I finally implemented another feature: Stealth Exchange of Packets.
When Rheya received commands over the DNS backdoor channel, it can now optionally not drop the packet after processing, but forward it to userspace like every other packet too. To not make it obvious they are rootkit packets, we exchenge their content with something unsuspicious.
This is a trace of 3 kelvin commands (connect, test, disconnect):
attacker, with kelvin client (rheya-log01.txt):
13:59:29.921992 IP 192.168.3.1.1234 > 192.168.3.2.53: 666+ A? ABCD.2.1.0.49967.6.encKey.xxx.ch. (50)Owned host with rheya is just seeing the following in his bind-logfile:
13:59:30.025742 IP 192.168.3.2.53 > 192.168.3.1.1234: 666 1/0/0 (88)
13:59:30.025874 IP 192.168.3.1.1234 > 192.168.3.2.53: 666+[|domain]
13:59:30.121066 IP 192.168.3.2.53 > 192.168.3.1.1234: 666[|domain]
13:59:30.121152 IP 192.168.3.1.1234 > 192.168.3.2.53: 666+ A? ABCD.2.2.21845.32219.xxx.ch. (45)
13:59:30.211366 IP 192.168.3.2.53 > 192.168.3.1.1234: 666 1/0/0 (72)
28-Mar-2009 13:59:27.655 queries: info: client 192.168.3.1#1234: query: www.broken.ch IN A +The standard setting is still to reply the rheya request in the kernel, and not let the packet touch userspace. But it could be suspicious if a proxy/sniffer/ids between the attacker and the real host, and the owned host, dont see the same amount of packets.
28-Mar-2009 13:59:27.753 queries: info: client 192.168.3.1#1234: query: www.broken.ch IN A +
28-Mar-2009 13:59:27.842 queries: info: client 192.168.3.1#1234: query: www.broken.ch IN A +
Todo:
I'll implement SNMP channel next, with all the needed features.
Then i'll start with a tcp channel.
Then it's release time.
Leave a comment