Thursday, September 15, 2011

A Cyber-space Weapon - Chkrootkit

Rootkit is the perfect utility, that makes a hackers life easy. An ‘opportunity for mal-ware writers’ is probably an apt definition of a rootkit. These tools enable administrator-level access to a computer or computer network. Root-kits have become more common and their sources increasingly difficult to identify. They leverage security exploits and trojans to deceive a user into trusting the installation is not malign.
Root-kits comprise of a set of trojanized system utilities and daemons. It comes with additional programs and Kernel Modules, that are designed to conceal the very presence of malicious programs. Rootkits are used to hide different utilities which the intruder uses to gather data or to abuse of the system.

CHKROOTKIT - An anti rootkit software

Chk-rootkit is a simple and feature-full Unix-based program to check the system for known rootkits, which is basically a utility to help detect sniffers, Trojans, worms, and other back-door programs. It is basically a shell script that makes use of simple linux commands to check for any discrepancies. Using it is as simple as “download, untar, make and execute” in most cases. You can have chkrootkit installed through the steps given below.
-> Download the tar file to a folder say, ‘/opt’
cd /opt/; wget
-> Compute and check MD5 message digest of the download as part of the security feature. This helps to verify the integrity of the tar balls or source code.
md5sum chkrootkit.tar.gz
-> Unpack the tar file
tar xvzf chkrootkit.tar.gz
-> Change to the directory into which it was unpacked
cd chkrootkit-*
-> Compile the installation with the following command
make sense
-> chkrootkit can be run as
Chkrootkit can be set up as a ‘Daily automated system scan job’ that emails you a daily report, or it can be set up as a ‘Cron job’ at whatever schedule you may prefer.

Chkrootkit as Daily Automated System scan

Create a file and insert the content as given below.
vi /etc/cron.daily/
cd /opt/chkrootkit*/
./chkrootkit | mail -s “Daily chkrootkit from Servername(replace with server name)” “”
Change the permission
chmod 755 /etc/cron.daily/
Run the test report
cd /etc/cron.daily/

Chkrootkit as Scheduled Cron

Add the following cron entry for root, using crontab
3 3 * * * (cd /opt/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" "")
Chkrootkit can easily identify a trojaned system command, while it looks for known “signatures” in system binaries. But in some cases, it is possible that the attacker has modified the rootkit sources, to change its signatures and thereby avoid chkrootkit detection. Chkrootkit checks for all known signatures inside a file. Hence, it can’t automatically determine if it has been trojaned. In such cases we may need to run the chkrootkit in the ‘expert’ mode. The expert flag, -x, outputs strings taken from the binary files it analyzes.
./chkrootkit -x | more
In this mode we can examine suspicious strings in the binary programs that may indicate a trojan.
Rootkits represents a looming threat of the future. It is important that we do not allow an attacker to mask intrusion. Chkrootkit is an Intrusion Detection System that helps to prevent potential harm that can be caused due to the existence of loopholes in the system. It makes life easier by helping distinguish the malicious from the legitimate. However, we still await a tool that would heal injuries, and prepare your server for the next battle in the Cyber-Space!