Phalanx – A Self-injecting Rootkit Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar.

Slides:



Advertisements
Similar presentations
Keep Your PC Safe (Windows 7, Vista or XP) Nora Lucke 02/05/2012 Documents - security.
Advertisements

Computer Technology Timpview High School. A collection of local, regional, national, and international computer networks that are linked together to exchange.
The Free Software Desktop Project By: Joshua Anglero
COEN 250 Computer Forensics Unix System Life Response.
COMP1214 Systems & Platforms: Operating Systems Concepts Dr. Yvonne Howard – Rikki Prince – 1.
Operating System Structures
Thank you to IT Training at Indiana University Computer Malware.
MySQL Installation Guide. MySQL Downloading MySQL Installer.
Cambridge Technicals Unit 12 P3 -Security risks.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Internet Information Server 6.0. IIS 6.0 Enhancements  Fundamental changes, aimed at: Reliability & Availability Reliability & Availability Performance.
PlanetLab What is PlanetLab? A group of computers available as a testbed for computer networking and distributed systems research.
December, 2008 CS-591 Securing Servers: International Capture the Flag 1 Nadine Sundquist CS591-F2008 University of Colorado, Colorado Springs Dr. C. Edward.
1 Computer and Internet Security JCCAA Presentation 03/14/2009 Yu-Min (Phillip) Hsieh Sr. System Administrator Information Technology Rice University.
Operating System Security : David Phillips A Study of Windows Rootkits.
How an attacker can maintain control over their victim’s system without being discovered.
Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il.
Security Issues and Challenges in Cloud Computing
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Windows Security and Rootkits Mike Willard January 2007.
Vijay krishnan Avinesh Dupat  Collection of tools (programs) that enable administrator-level access to a computer or computer network.  The main purpose.
Cs238 Lecture 3 Operating System Structures Dr. Alan R. Davis.
Information Networking Security and Assurance Lab National Chung Cheng University F.I.R.E. Forensics & Incident Response Environment.
Linux Kernel Rootkits Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar.
2004, Jei F.I.R.E. Forensics & Incident Response Environment Information Networking Security and Assurance Lab National Chung Cheng University.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
By Jeerarat Boonyanit. As you can see I have chosen Cpanel for my server management tool. cPanel is a Linux based web hosting control panel that provides.
R. FRANK NIMS MIDDLE SCHOOL A BRIEF INTRODUCTION TO VIRUSES.
Linux Operations and Administration
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Protecting Your Computer & Your Information
APT29 HAMMERTOSS Jayakrishnan M.
Rootkits. EC-Council The Problem  Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or.
Vijay Krishnan Avinesh Dupat. A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators.
CS 1308 Computer Literacy and the Internet. Introduction  Von Neumann computer  “Naked machine”  Hardware without any helpful user-oriented features.
Code Injection From the Hypervisor: Removing the need for in-guest agents Matt Conover Principal Software Engineer Core Research Group, Symantec Research.
Honeypot and Intrusion Detection System
CIS 450 – Network Security Chapter 16 – Covering the Tracks.
Introduction of Internet security Sui Wang IS300.
1 Implementation of Security-Enhanced Linux Yue Cui Xiang Sha Li Song CMSC 691X Project 2—Summer 02.
CS470, A.SelcukThe Big Picture1 The Big Picture Practical, Economic, Legal Considerations CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
1 What is a Kernel The kernel of any operating system is the core of all the system’s software. The only thing more fundamental than the kernel is the.
LINUX ROOTKITS Chirk Chu Chief Security Officer University of Alaska Statewide System Information Technology Services.
INVITATION TO COMPUTER SCIENCE, JAVA VERSION, THIRD EDITION Chapter 6: An Introduction to System Software and Virtual Machines.
Attack Plan Alex. Introduction This presents a step-by-step attack plan to clean up an infected computer This presents a step-by-step attack plan to clean.
CAP6135: Malware and Software Vulnerability Analysis Rootkits Cliff Zou Spring 2012.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Operating System What is an Operating System? A program that acts as an intermediary between a user of a computer and the computer hardware. An operating.
Omar Hemmali CAP 6135 Paul Barford Vinod Yegneswaran Computer Sciences Department University of Wisconsen, Madison.
Instructor: Dr. Harold C. Grossman Student: Subhra S. Sarkar
A Study on Linux Operating System Ying Jiang ID:
COEN 250 Computer Forensics Unix System Life Response.
1 MSTE Visual SourceSafe For more information, see:
Protecting The Kernel Data through Virtualization Technology BY VENKATA SAI PUNDAMALLI id :
Types of Malware © 2014 Project Lead The Way, Inc.Computer Science and Software Engineering.
Class Presentation Pete Bohman, Adam Kunk, Erik Shaw (ONL)
Lecture 02 File and File system. Topics Describe the layout of a Linux file system Display and set paths Describe the most important files, including.
VMM Based Rootkit Detection on Android
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
A presentation by John Rowley for IUP COSC 356 Dr. William Oblitey Faculty member in attendance.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
Botnets A collection of compromised machines
Malware Reverse Engineering Process
Linux.
Rootkit A rootkit is a set of tools which take the ability to access a computer or computer network at administrator level. Generally, hackers install.
Botnets A collection of compromised machines
Chap 10 Malicious Software.
Chap 10 Malicious Software.
Presentation transcript:

