3.3 KiB
3.3 KiB
Reptile rootkit details
https://github.com/f0rb1dd3n/Reptile
Environment
- x86, x86_64
- Linux kernel 2.6.x/3.x/4.x
- Debian/Ubuntu, RHEL/CentOS/Fedora
Persistency
Boot-time module loading using OS-specific startup files:
- /etc/modules (debian/ubuntu)
- /etc/rc.modules (redhat/centos/fedora)
Detection evasion
Rootkit is trying to evade from detection by:
- hiding files by name
- tampering contents of startup files while reading
- hiding kernel module by unlinking from
modules-list
Management interface
Implemented via kill(2):
- hook
sys_call_table[__NR_kill]
Supported commands are:
- hiding/unhiding processes
- hiding/unhiding rootkit's module
- enabling/disabling of tampering file content function
- gaining root priveleges to calling process
Altering system behaviour
Hooking of system calls by patching syscall-handlers in sys_call_table[]:
- to write to read-only page
CR0/WPtechnique used (x86-only) - netfilter hook (
NF_IP_PRI_FIRST)
Hiding (tampering) of file contents
Filtering of file content while reading:
- hook
sys_call_table[__NR_read]
Hiding of files and directories
Filtering of directory entries:
- hook
sys_call_table[__NR_getdents] - hook
sys_call_table[__NR_getdents64]
Hiding of processes and process trees
Filtering PID-like numeric entries while listing /proc:
- getdents/getdents64 hook used
- hidden tasks are marked using
task->flags(bit0x10000000)
Backdoor/shell
Reverse shell spawning by port-knocking-like technique:
- magic packet with token used (
ICMP/UDP/TCP) - spawning root-shell connection to remote host