Published by Annice Greene. Modified over 9 years ago.
Slide 1: LINUX ROOTKITS
Chirk Chu, Chief Security Officer
University of Alaska Statewide System, Information Technology Services
Slide 2: Definition
● Rootkit: a software toolkit designed to hide the presence of an intruder inside a compromised system.
● Two types of rootkits: user mode and kernel mode. A user-mode rootkit replaces system binaries and libraries (ls, ps, netstat, login and the like) with trojaned copies; a kernel-mode rootkit puts its code inside the kernel, usually as a loadable kernel module (LKM), so that even unmodified user-space tools report false results.
● Rootkits may contain trojans, backdoors, sniffers, scanners, root-shell exploits, attack bots, IRC bots, keystroke loggers, log scrubbers and other hacking tools.
Slide 3: Rootkits found on UA systems
● T0rn
● MYRK
● Bobkit
● EPY
● Diablow
● Knark (LKM)
● RVDA (LKM)
Slide 4: Uncovering Rootkits
● Use chkrootkit (http://www.chkrootkit.org).
● Image the system drive and examine the rootkit on a secure system running the same or a similar OS.
● If that is not possible, import original system binaries and/or libraries and use them to perform the examination; a trojaned shared library subverts even a clean binary, so statically linked tools are preferable.
● Do not trust anything on the compromised system: a trojaned ls, ps, netstat or find hides exactly what you are looking for, and a kernel-mode rootkit lies even to clean binaries.
● Look for hidden files and directories.
● Look for trojans in boot-up scripts.
● Compare system binaries with distribution copies.
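The last three bullets, carried out against an imaged drive, as an added example (this script is not part of the presentation and is not chkrootkit). It assumes the suspect image is mounted read-only at a directory passed as ROOT, that a manifest of "sha256  /absolute/path" lines was produced on a trusted host of the same distribution, and that the sha256sum, find and grep used are the examiner's own, never the image's. The make_fixture function builds a constructed sample image so the checks can be tried offline; the file names and contents in it are invented for that purpose.

```shell
#!/bin/sh
# Offline rootkit check of an imaged drive. Added example, not from the
# presentation. Assumed layout: the suspect image is mounted read-only at
# ROOT (e.g. /mnt/suspect) and MANIFEST holds "sha256  /abs/path" lines made
# on a trusted host of the same distribution, for example with
#   sha256sum /bin/* /sbin/* /usr/bin/* /usr/sbin/* /lib/libc* > manifest.txt
# Run it only with trusted sha256sum/find/grep binaries, never the image's own.

# verify_manifest ROOT MANIFEST: report binaries that differ from or are
# missing versus the clean manifest; returns 1 if anything was reported.
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            printf 'MISSING  %s\n' "$path"; bad=1; continue
        fi
        cur=$(sha256sum "$root$path" | cut -d' ' -f1)
        [ "$cur" = "$sum" ] || { printf 'MODIFIED %s\n' "$path"; bad=1; }
    done < "$manifest"
    return $bad
}

# find_hidden ROOT: dot-named entries in directories where nothing hidden
# belongs, plus the "..." and ". " names used to slip past a casual ls.
find_hidden() {
    root=$1
    for d in dev tmp var/tmp usr/lib usr/share usr/src; do
        [ -d "$root/$d" ] && find "$root/$d" -name '.*'
    done
    find "$root" \( -name '...' -o -name '. ' -o -name '.. ' \) 2>/dev/null
}

# find_startup_hooks ROOT: lines in init scripts that launch something from
# /tmp, /var/tmp, a hidden path or a fake device node. A trojaned rc script is
# how a kit restarts its sniffer and backdoor after a reboot.
find_startup_hooks() {
    root=$1
    for f in "$root"/etc/rc.d/rc.sysinit "$root"/etc/rc.d/rc.local \
             "$root"/etc/rc.local "$root"/etc/rc.d/init.d/* "$root"/etc/init.d/*; do
        [ -f "$f" ] || continue
        grep -nE '(/tmp/|/var/tmp/|/dev/\.|/\.[A-Za-z0-9])' "$f" | sed "s|^|$f:|"
    done
}

# make_fixture DIR: constructed sample image for a self-test (not real data):
# a clean ls, a trojaned ps, a deleted netstat, a hidden "sniffer" under /dev
# and an rc.sysinit line that starts it. The manifest is taken before tampering.
make_fixture() {
    base=$1
    mkdir -p "$base/root/bin" "$base/root/dev/.hidden" "$base/root/etc/rc.d"
    printf 'clean ls binary\n' > "$base/root/bin/ls"
    printf 'clean ps binary\n' > "$base/root/bin/ps"
    printf 'clean netstat binary\n' > "$base/root/bin/netstat"
    (cd "$base/root" && sha256sum bin/ls bin/ps bin/netstat) \
        | sed 's| bin/| /bin/|' > "$base/manifest.txt"
    printf 'trojaned ps that hides processes\n' > "$base/root/bin/ps"
    rm -f "$base/root/bin/netstat"
    : > "$base/root/dev/.hidden/sniff"
    printf '#!/bin/sh\n/dev/.hidden/sniff &\n' > "$base/root/etc/rc.d/rc.sysinit"
}

# Usage: sh check_image.sh /mnt/suspect manifest.txt
if [ $# -eq 2 ]; then
    verify_manifest "$1" "$2"
    echo '--- hidden entries'; find_hidden "$1"
    echo '--- startup hooks'; find_startup_hooks "$1"
fi
```

A hash manifest catches user-mode kits, which is what replacing ls, ps and netstat amounts to; it says nothing about a kernel-mode kit, whose trojaned module is found by examining the image's module directories and boot scripts for a module load rather than by hashing binaries. On an RPM-based system rpm -Va performs the same comparison, but only if both the rpm binary and the package database come from a trusted copy, since both live on the compromised disk. chkrootkit's -r option lets it run against the mounted image in the same way.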
Slide 5: Preventing Rootkits
● Use network- and host-based firewalls (ipchains or iptables) and TCP Wrappers.
● Disable unused and unnecessary network services.
● Remove unused and unnecessary software packages.
● Patch the OS and applications on a regular basis.
● Stay current on security vulnerabilities.
● Compile and use a static (monolithic) kernel without loadable kernel module (LKM) support, i.e. built with CONFIG_MODULES unset, so that an LKM rootkit such as Knark cannot be loaded. This does not stop a rootkit that patches the running kernel through /dev/kmem.
● Use a host-based IDS like Tripwire, keeping its baseline database on read-only media so the intruder cannot rebaseline it.
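The firewall, TCP Wrappers and service bullets above, applied to a Red Hat 7.x era host, as an added example (my script, not the presentation's). It assumes an administrative network of 10.0.0.0/24, that sshd is the only service that must be reachable from it, and that sshd, syslog, network and crond are the only boot-time services to keep; the DRY_RUN switch and the "apply"/"show" arguments are my own conventions.

```shell
#!/bin/sh
# Minimal host lockdown: default-deny iptables policy, TCP Wrappers default
# deny, and boot-time services disabled with chkconfig. Added example, not
# from the presentation. Assumptions (mine): ADMIN_NET is the only network
# allowed to reach sshd, and KEEP lists the services that must stay enabled.
# DRY_RUN=1 prints the commands instead of running them (no root needed).

DRY_RUN=${DRY_RUN:-0}
ADMIN_NET=${ADMIN_NET:-10.0.0.0/24}
KEEP=${KEEP:-"sshd syslog network crond"}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# firewall_rules: drop everything inbound by default, allow loopback and
# replies to connections this host opened, allow ssh only from ADMIN_NET,
# and log what the policy drops so a scan shows up in syslog.
firewall_rules() {
    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    run iptables -A INPUT -j LOG --log-prefix 'fw-drop: '
}

# tcp_wrappers_rules: print the hosts.deny / hosts.allow contents. "ALL: ALL"
# in hosts.deny refuses every wrapped service unless hosts.allow permits it,
# which is the second layer behind the packet filter.
tcp_wrappers_rules() {
    printf '# /etc/hosts.deny\nALL: ALL\n'
    printf '# /etc/hosts.allow\nsshd: %s\n' "$ADMIN_NET"
}

# disable_services SERVICE...: turn off boot-time startup for every service
# named that is not in KEEP. Feed it the names from "chkconfig --list".
disable_services() {
    for svc in "$@"; do
        case " $KEEP " in *" $svc "*) continue;; esac
        run chkconfig "$svc" off
    done
}

# Usage: sh lockdown.sh show     (print what would be done)
#        sh lockdown.sh apply    (as root: apply firewall and disable services)
case "${1:-}" in
    show)  DRY_RUN=1; firewall_rules; tcp_wrappers_rules
           disable_services $(chkconfig --list 2>/dev/null | awk '{print $1}');;
    apply) DRY_RUN=0; firewall_rules
           disable_services $(chkconfig --list | awk '{print $1}')
           echo 'Now write the hosts.deny/hosts.allow lines printed by "show".';;
esac
```

Disabling a service only stops it starting at boot; a kit that has already been installed restarts its own listeners from the rc scripts, which is why the checks in the previous slide look there. With a static kernel, the conntrack support that the ESTABLISHED,RELATED rule needs has to be compiled in rather than loaded as a module.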
Slide 6: Live Demonstration: T0rn Rootkit
● Author: a 21-year-old from Surbiton, Surrey, England; arrested by Scotland Yard in September 2002.
● Analysis available at http://www.securityfocus.com/infocus/1230
Slide 7: Live Demonstration: RVDA Rootkit
● It is an LKM rootkit.
● Found on a UAF CS test server running Red Hat 7.2.
● Functions only on an unpatched kernel.
● Source code is very small.
● Romanian in origin?