# Reptile rootkit details https://github.com/f0rb1dd3n/Reptile ## Environment - x86, x86_64 - Linux kernel 2.6.x/3.x/4.x - Debian/Ubuntu, RHEL/CentOS/Fedora ## Persistency Boot-time module loading using OS-specific startup files: - /etc/modules (debian/ubuntu) - https://github.com/linux-rootkits/Reptile/blob/master/setup.sh#L296 - /etc/rc.modules (redhat/centos/fedora) - https://github.com/linux-rootkits/Reptile/blob/master/setup.sh#L298 ## Detection evasion Rootkit is trying to evade from detection by: - hiding files by name - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L575 - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L619 - tampering contents of startup files while reading - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L638 - hiding kernel module by unlinking from `modules`-list - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L145 - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L157 ## Management interface Implemented via `kill(2)`: - hook`sys_call_table[__NR_kill]` - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L509 Supported commands are: - hiding/unhiding processes - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L518 - hiding/unhiding rootkit's module - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L514 - enabling/disabling of tampering file content function - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L524 - gaining root priveleges to calling process - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L528 ## Altering system behaviour Hooking of system calls by patching syscall-handlers in `sys_call_table[]`: - to write to read-only page `CR0/WP` technique used (x86-only) - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L681 - netfilter hook (`NF_IP_PRI_FIRST`) - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L356 - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L687 ## Hiding (tampering) of file contents Filtering of file content while reading: - hook `sys_call_table[__NR_read]` - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L282 - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L638 ## Hiding of files and directories Filtering of directory entries: - hook `sys_call_table[__NR_getdents]` - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L594 - hook `sys_call_table[__NR_getdents64]` - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L550 ## Hiding of processes and process trees Filtering PID-like numeric entries while listing `/proc`: - getdents/getdents64 hook used - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L619 - hidden tasks are marked using `task->flags` (bit `0x10000000`) - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L189 ## Backdoor/shell Reverse shell spawning by port-knocking-like technique: - magic packet with token used (`ICMP/UDP/TCP`) - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L356 - spawning root-shell connection to remote host - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L328 - https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L210