Be wary of backdoors that exploit malicious dynamic link libraries of the Linux preload type


0x00 Dynamic Link Library Preloaded Rootkit Overview

The dynamic link library preload mechanism lets a user supply custom shared libraries that the dynamic linker loads before an executable starts running. Because a function defined in the preloaded library with the same name as a system library function takes precedence, a call to that function is "short-circuited" to the redefined version instead of the normal library function. The technique has legitimate uses, such as replacing a vulnerable library function to patch a flaw (for example the gethostbyname family of functions behind the GHOST vulnerability). It can equally be used by an attacker to write a rootkit that hides files and processes by redefining mkdir, mkdirat, chdir, fchdir, opendir, opendir64, fdopendir, readdir, readdir64 and other library functions related to files, the network and processes. Compared with an ordinary userspace rootkit it is stealthier and harder to detect; compared with a kernel module rootkit it is more portable and easier to write. These two advantages combined make this class of rootkit harder to detect and remove year by year.

0x01 Techniques used by dynamic link library preloaded rootkit

1. Linux dynamic link library preloading mechanism

When a program is loaded on Linux, the dynamic linker reads the value of the LD_PRELOAD environment variable and the contents of the default configuration file /etc/ld.so.preload and preloads the libraries they list, even if the program does not depend on them. These libraries take precedence over the ones found through the search path defined by the LD_LIBRARY_PATH environment variable, so they are loaded before the libraries the program actually calls.

2. Global symbol interposition

Global symbol interposition means that when an application calls a library function that is defined in more than one loaded shared library (several functions with the same name), the linker keeps only the first definition it linked and ignores those linked later. So whenever a preloaded library exports a global symbol with the same name as one in a shared library loaded afterwards, the preloaded definition overrides the one in the later-loaded shared library or object file.

3. Technical points exploited by rootkits

Because these two mechanisms, dynamic link library preloading and global symbol interposition, give the user control over the runtime linker and let a custom library be loaded ahead of everything else, a malicious library can be loaded before the legitimate ones. By the ordering rule of global symbol interposition it then "short-circuits" the normal functions and executes the attacker-defined malicious functions instead.

From the diagram above, three ways of exploiting this can be seen:

Load the malicious dynamic link library via the LD_PRELOAD environment variable.

Load the malicious dynamic link library through the /etc/ld.so.preload configuration file.

Modify the dynamic linker itself to achieve the malicious function: for example, change the default configuration file path /etc/ld.so.preload compiled into the dynamic linker to a path chosen by the attacker, then write the malicious library to be loaded into the file at that path. Many other modifications are possible, such as changing the default environment variable names, or writing the library to be hooked directly into the dynamic linker.

0x02 Dynamic link library preload type rootkits

1. Loading malicious dynamic link libraries with LD_PRELOAD

Step 1. Setup

The LD_PRELOAD environment variable takes effect immediately. The method for loading a malicious library with LD_PRELOAD is as follows.

LD_PRELOAD=/lib/evil.so    sets the value of LD_PRELOAD to the dynamic link library to be preloaded.

export LD_PRELOAD    exports the environment variable so that it takes effect.

unset LD_PRELOAD    unsets the LD_PRELOAD environment variable.

The rootkit used for testing is available for download at https://github.com/mempodippy/cub3.

Step 2. Detection

Print the value of LD_PRELOAD directly (by default the variable is unset). If it has a value, upload the referenced file to a malware detection platform such as VirusTotal or ThreatBook (微步在线) to check whether it is benign, or match it against your own signatures, run strings on it by hand, or open it in IDA to determine whether it is malicious.

Step 3. Removal

A malicious library installed through the LD_PRELOAD environment variable is removed with the command unset LD_PRELOAD. As the image below shows, the previously hidden file evil.so then becomes visible.

2. Loading malicious dynamic link libraries with /etc/ld.so.preload

Step 1. Setup

Write the path of the malicious library into the /etc/ld.so.preload configuration file (creating it if it does not exist), as shown below. The entry takes effect as soon as it is written, and the corresponding malicious library file is hidden.

Step 2. Detection

Because a malicious library usually also hides the /etc/ld.so.preload file, ordinary ls, cat and similar commands cannot read the configuration file. In that case use statically compiled ls and cat commands (the ones bundled with busybox are recommended), which the preload mechanism cannot affect. If no static ls or cat is available, renaming the ls or cat binary to some other arbitrary name sometimes also bypasses the hiding; whether it does depends on how the malicious library is implemented.

As shown below, comparing the contents of /etc/ld.so.preload as reported by the normal cat command with the output of busybox cat tells you whether a malicious library is being loaded through the configuration file.
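As an added example (not code from the original article), the same comparison done in C instead of with busybox: the file is read once through raw syscalls, which a hook installed in libc cannot intercept, and once through libc's fopen/fread, and the two views are compared. It assumes Linux and a dynamically linked build, so that a preloaded library does affect the libc path.

```c
#define _GNU_SOURCE            /* syscall(), AT_FDCWD */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read a file using raw syscalls only: no fopen/read wrappers from libc, so a
   preloaded hook library never sees the request. Returns bytes read, or -1. */
long raw_read_file(const char *path, char *out, size_t n)
{
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (fd < 0) return -1;
    long total = 0, r = 0;
    while ((size_t)total < n - 1 &&
           (r = syscall(SYS_read, fd, out + total, n - 1 - total)) > 0)
        total += r;
    syscall(SYS_close, fd);
    out[total] = '\0';
    return r < 0 ? -1 : total;
}

/* The same file through stdio, i.e. the libc path a preload rootkit hooks. */
long libc_read_file(const char *path, char *out, size_t n)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t got = fread(out, 1, n - 1, f);
    fclose(f);
    out[got] = '\0';
    return (long)got;
}

/* 0: kernel and libc agree (file absent for both, or identical content).
   1: libc cannot see the file or reports different content, the classic
   symptom of a library hooking fopen/read to hide /etc/ld.so.preload. */
int preload_config_view_differs(const char *path)
{
    char raw[4096], via_libc[4096];
    long a = raw_read_file(path, raw, sizeof raw);
    long b = libc_read_file(path, via_libc, sizeof via_libc);
    if (a < 0 && b < 0) return 0;
    if (a < 0 || b < 0) return 1;
    return strcmp(raw, via_libc) != 0;
}

int main(void)
{
    int differs = preload_config_view_differs("/etc/ld.so.preload");
    printf("/etc/ld.so.preload: %s\n", differs ? "HIDDEN OR ALTERED BY LIBC" : "consistent");
    return differs;
}
```

A hook on libc's syscall() wrapper itself would defeat this check, which is why a statically compiled tool such as busybox remains the fallback.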

Step 3. Removal

Because the malicious library hides files, the cleanup has to be performed with statically compiled basic commands. The cleanup procedure is shown below.

First delete the /lib/evil.so file that was seen in /etc/ld.so.preload above so that it can no longer be preloaded, then remove the malicious entry from /etc/ld.so.preload. Some malicious libraries also change the hidden attribute and the ordinary read/write permissions of that file, so inspect the permissions first and then clear it. At that point the removal is complete. (Since I had not configured any preloaded libraries here before, I simply emptied the file; if your environment legitimately configures preloaded libraries, delete only the specific line instead of emptying it.)

3. Modifying the dynamic linker to achieve malicious functionality

Step 1. Setup

There are various ways to modify the dynamic linker for malicious purposes. Here we use a rootkit that replaces the default preload configuration file path /etc/ld.so.preload inside the dynamic linker to make the preloading stealthier: it is installed by changing the configuration file path /etc/ld.so.preload in the dynamic linker to a custom path and then writing the absolute path of the malicious library to be preloaded into the file at that path. The rootkit used for testing is Vlany, available at https://github.com/mempodippy/vlany.

Step 2. Detection

Modifying the default dynamic linker to achieve a malicious function breaks the integrity of the original dynamic linker, so a file integrity check reveals whether the dynamic linker has been modified.

First find the file path of the dynamic linker on the system, then verify the integrity of that file. The test system here is CentOS, which ships with rpm package verification (rpm -V). In the figure below, 5 means the MD5 digest of the file has changed and T means its modification time has changed.

Once we know the dynamic linker has been modified (and a system upgrade is excluded), it represents a serious security risk and the modification needs further investigation. If the attacker modified the dynamic linker in a way other than changing the preload configuration file path, for example by changing the default environment variable names, or by implanting the malicious function into the open-source dynamic linker code and recompiling it, then the detection method below may not work and the case has to be analysed individually.

Use the strace command to check whether the preload configuration file is still /etc/ld.so.preload. As shown below, the preload configuration file is /sbin/. XsknPn3F rather than the original file, which confirms that a rootkit modifying the dynamic linker is present on the system.

View that file with the cat bundled in busybox; it cannot be viewed with the normal cat command because the preloaded library functions hide it.

Step 3. Removal

To remove a rootkit that modifies the dynamic linker, replace the modified dynamic linker with the same version of the dynamic linker taken from an identical system; only then is the removal complete. Temporary relief can be obtained by deleting the malicious library found during the detection steps above and clearing the contents of the dynamic linker's configuration file.

0x03 Summary of common detection methods

From the preloading mechanism it follows that a preloaded malicious library only affects programs that use dynamic library functions, and the basic function of such a library is to hide files. The detection idea is therefore to use programs that do not depend on dynamic libraries, which bypasses the file hiding.

Cross-checking.

List a specific directory with the ordinary ls command and then with a statically compiled ls, and compare the results. The file /etc/ld.so.preload and the classic directory /lib/ must be checked for hidden files. For emergency response, busybox or your own statically compiled ls and other basic commands are recommended.
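The cross-check above implemented in C, as an added example that is not the article's code: the directory is enumerated once with the raw getdents64 syscall, which no preloaded library can intercept, and once with libc's opendir/readdir, and every entry the kernel returns but libc omits is reported. It assumes Linux and a dynamically linked build, since the point is to compare the hooked libc path against the kernel's answer.

```c
#define _GNU_SOURCE            /* syscall(), O_DIRECTORY, AT_FDCWD */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout the kernel writes for getdents64 (see getdents(2)). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Does libc's readdir() report an entry called name on stream d? */
static int libc_sees(DIR *d, const char *name)
{
    struct dirent *de; rewinddir(d);
    while ((de = readdir(d)) != NULL)
        if (strcmp(de->d_name, name) == 0) return 1;
    return 0;
}

/* Count entries of dir that raw getdents64 returns but libc's opendir/readdir
   omits: 0 on a clean system, >0 if the listing is filtered, -1 on error. */
int count_hidden_entries(const char *dir)
{
    long fd = syscall(SYS_openat, AT_FDCWD, dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    DIR *d = opendir(dir);
    if (d == NULL) { close((int)fd); return -1; }
    char buf[32768]; long n, hidden = 0;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0) {
        for (long off = 0; off < n; ) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            off += e->d_reclen;
            if (e->d_ino == 0) continue;          /* deleted entry, readdir skips it too */
            if (!libc_sees(d, e->d_name)) {
                printf("hidden from libc: %s/%s\n", dir, e->d_name);
                hidden++;
            }
        }
    }
    closedir(d); close((int)fd);
    return n < 0 ? -1 : (int)hidden;
}
```

Run it against /lib/ and /etc, the two places the article singles out; a nonzero count names the entries a userspace hook is filtering out.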

The dynamic link library preloading mechanism reads the preload configuration file and then loads the libraries it lists. Based on this behaviour, tracing the files loaded while common commands execute reveals whether a malicious library is present.

strace file tracing.

When an executable runs it first accesses the preload configuration file, then reads and preloads the libraries listed in it, and only then loads the libraries it actually needs. By tracing the files opened by /bin/ls you can find the preload configuration file and the preloaded libraries. If the malicious library has anti-strace measures, rename the strace binary, or use the LD_PRELOAD environment variable to preload an unrelated library before tracing; this bypasses anti-strace checks that the malicious library performs by looking at the executable name.

File integrity check: some attackers implement the malicious function by modifying the dynamic linker, but doing so breaks the integrity of the dynamic linker, so checking its integrity detects rootkits of this type.

0x04 Reference links

https://github.com/mempodippy/vlany

https://github.com/mempodippy/cub3
