Recon 2011

Jonathan Stuart
Day Sunday - 2011-07-10
Room Grand Salon
Start time 11:00
Duration 01:00
ID 107
Event type Lecture
Track Main

Advances in rootkit technology - Atmosphere

A network-covert, remote FreeBSD hidden kernel-thread rootkit

Atmosphere is a FreeBSD 9.0 rootkit that is remotely activated and used, running fully in kernel space. Communication between the host and the remote user is over a covert, encrypted TCP/IP channel.

Services provided include the ability to do anything the kernel can do: code execution in kernel space (CPL0 on x86) and remote activation of the services that syscalls use within UIO_SYSSPACE (system memory), such as the virtual file system (VFS): the pulling of vnodes and vnode attributes for files, file hiding, process hiding, the socket layer (soconnect, sosend, etc.), which can be used to provide a network tunnel, cdevs, ptrace, and sniffing of network traffic via mbuf inspection in ip_input(), ip_output(), and ip_forward().

The rootkit runs as a hidden kernel thread. In essence, everything the kernel can do, the rootkit can do for the remote user, via an API that runs over covert TCP/IP packet exchanges (RC4/Arcfour encryption is also provided). The goal is to provide as much access to the system as possible while minimizing the footprint (e.g., no processes running, no execve(), no binaries added to the filesystem).

Atmosphere is an in-kernel FreeBSD remote rootkit running as a hidden kernel thread, with a covert TCP/IP channel using RC4 for communications, using system call proxying (which, when possible, never leaves the kernel, since most system calls can be called from the kernel in FreeBSD by setting the I/O space to UIO_SYSSPACE). Access to the filesystem, the network layer, devices, and the states of processes will all be provided over the covert channel, which is examined via hooks in ip_input() that peek directly into mbufs (generic memory structures, but primarily used for network traffic; somewhat similar to skbuffs on Linux).