Information Security

13th September 2012

Cr0security Rootkit Analysis

Just a quick 'n dirty dynamic analysis.

Modinfo

filename:       cr0security.ko
license:        GPL
author:         cr0security.com

C&C

=========================================
Welcome to Cr0security TCPD Console
==========================================
available commands:
bcs - shd - who - psa - prt - help - exit
description:
bcs - back connect to your current ip via port 7778 (setup netcat to listen on 7778)
shd - seed command : view /etc/shadow
psa - seed command : ps aux | tail
who - seed command : show who is logged on
prt - print your command's result
help - print this help
exit - exit this console
console >

active internet connections

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name        
tcp        0      0 0.0.0.0:3737            0.0.0.0:*               LISTEN      -  

No PID, no cry: let's acquire the memory.

sysfs is not hijacked, so we can see that the rootkit module exists:

% python vol.py --filename cr0security.lime --profile=LinuxServerx86 linux_check_modules
Volatile Systems Volatility Framework 2.2_rc1
Module Name
-----------
cr0security

How it was inserted:

% python vol.py -f cr0security.lime --profile=LinuxServerx86 linux_bash -H 0x810eee0
Volatile Systems Volatility Framework 2.2_rc1
Command Time         Command
-------------------- --------
--*snip*--

#1347451275          insmod cr0security.ko

--*snip*--

ps

% python vol.py -f cr0security.lime --profile=LinuxServerx86 linux_psaux
Volatile Systems Volatility Framework 2.2_rc1
Pid    Uid    Arguments
--*snip*--

10243  0      insmod cr0security.ko                                            Wed, 12 Sep 2012 19:01:14 +0000

--*snip*--

Offset of the insmod task:

% python vol.py -f cr0security.lime --profile=LinuxServerx86 linux_pslist
Volatile Systems Volatility Framework 2.2_rc1
Offset     Name                 Pid             Uid             Start Time
---------- -------------------- --------------- --------------- ----------
--*snip*--

0xf61cfaa0 insmod               10243           0               Wed, 12 Sep 2012 19:01:14 +0000

--*snip*--

A weird entry in the PID hash table, made by the rootkit:

% python vol.py -f cr0security.lime --profile=LinuxServerx86 linux_pidhashtable
Volatile Systems Volatility Framework 2.2_rc1
Offset     Name                 Pid             Uid             Start Time
---------- -------------------- --------------- --------------- ----------

--*snip*--

0xf6c02550 ????0???w?           -1025472120     4133601804      Sat, 15 Sep 2012 18:06:49 +0000

--*snip*--
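To spot an entry like that without eyeballing the two tables, here is an added example (not code from the original post): it parses linux_pslist and linux_pidhashtable output, reports tasks present in only one of the two views, and flags entries whose PID is out of range, whose UID sits in the 32-bit kernel address range (so is probably a pointer), or whose comm is mostly unprintable. The sample rows are constructed from the listings above, and PID_MAX and KERNEL_BASE_32 are assumed values for this profile.

```python
import re
# One data row of linux_pslist / linux_pidhashtable (Offset, Name, Pid, Uid, Start Time); Name is
# matched non-greedily so a garbage comm field like "????0???w?" still parses.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(-?\d+)\s+(\d+)\s+(.*)$")
PID_MAX = 4194304              # assumed kernel.pid_max ceiling
KERNEL_BASE_32 = 0xC0000000    # assumed start of kernel space for this 32-bit x86 profile

def parse_table(text):
    """Map task offset -> (name, pid, uid, start); header, separator and snip lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            off, name, pid, uid, start = m.groups()
            rows[int(off, 16)] = (name, int(pid), int(uid), start)
    return rows

def entry_problems(name, pid, uid):
    """Heuristics for a task_struct entry that is corrupt or fabricated rather than a real process."""
    problems = []
    if pid < 0 or pid > PID_MAX:
        problems.append("pid out of range")
    if uid >= KERNEL_BASE_32:
        problems.append("uid looks like a kernel pointer")
    if name and 2 * sum(not (c.isalnum() or c in "._-/:+@ ") for c in name) > len(name):
        problems.append("comm is mostly non-printable")
    return problems

def cross_view(pslist_text, pidhash_text):
    """Compare the task-list walk with the PID hash table; return {offset: [findings]}."""
    pslist, pidhash = parse_table(pslist_text), parse_table(pidhash_text)
    findings = {}
    for off in sorted(set(pslist) | set(pidhash)):
        notes = []
        if off not in pslist:
            notes.append("only in pid hash table (unlinked from task list?)")
        if off not in pidhash:
            notes.append("only in task list (missing from pid hash table)")
        name, pid, uid, _ = pidhash.get(off) or pslist[off]
        notes += entry_problems(name, pid, uid)
        if notes:
            findings[off] = notes
    return findings

# Constructed sample modelled on the listings above: one header, one real task, one bogus entry.
PSLIST = """Offset     Name                 Pid             Uid             Start Time
0xf61cfaa0 insmod               10243           0               Wed, 12 Sep 2012 19:01:14 +0000
"""
PIDHASH = PSLIST + "0xf6c02550 ????0???w?           -1025472120     4133601804      Sat, 15 Sep 2012 18:06:49 +0000\n"
```

Calling cross_view(PSLIST, PIDHASH) returns the findings keyed by task offset; on the sample only 0xf6c02550 is reported, with all four notes.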

Now it's time to analyze: dump the memory map of the insmod process.

% python vol.py --filename cr0security.lime --profile=LinuxServerx86 linux_dump_map -p 10243 -O cr0elf
Volatile Systems Volatility Framework 2.2_rc1
Writing to file: cr0elf
Wrote 393216 bytes

Hijacked syscalls:

% strings cr0elf | grep sys_
sys_kill
sys_write
sys_unlink
sys_unlinkat
sys_open
sys_rename
should_i_disable_sys_kill
proto_sys_call
find_sys_call_table
_sys_errlist
_sys_nerr
sys_sigabbrev
_sys_siglist

The cr0security rootkit doesn't modify the syscall table; instead it uses debug registers to hook
syscalls transparently. The *_asli symbols below are presumably the saved original handlers (asli is Indonesian for "original").

% strings cr0elf | grep asli
rmdir_asli
chdir_asli
write_asli
kill_asli
unlink_asli
open_asli
unlinkat_asli
rename_asli

Tagged: Malware, Digital Forensics, Python

ABOUT THE AUTHOR
Teguh is an idealist pwner living encrypted in Indonesia.
He is passionate about security and currently defeating the CWE top 25.
He also can be found on Google+, Twitter, GitHub, Shelfari and your libc.