awesome-linux-rootkits/details/reptile.md

# Reptile rootkit details

https://github.com/f0rb1dd3n/Reptile

## Environment

- x86, x86_64
- Linux kernel 2.6.x/3.x/4.x
- Debian/Ubuntu, RHEL/CentOS/Fedora

## Persistency

Boot-time module loading using OS-specific startup files:
 - /etc/modules (debian/ubuntu)
   - https://github.com/linux-rootkits/Reptile/blob/master/setup.sh#L296
 - /etc/rc.modules (redhat/centos/fedora)
   - https://github.com/linux-rootkits/Reptile/blob/master/setup.sh#L298

## Detection evasion

Rootkit is trying to evade from detection by:
 - hiding files by name
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L575
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L619
 - tampering contents of startup files while reading
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L638
 - hiding kernel module by unlinking from `modules`-list
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L145
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L157

## Management interface

Implemented via `kill(2)`:
 - hook`sys_call_table[__NR_kill]`
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L509
 
Supported commands are:
 - hiding/unhiding processes
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L518
 - hiding/unhiding rootkit's module
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L514
 - enabling/disabling of tampering file content function
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L524
 - gaining root priveleges to calling process
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L528

## Altering system behaviour

Hooking of system calls by patching syscall-handlers in `sys_call_table[]`:
 - to write to read-only page `CR0/WP` technique used (x86-only)
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L681
 - netfilter hook (`NF_IP_PRI_FIRST`)
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L356
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L687

## Hiding (tampering) of file contents

Filtering of file content while reading:
 - hook `sys_call_table[__NR_read]`
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L282
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L638

## Hiding of files and directories

Filtering of directory entries:
 - hook `sys_call_table[__NR_getdents]`
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L594
 - hook `sys_call_table[__NR_getdents64]`
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L550

## Hiding of processes and process trees

Filtering PID-like numeric entries while listing `/proc`:
 - getdents/getdents64 hook used
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L619
 - hidden tasks are marked using `task->flags` (bit `0x10000000`)
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L189

## Backdoor/shell

Reverse shell spawning by port-knocking-like technique:
 - magic packet with token used (`ICMP/UDP/TCP`)
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L356
 - spawning root-shell connection to remote host
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L328
   - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L210
Update reptile.md 2018-07-02 15:55:36 -04:00			`# Reptile rootkit details`
Create reptile.md 2018-07-02 11:20:13 -04:00
			`https://github.com/f0rb1dd3n/Reptile`
Update reptile.md 2018-07-02 12:14:03 -04:00
			`## Environment`

Update reptile.md 2018-07-02 15:49:15 -04:00			`- x86, x86_64`
Update reptile.md 2018-07-02 12:14:03 -04:00			`- Linux kernel 2.6.x/3.x/4.x`
Update reptile.md 2018-07-02 15:58:19 -04:00			`- Debian/Ubuntu, RHEL/CentOS/Fedora`
Update reptile.md 2018-07-02 12:14:03 -04:00
			`## Persistency`

			`Boot-time module loading using OS-specific startup files:`
Update reptile.md 2018-07-02 12:17:31 -04:00			`- /etc/modules (debian/ubuntu)`
Update reptile.md 2018-07-02 15:55:36 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/setup.sh#L296`
Update reptile.md 2018-07-02 12:17:31 -04:00			`- /etc/rc.modules (redhat/centos/fedora)`
Update reptile.md 2018-07-02 15:55:36 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/setup.sh#L298`
Update reptile.md 2018-07-02 15:49:15 -04:00
Update reptile.md 2018-07-02 12:14:03 -04:00			`## Detection evasion`

			`Rootkit is trying to evade from detection by:`
Update reptile.md 2018-07-02 12:17:31 -04:00			`- hiding files by name`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L575`
			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L619`
Update reptile.md 2018-07-02 12:14:03 -04:00			`- tampering contents of startup files while reading`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L638`
			- hiding kernel module by unlinking from `modules`-list
			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L145`
			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L157`
Update reptile.md 2018-07-02 12:14:03 -04:00
			`## Management interface`

Update reptile.md 2018-07-02 15:57:33 -04:00			Implemented via `kill(2)`:
			- hook`sys_call_table[__NR_kill]`
			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L509`
Update reptile.md 2018-07-02 15:49:15 -04:00
Update reptile.md 2018-07-03 16:35:29 -04:00			`Supported commands are:`
Update reptile.md 2018-07-02 12:14:03 -04:00			`- hiding/unhiding processes`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L518`
Update reptile.md 2018-07-02 12:14:03 -04:00			`- hiding/unhiding rootkit's module`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L514`
Update reptile.md 2018-07-02 12:14:03 -04:00			`- enabling/disabling of tampering file content function`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L524`
Update reptile.md 2018-07-02 12:14:03 -04:00			`- gaining root priveleges to calling process`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L528`
Update reptile.md 2018-07-02 12:14:03 -04:00
Update reptile.md 2018-07-02 12:17:54 -04:00			`## Altering system behaviour`
Update reptile.md 2018-07-02 12:14:03 -04:00
Update reptile.md 2018-07-02 12:17:31 -04:00			Hooking of system calls by patching syscall-handlers in `sys_call_table[]`:
			- to write to read-only page `CR0/WP` technique used (x86-only)
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L681`
Update reptile.md 2018-07-02 12:32:29 -04:00			- netfilter hook (`NF_IP_PRI_FIRST`)
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L356`
			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L687`
Update reptile.md 2018-07-02 12:14:03 -04:00
			`## Hiding (tampering) of file contents`

Update reptile.md 2018-07-02 12:40:41 -04:00			`Filtering of file content while reading:`
			- hook `sys_call_table[__NR_read]`
Update reptile.md 2018-07-02 15:52:43 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L282`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L638`
Update reptile.md 2018-07-02 12:14:03 -04:00
			`## Hiding of files and directories`

Update reptile.md 2018-07-02 12:40:41 -04:00			`Filtering of directory entries:`
			- hook `sys_call_table[__NR_getdents]`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L594`
Update reptile.md 2018-07-02 12:40:41 -04:00			- hook `sys_call_table[__NR_getdents64]`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L550`
Update reptile.md 2018-07-02 12:14:03 -04:00
			`## Hiding of processes and process trees`

Update reptile.md 2018-07-02 12:18:51 -04:00			Filtering PID-like numeric entries while listing `/proc`:
			`- getdents/getdents64 hook used`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L619`
Update reptile.md 2018-07-02 12:22:48 -04:00			- hidden tasks are marked using `task->flags` (bit `0x10000000`)
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L189`
Update reptile.md 2018-07-02 12:14:03 -04:00
Update reptile.md 2018-07-02 12:38:46 -04:00			`## Backdoor/shell`
Update reptile.md 2018-07-02 12:32:29 -04:00
			`Reverse shell spawning by port-knocking-like technique:`
Update reptile.md 2018-07-02 12:40:41 -04:00			- magic packet with token used (`ICMP/UDP/TCP`)
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L356`
Update reptile.md 2018-07-02 12:32:29 -04:00			`- spawning root-shell connection to remote host`
Update reptile.md 2018-07-02 15:49:15 -04:00			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L328`
			`- https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L210`