HSC
Network Security Consulting Agency Since 1989 - Specialized in Unix, Windows, TCP/IP and Internet
 Text mode: access to the page content
Hervé Schauer Consultants
You are here: Home > Resources > Tools > rkscan
Go to: HSC Trainings
Search:  
 Version française
   Services   
o Skills & Expertise
o Consulting
o ISO 27001 services
o Audit & Assessment
o Penetration tests
o Vunerability assessment (TSAR)
o Forensics
o ARJEL
o Training courses
o E-learning
   Conferences   
o Agenda
o Past events
o Tutorials
   Resources   
o Thematic index
o Tips
o Lectures
o Courses
o Articles
o Tools (download)
o Vulnerability watch
   Company   
o Hervé Schauer
o Team
o Job opportunities
o Credentials
o History
o Partnerships
o Associations
   Press and
 communication 		  
o HSC Newsletter
o Press review
o Press releases
o Publications
   Contacts   
o How to reach us
o Specific inquiries
o Directions to our office
o Hotels near our office
|>|rkscan  
blah Resources
See also...
o Babelweb
o BlueBerry
o Delphes
o Dislocker
o Dns2tcp
  o filterrules
o IDSwakeup
o jis & wis
o nstreams
o passe-partout
  o Patator
o PktFilter
o Net::RawSock
o skyrack
o smbsniff
  o SSLTunnel
o SSToPer
o Subweb
o Webef
o WifiScanner
  o WSPP
o xml-logs
o Introduction
o Usage
o How it works

Rkscan is a rootkit Scanner for loadable kernel.

Rkscan is written by Stéphane Aubert.

> Download

Rootkit Scanner for loadable kernel-module rootkits (Analysis and detection tool for KNARK and ADORE).

rkscan is a kernel-based module rootkit scanner for Linux, it detects Adore (v0.14, v0.2b and v0.24) and knark (v0.59).

Introduction

When running on a computer, rootkits allows an unprivileged user to hide files, hide process, run commands as root... that's why they are called rootkits!

krk (Kernel-based RootKits) are still rootkits but now they don't need to change the ls, ps or find binaries because they are intercepting system calls.

krk seem to be very difficult to detect while running on a rooted computer.

rkscan is a small scanner to help sysadmins to detect infected computers by:

. KNARK version 0.59 

     knarf is written by Creed <creed@sekure.net>
     and can be found on packetstrom.securify.com

. ADORE versions 0.14, 0.2b and 0.24 

     Adore is written by Stealth
     and can be found on http://spider.scorpions.net/~stealth/

rkscan.c is given at the end of the mail and will be available on <URL: http://www.hsc.fr/ressources/outils/>

(Only in a few days ... I am at SANS NS2000 in Monterey :) I have written this first version during Dave Dittrich's course on DDOS, thanx Dave for this course!)

Don't forget:
There are differents technics to protect yourself against krk, the best one is certainly to disable the kernel-module support.

Usage

Just run: ./rkscan

Example:

!! Don't run the following command unless you know what you are doing. 

 # insmod adore.o
 # exit

 % ./rkscan
 -=-      Rootkit Scanner      -=-
 -=- by Stephane.Aubert@hsc.fr -=-

 Scanning for ADORE version 0.14, 0.2b and 0.24 ...
  #ADORE rootkit is running with ELITE_CMD=50666 !

 Scanning for KNARK version 0.59 ...

 KNARK rootkit NOT DETECTED on this system.

 Done.
 % ./ava U U
 Checking for adore  0.12 or higher ...
 Adore 0.14 installed. Good luck.
 Adore 0.14 de-installed.

How it works

Adore v0.14 uses a setuid call to detect if its module is loaded: 

  #define ELITE_CMD 31337
  int adore_installed() {
      return setuid(ELITE_CMD+2);

  }
  ...
  printf("Checking for adore  0.12 or higher ...\n");
  if ((version = adore_installed()) <= 0) {
      printf("Adore NOT installed. Exiting.\n");
      exit(1);
  }

Adore v0.24 uses a setuid call to detect if its module is loaded: (ELITE_CMD is fixed in the Makefile to 61855) 

  adore_t *adore_init()
  {
     adore_t *ret = calloc(1, sizeof(adore_t));
     ret->version = setuid(ELITE_CMD+2);
     return ret;
  }

Knark uses a settimeofday call to detect if its module is loaded: 

  #define KNARK_GIMME_ROOT 9000
  ...
  if(settimeofday((struct timeval *)KNARK_GIMME_ROOT,
                      (struct timezone *)NULL) == -1) {
      perror("settimeofday");
      fprintf(stderr, "Have you really loaded knark.o?!\n");
      exit(-1);
  }

So the main problem is to find the ELITE_CMD or KNARK_GIMME_ROOT values that can have been changed.

That why we need a scanner to test each possible values.

Future version of these rootkits will certainly use crypto or just something like the following lines in oder to hide themself more and more. 

  #define ELITE_CMD 31337
  #define KEY_1 42843
  #define KEY_2 89843
  #define KEY_3 11343
  #define KEY_4 17323
  #define KEY_5 64543
  /* may be more */

  int ItIsMe() {

    setuid(KEY_1);   /* put a global var to the first state (state=1;)  */
    setuid(KEY_2);   /* action: state=(state==1?2:0);                   */
    setuid(KEY_3);   /* and so on ...                                   */
    setuid(KEY_4);   /* and so on ...                                   */
    setuid(KEY_5);   /* and so on ...                                   */
  }
  int adore_installed() {
    ItIsMe();
    return setuid(ELITE_CMD+2); /* ok if state==5 and ELITE_CMD is good */
  }

And it will be more and more difficult to scan these krk :(

It's time to rebuild you kernel and disable module support!

Last modified on 23 October 2002 at 13:09:23 CET - webmaster@hsc.fr
Information on this server - © 1989-2010 Hervé Schauer Consultants