great it was and how it, you know, avoided all these forensics, but no one actually tried to use it ever, apparently.

So there's some common functionality across rootkits. So obviously there's a backdoor: you want to gain access remotely; again, you want to be able to get in. And privilege escalation: if you do get in through another account, or however it works, you want to be able to get to root. And obviously you want to hide files and protect your rootkit, and you also want to be able to hide network connections, and the way LD_PRELOAD rootkits usually do this is by preventing you from reading things in /proc/net/tcp. There are other ways of doing that, but that's how they do it most of the time. There's other common functionality. So in terms of the backdoors, one of the most common methods is an accept() backdoor, and so how that works is it hooks the accept function, which handles the connections, and if you're coming from a range of ports, say the rootkit's config file has 1337 to 1339, if you're coming from 1337 and that's your source port, you connect, and basically it allows you to interact with that port as if it's a backdoor. So you're actively backdooring existing connections, so things like sshd and so on. And generally you occasionally see a hashed password for the backdoor, not always, but sometimes. And another piece of functionality you see is PAM hooks, which I'll talk about here. So PAM is Pluggable Authentication Modules in Linux; basically it's a set of authentication functions and tools that allow you to authenticate things like an SSH session and so on, and a bunch of userland rootkits use these functions to give you a backdoor. The reason they do this is because you only need to hook about three or four PAM functions, there's, like, a pam_ function and a few others, but it's very, very simple, you don't need a lot of code, and you can backdoor SSH without much doing. But it's horrible. The one thing that's bad about them doing this, though, is they usually need to, because PAM doesn't come with every Linux distribution out of the box; if you suddenly find you've got PAM all over your box, then it's probably been backdoored and some guy is trying to, like, install it to gain access to your installation.

So we should talk about the more specific rootkits. So LD minutes Venus oh: like I said, it's only really mentioned in one blog, I only have one sample, and it doesn't give me a whole lot to talk about, and it's the first, it's the first one I could find, and again, it's got a lot of functionality, and for something that was made, you know, six years ago, it's got some really cool stuff that was discovered later independently. So it's got PAM authentication, okay, it does it in a different manner, but it's got it, and that's quite cool, and it had all the passwords hashed, which you don't see until like 2012, and it's really, really early. So I played with the idea that it might be related to Jynx somehow, or maybe the author went on later on and wrote it, but in the end I discarded that idea because it's just got so much functionality and Jynx really doesn't. So, Jynx: so I mean, if this is the grandfather, if LD minutes Venus oh is the grandfather, this is sort of the father; this is like the main ancestor of
everything. So there's two versions; they've both been publicly released; their code is on GitHub under the user chokepoint, I think it is. And so the way they differ is backdoor mechanisms: Jynx version one used a reverse shell, triggered remotely; Jynx version 2 uses an accept() backdoor, which uses existing listening services. And they hook a relatively small number of functions; it's absolutely very minimal, to hide my files from, like, ls and so on. And the way it allows the malware writer, or malware user, to interact with the operating system itself, when you want to see files as they are, is it has its own second library called reality.so, which essentially uses the original syscalls, and it's kind of a messy way, because it's made early and because itself... well, we've got Galan as well. So Galan is a private rewrite of Jynx. It has an accept() backdoor, but the accept backdoor is crazy: it has its own client that you need to generate a config file for with a Python script, and it's overkill. It uses, like, some crazy AES and Twofish crypto to, like, hide traffic, and the password for the backdoor is hashed, obviously, but the one thing that's wrong with it is, for all the effort that went into, like, making this crazy backdoor, it's still, like, really, really bare in the hooking options; it's fairly simple, and you'll see how bad it is.

So we've got lib__mdma.so, which is obviously legitimate: any time you see lib mdma on your box you think, great, cool, just genuinely flying around. And it's a combination of Jynx and LD minutes Venus oh, I think, or at least it seems to have independently discovered a bunch of the same things that LD minutes Venus oh does. And it's being actively developed and it's out there in the wild; again, the last one I saw was a 2013 release, and the earliest I saw was 2011. And it hooks PAM, it's pretty cool, but unlike some of the other rootkits I have samples of, I didn't get the source code, so I had to reverse it. So, Umbreon, ridiculous name. Umbreon is a private rootkit; it's based on Jynx; it's pretty good. Umbreon version two is a real pain to remove, and Umbreon version one is also a bit problematic to debug, but not as bad. Umbreon version 3, which was released this year and I checked out this weekend, I haven't actually managed to get to work without it segfaulting everything. And it's on sale on a few sort of underground forums, you know, there's the occasional thread for them, selling at about a hundred dollars a pop. And so yeah, it is being actively developed: there's three versions; version one isn't being actively developed; version 2 is the primary one getting fixes, and those two differ by their backdoors, like Jynx one and two do, and then there's a third version which is being actively built, and that differs in that it doesn't work. The passwords aren't hashed, and it hooks an awful lot of functions, and it's much better at hiding, making it difficult to remove, and it is a real pain; unless you know, and unless you're lucky, it's quite difficult to remove and find. Azazel is another publicly released rootkit; its source is on chokepoint again, because it's the same guys, and there's a private version apparently, allegedly; I haven't seen it, but you never know. And it's designed to be resistant to reversing, resistant to forensics, so all the hooks have been rewritten, and it uses XOR to obfuscate all the strings in the binary, so the password, the library name, and so on and so forth, and it has anti-debugging measures. And in its defense, it tries to be stealthy; it doesn't get there, but it tries.

So mostly this talk will avoid discussing statically compiled tools, because anyone can compile something static and remove it; I mean, I wrote a tiny thing to do it myself, it's in assembly, it was fun, but it's simple to do that. So it's more interesting to talk about the flaws in all of these things. So obviously the first flaw is that they can't mess with the dynamic linker.
So ldd is a little utility that prints a list of, like, loaded libraries of a binary, and ldd itself is a bash script that wraps ld.so, which is a program, a shared library, and ld.so is actually statically compiled. So admittedly I am kind of talking about avoiding statically compiled tools, but this one is pretty good for detecting, and it's easy, it's on every box, you know, it's standard on Linux. And so this is what the output of ldd on /bin/echo should look like: you've got libc, you've got ld-linux. This is what it looks like after Jynx has been installed: so /bin/echo now needs libk5crypto, libssl, and it also needs that mysteriously named /XxJynx/jynx2.so, so I wonder what that would be. So yeah, this is pretty much the easiest way to detect it, because you can never really miss that: if everything is now using, like, libssl, it looks like something's wrong. So yeah, I mean, this is one of the fatal flaws of these; there's no real way to get around it except for doing something really, really disgusting, like hooking the execve function, which is how programs are sort of, like, launched, and killing it. And this thing will always tell you where the library is, so once you know where it lives, you're on your way to getting rid of it. And some rootkits try to break ldd; Umbreon does, to an extent, and you get bizarre errors. But if you start getting bizarre errors on ldd, you know something's up. And since there's also libc.so.6 and ld-2.18.so, or whatever you call it, you can also use those, break those, or even, like, copy them into a different directory, and there's not really any way they can stop that easily. But even though you know where it is, it doesn't necessarily do it.

So here we have Jynx, and the ldd, and we try and remove it with rm. I can't remove it, although we do get told it's a write-protected regular file, so we know it exists, and then there's a 'no such file or directory' error. So it hides itself in /XxJynx by hooking things like open, hooking things like stat, and so on and so forth. So what options do we have if we can't go into /XxJynx? We could try cd. So yeah, Jynx doesn't even hook chdir, so you can always change directory into the working directory, and you still can't open it with file or whatever, but you at least know you're in the directory; you at least know it exists. So cd works; file, and anything using open, don't. So we know that the rootkit exists, we know where it is, and we know that it's Jynx because it says Jynx2, so we can use reality.so. So we can actually preload reality.so and, like, see the operating system as it is, and there's no authentication for this, there's no password. So, oh yes, so Jynx hooks open as well, right, but that's gonna be important in a bit. And once you're in the directory, if what you're calling doesn't use the absolute path to the directory, then XxJynx won't be included in the function call, so the hook doesn't work. So certain programs won't ever be hooked or affected by the Jynx functions. And as well as that, once we have reality.so, we are immune to all the hooks; we see the operating system as it is, so we can just remove it. But that's boring, so let's do the bonus round. So if you strings this Jynx2, you look for XxJynx, and the way Jynx does privilege escalation is it checks for an environment variable before a setuid binary is launched, so you can just strings the thing, grab the environment variable, and then you're root; you privilege escalate, like, really easily. There's no obfuscation; again, there's nothing hiding this; it's just lying there in the strings of the library. Without even preloading, it's really poorly designed, and so it's not obfuscated, it's always in the same location, Jynx, and then you always have access to strings, so you always find it; you'll always be able to get elevated privileges and escape the hooks when you do that, and also get out reality.so; you've got it too. So if the guy deploying the rootkit is really smart, you might have a problem, and so he could change, for example, the idea that they're going to change the directory, and they're going to change the name of the folder to be something like, they change the name of the Jynx library itself. Well, because we talked quickly about open, but not open64: you can do this. You can su to root, you know it's there, you can go into /etc/ld.so.preload and it's gone, because, um, yeah, it uses open64 instead of open, so that's pretty... you can just overwrite the file, that's it, it's nice. So yeah, nearly every single rootkit that is based on Jynx, except for a few, fails at hooking open64. I don't know why; they just copy the same code for everything and haven't probably changed it. I mean, let's take Galan, right: they must have spent days on this crazy encrypted backdoor, at least, maybe even months of work, and you can just do, like, that: gone, it's gone. And so yeah, these userland rootkits are all based on Jynx; that's why you have that. It means that removing is trivial all the time; it's not as fun as privilege escalating, but it's effective, it's easy to do. And it strikes me as weird that they have the i686 open hook and not the open64 one. So if it does ever get fixed, here is a tiny base64-encoded binary; it just removes it, 170 characters, done. And so, other rootkits: so again, Galan, as I just said, it's got the exact same vulnerabilities, it's got the exact same problems. It changes the password
for the accept backdoor; Jynx doesn't hash it, Galan does, SHA-256 or SHA-1, whichever it is. And it's got its crazy client, like the encrypted traffic stuff, but that's the way: it's still really loose, it's really easy to remove; it doesn't include any extra hooks. There's no point talking about it; it's as easy as Jynx, but just really pretentious. Then lib__mdma: they do hook the PAM family of functions, okay, so you can always get in by SSH, which is quite cool. They don't use reality.so; they do a lookup, and I'm trying to think of how they do it off the top of my head, because I looked at the backdoor: they use an EUID or UID and check to see whether the hooks run on your functions based on that. And open: they only hook open, not open64, and the original doesn't have an environment variable for privilege escalation, so you don't really have that option, sadly. And lib__mdma has, like, fancy stuff and all kinds of things for the backdoor, kind of like Galan, but knowledge on the top, and it uses another library called labels forms or any in a crypt that cell, which is another subtle name, and there's no hashed passwords; their environment variables are stated, so again, it's pretty easy to remove. Umbreon hooks functions based on your GID. So if you are root and your group ID is 1337, for example, you'll be able to see the files; if not, you won't. And so it's a good idea in practice: it avoids reality.so, which is a vulnerability, and it gets rid of that. But every function now needs a GID check, you know, are you the rootkit owner? So if you objdump the library, because it hooks about 100-something functions, you have, like, 100 different compare instructions that are all checking for this one GID. So you can simply pull it out, change your GID to it, there you go. There's also an environment variable which you can use for privilege escalation, and here is an example of the compare: so 84 compares, like, you can't really miss that. That said, Umbreon does hook open64; it makes it really annoying to remove, and it doesn't install itself to a folder and protect that like Jynx; it protects itself and the folder it's in, and it usually shares the name. It also uses chattr, which, if you aren't familiar with it, there are extended filesystem attributes in Linux which allow you to set sort of permissions on a file, it being like you can't normally delete it. SHV4 or 5, which I mentioned earlier, used that to make their really obvious, like, /bin/ps backdoor difficult to remove, which is fine when they're not hooking functions and trying to, like, trip you up, but when they are, then that's a real pain. And Umbreon is kind of flawed, and sometimes there's, like, a race condition in the install script, so sometimes it writes the location to /etc/ld.so.preload first but only includes the file and not the library, so you just end up getting loads and loads of LD_PRELOAD errors, and there's a tool for removing it when it's messed up, and that works pretty well. But yeah, I mean, it's kind of weird that the install script has a race condition, right; it can
break it. As for Azazel: Azazel has a number of kind of cool features. So the first feature that it has which is interesting is that, instead of breaking ldd, when you're root and you try to ldd things, Azazel will move itself before you do that; so it hooks execve and, like, ldd, and it actually copies itself to a different directory and then moves itself back afterwards. So that's really quite cool, but the problem with that is, if you are not root, it actually doesn't have the permissions to move itself, so you can just be the annoying user and you'll see it in ldd. And again, as I said as well before, because it doesn't attempt to hide itself, you can always see it, like, if you ls you'll be able to see it, and its default name when you install it is libselinux.so, and it lives inside of the /lib folder, so it's not that suspicious. But if you're using Debian, something that doesn't have SELinux installed, then it's pretty obvious. And it doesn't hash the password for, like, the accept backdoor or anything like that, and it does XOR its variables to avoid you seeing them in strings, but you can write a 30-line Perl script, or, like, 21 in Python, and get the defaults, like the default password. It has, um, the PAM hooks in Azazel, which are immensely, immensely broken, and this is why I don't think anyone actually used it before they gave all these, like, glowing reviews on these hacking forums, because if you look at this right now, the XORed variables for all the strings come after, in the init, like the binding, the library itself, and the Bible quote is not XORed; it's sitting there on its own, and the XORed variables all come in the .data section, straight up at the same offset where all the strings are, so you can basically pull out anything from that section and un-XOR it to get the password for the backdoor. And Azazel was also supposed to break ldd, you know, and for reasons... I mean, it does try and move itself, I assume, if you're a normal user, but that doesn't work; it's broken because of a typo, and they never actually fixed it; it's been a few years. But so here we have the PAM hooks in Azazel: segfault when you try and su, and it's incredibly, incredibly broken. And anything that uses any of the PAM functions at all, and that's mission-critical on your Linux box, don't try and play with it right now because it just breaks everything; the only thing that works is sshd, and that only works sometimes, and other times it's crashed on me. Also there you can see the libselinux turn up in the ldd, which, this is how I feel: this is like having the Blackhat Academy guys talking for months about how their rootkit does all this, and it's broken because of a typo, and the PAM hooks are broken, even though people have been writing about it for three years. Ridiculous.

So I've repeated the same slide quite a bit; I've gone through the same stuff. Userland rootkits are definitely going to become more popular with the kernel changes, because as the kernel changes, and things like the exec functions and syscall tables change, it breaks the kernel ones; it's a lot easier to write something that lives in userland and hooks the entire userland than it is to have ten million ifdefs in your kernel rootkit just in case you install it on a different kernel version. And they are pretty powerful; you can do some really, really interesting things with them; you can hook execve, for example. I've written a proof of concept one myself that is interesting: it loads itself into memory before every program runs, and then if it finds it's gone, it recreates itself. And so in terms of forensics, you can essentially read /etc/ld.so.preload off the hard disk offline, and there you have it, you've found it, okay, that's that; again, there's no obfuscation. In terms of live forensics, when you're actually on the box, if you can't do ldd you can do /proc/<pid>/maps, and so every program running in Linux has a maps file, and this is what ldd reads from, and the kernel essentially lists all of the loaded libraries. And obviously you can use ldd, but just in case it's broken, you can also check the memory addresses of the functions, because if they're not in the place they're supposed to be, then someone's obviously messing around with your functions. And if anyone has any samples, you can find me on Twitter, will underscore ta 0; please feed me loads and
loads of samples; I really enjoy these. I was exceedingly, exceedingly happy to get Umbreon this weekend, Umbreon v3 this weekend, and I finished the slides, I thought I'd have a really cool discussion about it, be the first person to talk about it, but nothing works, yeah. So my tools, like I talked about earlier, they're on GitHub: github.com / said march / PRELOAD, all caps, or Google preload removal if you want to assemble it. It's nasm, and I'm not using ld; it's nasm -f, and the reason I'm doing it that way is because it makes it really small: I wrote custom ELF headers, and an sshd killer as well, it's pretty obvious what it does. And other useful tools you might want to keep around if you're playing with these: so if you keep a copy of Jynx's reality.so, it will then break every other rootkit, so you can just have that lying around and LD_PRELOAD it any time you're playing with these; it's really good to keep your copy on, like, a USB, just in case. And there's also the sash shell, which is a small statically compiled shell; it's usually used for, like, recovering from a horrible operating system crash, because everything's built into it, but alternatively sometimes you'll find it's
used on routers and things, but it's got all these built-in utils; it's really good. And Umbreon v3 actually attempted to break sash, breaking executing sash; since it doesn't work, you don't need to worry about that. So, questions? Anyone?

Why is /etc/ld.so.preload still there? Yeah, I have no idea. Again, this probably comes back to some, like, mailing list conversation in the 1990s where Stallman and Linus were like, let's include this, this seems like a good idea, and then they've never removed it. And I mean, in all honesty, if you're a sysadmin, you could pretty much just create the file yourself, chattr it so no one can write to it, and then go about it, because you will never ever need to use this; I've never once seen a legitimate use of it.

I have two questions. First, if you want to use reality.so, does setting the LD_PRELOAD environment variable override what's in /etc/ld.so.preload? Yes, yes it does, technically. Second, my understanding is that ldd can execute code; I might be wrong, this is just something I have heard. Have you seen anyone take advantage of that? So say you're using ldd as a user trying to check if something's dangerous, and suddenly it's got an entry point it wouldn't otherwise have. So, not as far as I'm aware; I've heard that, and I mean, it depends: if you're using sudo, if they've got access to, like, your account, you're pwned anyway, and, like, ldd is a bash script that is in /usr/bin; it doesn't have any real options for executing alternate things. I mean, I guess if someone has your user account, they might change your .bashrc to, like, do that, so, say that you're running a backdoor and, like, ldd is scripted so that it also, like, gets some shell or something, then yeah, it might be bad, but I've never seen it, like, offer any options for code injection really. Um, I mean, again, all it does is set environment variables, and so yeah, I don't think it's a situation, but I'll have a look at that; I've never seen anyone mess with it.

Some years ago there was a discussion of preload and rootkits here, and what was discussed... The other question: are you seeing any other operating systems where this is happening? So it's interesting that you actually ask that, because there was a bunch of NAS cgi-bin exploits released, 2014 maybe, 2013, and me and one of my friends set up honeypots, and we would actually see that there would be a bunch of guys scanning, you know, the sort of, like, these NAS things, and trying to install Jynx. Something, yeah. The thing is, there is a shell and generally it's statically compiled, so it's busybox or whatever, but they were trying to install these rootkits on ARM NASes and routers, but I mean, I don't know. But one thing I've discussed with some colleagues at work is the idea of using it on Android, for example, or even...

Will SELinux stop it? Yes, SELinux will stop it. The one problem you'll have with that is, if you're root already, just disable SELinux, and normally no one notices unless they're paying attention. grsec as well; because you can set enforcing to permissive and it should stop it, which you can get around, unfortunately. And grsec does break it a lot better, but I can't remember how. But yeah, thank you. Anyone else?

Okay, thank you very much.
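The talk points at three places a defender can look for an LD_PRELOAD rootkit: /etc/ld.so.preload itself (and the flood of loader errors when an entry is missing, as with the botched Umbreon install), ldd output that suddenly lists extra libraries for a trivial binary like /bin/echo, and /proc/<pid>/maps when ldd can no longer be trusted. The script below is an added example, not code from the talk or from the speaker's GitHub tools; it parses constructed samples of each artefact (the paths under /tmp/constructed_rk/ and the addresses are invented, and the library directory list is an assumption to tune per distribution) and applies those checks, including a baseline comparison so that a library hiding in a trusted directory such as /lib is still caught.

```python
"""Spot LD_PRELOAD-style userland rootkits from the three artefacts the talk
relies on: /etc/ld.so.preload, ldd output, and /proc/<pid>/maps.
Every input below is a constructed sample, not data from a real infection."""

# Assumption: where the dynamic linker is expected to resolve libraries from.
# Tune per distribution; this is only a starting point.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/lib32/", "/usr/lib/", "/usr/lib64/", "/usr/lib32/")


def parse_ld_so_preload(text):
    """Return the library paths listed in /etc/ld.so.preload, skipping blank
    lines and '#' comments. The talk's point: any entry at all deserves a look."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())  # the loader accepts whitespace-separated entries
    return entries


def audit_preload(text, existing_paths):
    """Split ld.so.preload entries into 'present' (the live preload) and 'missing'
    (the source of endless 'cannot be preloaded' errors after a broken install)."""
    report = {"present": [], "missing": []}
    for path in parse_ld_so_preload(text):
        report["present" if path in existing_paths else "missing"].append(path)
    return report


def parse_ldd(text):
    """Map each entry of ldd output to the path the linker resolved it to.
    Lines without '=>' are the loader, the vdso, or a preloaded object given by
    absolute path; they keep the path as their key. 'not found' maps to None."""
    libs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=>" in line:
            soname, rest = (s.strip() for s in line.split("=>", 1))
            path = rest.split(" (")[0].strip()
            libs[soname] = None if path == "not found" else path
        else:
            path = line.split(" (")[0].strip()
            libs[path] = path
    return libs


def parse_maps(text):
    """Collect file-backed shared objects mapped into a process from
    /proc/<pid>/maps; [vdso], [heap] and the executable itself are skipped."""
    mapped = set()
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in parts[5]:
            mapped.add(parts[5])
    return mapped


def suspicious_libs(paths, baseline=frozenset()):
    """Flag resolved libraries loaded from outside the trusted directories, or
    absent from a known-good baseline (ldd of the same binary on a clean host).
    The baseline is what catches a rootkit parked in /lib under a plausible name."""
    flagged = set()
    for p in paths:
        if p and p.startswith("/"):  # skip vdso-style names and 'not found' entries
            if not p.startswith(TRUSTED_LIB_DIRS) or (baseline and p not in baseline):
                flagged.add(p)
    return flagged


def maps_not_in_ldd(maps_text, ldd_text):
    """Libraries the live process has mapped that ldd did not report: either ldd
    is being lied to, or something was injected after the program started."""
    return parse_maps(maps_text) - {p for p in parse_ldd(ldd_text).values() if p}


# Constructed samples, modelled on the talk's before/after ldd of /bin/echo.
LDD_CLEAN = """\
\tlinux-vdso.so.1 (0x00007ffc1b5f2000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a2c400000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f3a2c7e0000)
"""
LDD_INFECTED = """\
\tlinux-vdso.so.1 (0x00007ffc1b5f2000)
\t/tmp/constructed_rk/preload.so (0x00007f3a2c9a0000)
\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3a2c700000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a2c400000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f3a2c7e0000)
"""
MAPS_INFECTED = """\
55d1a2e00000-55d1a2e08000 r-xp 00000000 08:01 131 /usr/bin/echo
7f3a2c400000-7f3a2c5c0000 r-xp 00000000 08:01 262 /lib/x86_64-linux-gnu/libc.so.6
7f3a2c700000-7f3a2c760000 r-xp 00000000 08:01 263 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3a2c9a0000-7f3a2c9a4000 r-xp 00000000 08:01 264 /tmp/constructed_rk/preload.so
7f3a2c7e0000-7f3a2c806000 r-xp 00000000 08:01 265 /lib64/ld-linux-x86-64.so.2
7ffc1b5f2000-7ffc1b5f4000 r-xp 00000000 00:00 0 [vdso]
"""
PRELOAD_FILE = "/tmp/constructed_rk/preload.so\n/tmp/constructed_rk/gone.so\n"

if __name__ == "__main__":
    print(audit_preload(PRELOAD_FILE, {"/tmp/constructed_rk/preload.so"}))
    baseline = set(parse_ldd(LDD_CLEAN).values())
    print(suspicious_libs(parse_ldd(LDD_INFECTED).values(), baseline))
    print(maps_not_in_ldd(MAPS_INFECTED, LDD_CLEAN))
```

On a real host, feed `parse_ld_so_preload` the contents of /etc/ld.so.preload, `parse_ldd` the output of `ldd` on a small known binary, and `parse_maps` the text of /proc/self/maps; the baseline set comes from running ldd on the same binary on a known-clean install of the same distribution. A library that ldd omits but maps shows is the situation the talk describes where ldd has been tampered with, and a rootkit that breaks ldd outright shows up as the parser returning nothing useful at all.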