Phalanx – A Self-injecting Rootkit Instructor: Dr. Harold C. Grossman Students: Jinwei Liu & Subhra S. Sarkar

Introduction History Objectives Phalanx’s standing in Rootkit classification Features Notable infections Detection mechanisms Prevention mechanisms Availability Agenda © 2011 Jinwei Liu & Subhra S. Sarkar

Phalanx is a self-injecting kernel rootkit designed for sniffing into user SSH credentials for Linux 2.6 branches. This rootkit uses /dev/mem/ interface to inject hostile code into kernel memory and hijack system calls. Moreover, Phalanx allows continued privileged access to the compromised system while hiding its presence from administrators by subverting standard OS functionality. Introduction © 2011 Jinwei Liu & Subhra S. Sarkar

1. First surfaced in Originally developed by rebel 3. Beta 1: Backdoor, file hiding, process hiding 4. Beta 2: Socket hiding, improved process hiding 5. Beta 3: TTY-Sniffer, improved obfuscation 6. Current version: Beta 6 (with additional functionalities) History © 2011 Jinwei Liu & Subhra S. Sarkar

The objectives of Phalanx fall into the following categories 1. HID: User space object hiding 2. PE: Privilege escalation 3. REE: Re-entry/backdoor 4. REC: Reconnaissance 5. NEU: Defense neutralization Objectives © 2011 Jinwei Liu & Subhra S. Sarkar

Rootkits can be broadly classified into the following categories 1. Type 0 rootkit 2. Type 1 rootkit (a) Hooking lookup Tables (b) Code patching (c) Hooking CPU registers Phalanx’s standing in rootkit classification © 2011 Jinwei Liu & Subhra S. Sarkar

3. Type 2 rootkit (a) Kernel object hooking (b) Direct kernel object manipulation 4. Type 3 rootkit (a) Virtual machine based (b) Hardware assisted virtual machine based From the above classification, its clear that Phalanx falls in Type 1 rootkit category. Phalanx’s standing in rootkit classification contd. © 2011 Jinwei Liu & Subhra S. Sarkar

1. Harvest SSH keys and other credentials 2. Creates hidden directory /etc/khubd.p2 or by some other name for collecting user information. Sometimes the directory name might be different to hide detection. 3. Uses methods to hide its running processes 4. Doesn’t show up in process listing using “ps” or ls /proc. However, it’s directory on /proc is accessible. Features © 2011 Jinwei Liu & Subhra S. Sarkar

1. Linux servers of kernel.org for distributing Linux Kernel Image were compromised in July, SRFC breach at University of Cambridge in April, Several attacks were launched in August, 2008 on servers running on Linux Notable infections © 2011 Jinwei Liu & Subhra S. Sarkar

1. Try doing “cd” inside /etc/khubd.p2 even though running “ls” command won’t list it. 2. “/dev/shm/” may contain files from attack. 3. Any directory by name “khubd.p2” is not displayed in “ls” directory listing, but the directory can be accessed using “cd” command. 4. Checking reference count in /etc/ against the number of directories shown by “ls” command. Detection mechanisms © 2011 Jinwei Liu & Subhra S. Sarkar

1. Proactively identify and examine systems where SSH keys are used as part of automated processes. 2. Encourage users to use keys with passphrases 3. Review access paths to Internet facing systems and ensure that the systems are fully patched. Prevention mechanisms © 2011 Jinwei Liu & Subhra S. Sarkar

Phalanx can be downloaded for free for educational purposes from the following URL Author: rebel Current version available for download: beta 6 Release date: Nov 17, Availability © 2011 Jinwei Liu & Subhra S. Sarkar

Below is the list of references and-spyware/Troj~Phalanx2-A.aspx cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attac ks 6. based-attacks-phalanx2-rootkit / and-spyware/Troj~Phalanx2-A.aspxhttp:// cert.gov/current/archive/2008/08/26/archive.html#ssh_key_based_attac kshttp:// based-attacks-phalanx2-rootkit / References © 2011 Jinwei Liu & Subhra S. Sarkar

Thank You © 2011 Jinwei Liu & Subhra S. Sarkar

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.