From the chart above we can see three ways the preload mechanism is abused:
Load the malicious dynamic link library via the LD_PRELOAD environment variable.
Load the malicious dynamic link library through the /etc/ld.so.preload configuration file.
Modify the dynamic linker itself to add malicious behaviour. For example, change the default configuration file path /etc/ld.so.preload hard-coded in the dynamic linker to a path of the attacker's choosing, then write the malicious dynamic link library to be loaded into that file. Many other modifications are possible, such as changing the default environment variables or writing the dynamic link library to be hooked directly into the dynamic linker.
0x02 Dynamic link library preload type rootkit
1. Loading malicious dynamic link libraries with LD_PRELOAD
Step 1. Setup
The LD_PRELOAD environment variable takes effect immediately; a malicious dynamic link library is loaded through LD_PRELOAD as follows.
LD_PRELOAD=/lib/evil.so    Set LD_PRELOAD to the dynamic link library to be preloaded.
export LD_PRELOAD    Export the variable so that it takes effect.
unset LD_PRELOAD    Unset the LD_PRELOAD environment variable.
The rootkit used for testing is available for download at https://github.com/mempodippy/cub3.
Print the value of LD_PRELOAD directly (by default the LD_PRELOAD environment variable is empty). If LD_PRELOAD has a value, upload the referenced file to a malware detection platform such as VirusTotal or ThreatBook to check whether it is benign, or match it against your own signatures, inspect it manually with strings, or open it in IDA to determine whether it is a malicious program.
A malicious dynamic link library loaded through the LD_PRELOAD environment variable is removed with the command unset LD_PRELOAD. As the image below shows, the previously hidden file evil.so becomes visible again.
2. Loading malicious dynamic link libraries with /etc/ld.so.preload
Step 1. Setup
Write the path of the malicious dynamic link library into the /etc/ld.so.preload configuration file (creating it if it does not exist), as shown below. Once the path is written to /etc/ld.so.preload it takes effect, and the corresponding malicious dynamic link library file is hidden.
Because malicious dynamic link libraries generally hide the /etc/ld.so.preload file, ordinary ls, cat and similar commands cannot read the contents of the configuration file. In that case we can use statically compiled ls and cat commands (the commands bundled with busybox are recommended) to bypass the preloaded library. If no statically compiled ls or cat is available, renaming the ls and cat binaries to arbitrary names can sometimes also bypass the hiding; this depends on how the malicious dynamic link library is implemented.
As shown below, you can tell whether malicious dynamic link libraries are loaded through /etc/ld.so.preload by comparing the output of the normal cat command with that of busybox cat on the /etc/ld.so.preload file.
Because the malicious dynamic link library hides files, the cleanup must be performed with statically compiled basic commands; the cleanup procedure is shown below.
First delete the /lib/evil.so file listed in /etc/ld.so.preload above so that it can no longer be preloaded, then clear the malicious entry from /etc/ld.so.preload. Some malicious dynamic link libraries change that file's hidden attribute as well as its ordinary read and write permissions, so check them first and then clear the file; at that point the removal is complete. (Since no preloaded libraries were configured here beforehand, I simply clear the whole file; if your environment legitimately configures preloaded libraries, remove only the specific line rather than clearing the file.)
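As an added example (not code from the page or from the cub3 project), a small Python checker covering the two channels of sections 1 and 2: it parses an ld.so.preload-style file, reads LD_PRELOAD, and flags an entry that stat() can see but the directory listing does not. The sample preload file is constructed in a temporary directory; if the libc of the process running the checker may itself be hooked, pass a listing function backed by a static binary such as busybox ls.

```python
import os
import tempfile

def parse_preload_file(text):
    """Return the library paths listed in ld.so.preload-style text.
    glibc's loader separates entries by whitespace or newlines and
    ignores everything from '#' to the end of the line."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries

def env_preload(value=None):
    """Libraries named in LD_PRELOAD (empty on a clean shell).
    Entries may be separated by spaces or colons."""
    if value is None:
        value = os.environ.get("LD_PRELOAD", "")
    return value.replace(":", " ").split()

def audit_entries(entries, listdir=os.listdir):
    """For each preloaded path record whether stat() sees it and whether
    the directory listing sees it. A library that exists but is absent
    from the listing is being hidden by a readdir hook. If this process's
    own libc may be hooked, pass a listdir backed by a static binary."""
    report = []
    for path in entries:
        exists = os.path.exists(path)
        try:
            listed = os.path.basename(path) in listdir(os.path.dirname(path) or "/")
        except OSError:
            listed = False
        report.append({"path": path, "exists": exists, "listed": listed,
                       "hidden": exists and not listed})
    return report

def demo_on_constructed_input():
    """Constructed sample: a real library file in a temp dir plus a missing
    path, audited once normally and once through a simulated readdir hook."""
    tmp = tempfile.mkdtemp()
    real = os.path.join(tmp, "libdemo.so")
    open(real, "wb").close()
    entries = parse_preload_file("# constructed\n%s  /nonexistent/evil.so\n" % real)
    def hooked_listdir(d):  # simulates a rootkit hiding libdemo.so from readdir
        return [n for n in os.listdir(d) if n != "libdemo.so"]
    return entries, audit_entries(entries), audit_entries(entries, hooked_listdir)

if __name__ == "__main__":
    print("LD_PRELOAD:", env_preload())
    for row in demo_on_constructed_input()[2]:
        print(row)
```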
3. Modifying the dynamic linker to achieve malicious functionality
Step 1. Setup
There are various ways to modify the dynamic linker for malicious purposes. Here we use a rootkit that replaces the default preload configuration file path /etc/ld.so.preload inside the dynamic linker, giving a stealthier preload of the malicious dynamic link library. It is installed by changing the configuration file path /etc/ld.so.preload in the dynamic linker to a custom path and then writing the absolute path of the malicious dynamic link library to be preloaded into that file. The rootkit used for testing is Vlany, available at https://github.com/mempodippy/vlany .
Modifying the default dynamic linker to add malicious functionality breaks the integrity of the original dynamic linker, so a file integrity check can tell whether the dynamic linker has been modified.
First obtain the file path of the dynamic linker on the system, then check the integrity of that file. The test system here is CentOS, which ships with RPM package verification. In the figure below, the 5 means the file's MD5 digest has changed and the T means its modification time has changed.
If we find that the dynamic linker has been modified (ruling out a system upgrade), it is a high security risk and the modification needs to be confirmed further. If the attacker modified the dynamic linker in a way other than changing the preload configuration file path, for example by changing the default environment variables, or by implanting the malicious function into the open-source loader code and recompiling it into a malicious dynamic linker, then the detection methods below may not be effective and the situation has to be analysed case by case.
Use the strace command to check whether the preload configuration file is /etc/ld.so.preload. As shown below, the dynamic link library preload configuration file is /sbin/.XsknPn3F instead of the original one, so we can confirm that a rootkit that modifies the dynamic linker is present on the system.
Use the cat command that comes with busybox to view that file, since it cannot be viewed with the normal cat command, being hidden by the preloaded library's hooks.
To remove a rootkit that modifies the dynamic linker, replace the modified dynamic linker with the same version of the dynamic linker taken from an identical system; only then is the removal complete. Temporary relief can be obtained by deleting the malicious library found during the detection above and clearing the contents of the corresponding dynamic linker configuration file.
0x03 Summary of common detection methods
From the dynamic link library preloading mechanism we know that a preloaded malicious dynamic link library only affects programs that use dynamic libraries, and that the basic function of such a library is hiding files. The detection idea is therefore to use applications that do not rely on dynamic libraries wherever possible, which bypasses the file-hiding function.
Use the ordinary ls command to list a specific directory, then list the same directory with a statically compiled ls and compare the two to find hidden files. Be sure to check the file /etc/ld.so.preload and the classic directory /lib/. For incident response, busybox or your own statically compiled ls and similar commands are recommended.
The dynamic link library preloading mechanism reads the preload configuration file and then loads the dynamic link libraries it lists. Based on this, you can determine whether a malicious dynamic link library is present by tracing the files opened during the execution of common commands.
strace file tracing.
When an executable runs, the loader first accesses the dynamic link library preload configuration file, reads and preloads the dynamic libraries listed in it, and only then loads the libraries the program normally requires. By tracing the files opened by /bin/ls you can find the preload configuration file and the preloaded dynamic link library. If the malicious dynamic link library has anti-strace measures, rename the strace binary, or use the LD_PRELOAD environment variable to preload an unrelated dynamic link library before running strace; this bypasses anti-strace measures that detect strace by the executable name.
File integrity check: some attackers add malicious functionality by modifying the dynamic linker, but this breaks the integrity of the dynamic linker, so checking the integrity of the dynamic linker can detect rootkits of the modified-dynamic-linker type.
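As an added example that is not from the page or from the Vlany project, a Python parser for the output of `strace -f -e trace=access,open,openat /bin/ls` that applies the check from section 3 and from the strace paragraph above: the first file the loader touches is its preload configuration file, and libraries opened between that file and /etc/ld.so.cache are the preloaded ones. Both traces below are constructed sample lines; the tampered one uses the /sbin/.XsknPn3F path observed above.

```python
import re

# Syscalls glibc's loader uses to find and read its preload file:
# access(), open() on older glibc and openat() on newer releases.
SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(access|open|openat)\((?:AT_FDCWD,\s*)?"([^"]+)"')

# Constructed sample of a trace from an unmodified loader with no preload file.
CLEAN_TRACE = """\
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
"""

# Constructed sample: the loader's preload path was rewritten to the
# /sbin/.XsknPn3F file seen in the article, which lists /lib/evil.so.
TAMPERED_TRACE = """\
access("/sbin/.XsknPn3F", R_OK) = 0
openat(AT_FDCWD, "/sbin/.XsknPn3F", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/evil.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
"""

def loader_file_accesses(strace_text):
    """Paths passed to access/open/openat, in the order they were traced."""
    paths = []
    for line in strace_text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            paths.append(m.group(2))
    return paths

def preload_config_path(strace_text):
    """The first file the loader consults is its preload configuration file."""
    paths = loader_file_accesses(strace_text)
    return paths[0] if paths else None

def is_loader_modified(strace_text):
    """An unmodified glibc loader always starts with /etc/ld.so.preload."""
    return preload_config_path(strace_text) != "/etc/ld.so.preload"

def preloaded_libraries(strace_text):
    """Libraries opened after the preload file and before /etc/ld.so.cache
    were forced in by the preload mechanism, not requested by the program."""
    paths = loader_file_accesses(strace_text)
    libs = []
    for p in paths[1:]:
        if p == "/etc/ld.so.cache":
            break
        if p != paths[0] and (p.endswith(".so") or ".so." in p):
            libs.append(p)
    return libs
```

On a real system pipe the strace output (strace writes to stderr) into these functions; a first path other than /etc/ld.so.preload is the signature of the modified loader described in section 3.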