Friday, April 17, 2009

A new Linux rootkit technique presented

Anthony Lineberry, a Linux expert, announced during his presentation, "Alice in User-Land: Hijacking the Linux Kernel via /dev/mem", at the Black Hat security conference now taking place in Amsterdam that he will shortly be publishing the libmemrk library. He says Libmemrk works in both 32-bit and 64-bit environments.

This offers rootkit developers a new way to hide files or processes, or interfere with network traffic. The trick is that, without requiring extensive rights, libmemrk uses the /dev/mem device driver to write arbitrary code from userspace into main memory. /dev/mem is an interface that enables use of the physically addressable memory. For example XServer and DOSEmu, both use it. Lineberry says introducing rootkits via /dev/mem is also less obvious than the established route via loadable kernel modules (LKMs).

The library relieves a rootkit programmer of the "laborious" work of translating virtual memory addresses to physical ones and identifying a memory range that can be exploited for the attack. An attacker can't overwrite the existing system calls and replace them with his own code until the suitable ranges, normally used by the kernel, have been located. The real contents written into memory by the kernel are meanwhile shifted into a buffer.

The detailed steps required for a successful attack, which are handled by libmemrk, are described by Lineberry in his white paper, Malicious Code Injection via /dev/memPDF. However, Lineberry states there that an attack fails in virtual environments because the hypervisor behaves differently from unvirtualised hardware. Lineberry asks his audience to bear in mind that, regardless of libmemrk, the whole attack must be hand-programmed in assembly language. In future, Lineberry intends that libcc will be used in order to at least reduce the impact of this hurdle.


No comments: