Recently in Solyaris Category

I implemented the http channel, and the http proxy feature.

Let me give you an example of the proxy feature works:

First, we open a connection in kelvin to the http channel (the details doesnt interest us here).
I also activate the http proxy option ("proxy_on").




To illustrate the standard behaviour, lets send a http request to the http server of the rootkitet box (192.168.3.2):

dobin@unreal ~ $ export http_proxy="localhost:8080"
dobin@unreal ~ $ wget  -O - --no-cookies -S http://192.168.3.2:/index.html | cat
--2009-04-24 19:33:56--  http://192.168.3.2/index.html
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8080... connected.
Proxy request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Fri, 24 Apr 2009 15:33:55 GMT
  Server: Apache/2.2.11 (FreeBSD) mod_ssl/2.2.11 OpenSSL/0.9.7e-p1 DAV/2
  Last-Modified: Fri, 17 Apr 2009 22:58:53 GMT
  ETag: "5c220-2c-467c81fe40540"
  Accept-Ranges: bytes
  Content-Length: 44
  Connection: close
  Content-Type: text/html
Length: 44 [text/html]
Saving to: `STDOUT'

100%[========================================>] 44          --.-K/s   in 0s     
2009-04-24 19:33:56 (15.4 MB/s) - `-' saved [44/44]

<html><body><h1>It works!</h1></body></html>

As you can see, wget retrieves index.html from the standard apache installation, with cookies disabled, and prints the http header and html sourcecode to stdout. It uses our local rheya proxy (localhost:8080). No cookies sent or received, as this is just a normal .html file.

Now, we want to call the "test" method in Kelvin. The "test" commands just transfers 100 bytes of data to rheya, and expects 100 bytes in return in the reply.


Kelvin creates the solyaris request, and is waiting (blocks) to receive an suitable HTTP request. Nothing has been sent for this command until now.

We generate the http traffic with the same wget command from earlier:

dobin@unreal ~ $ wget  -O - --no-cookies -S http://192.168.3.2:/index.html?ABCD | cat
--2009-04-24 19:37:24--  http://192.168.3.2/index.html?ABCD
Resolving localhost... 127.0.0.1, ::1
Connecting to localhost|127.0.0.1|:8080... connected.
Proxy request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Fri, 24 Apr 2009 15:37:23 GMT
  Server: Apache/2.2.11 (FreeBSD) mod_ssl/2.2.11 OpenSSL/0.9.7e-p1 DAV/2
  Last-Modified: Fri, 17 Apr 2009 22:58:53 GMT
  ETag: "5c220-2c-467c81fe40540"
  Accept-Ranges: bytes
  Content-Length: 44
  Connection: close
  Content-Type: text/html
  Set-Cookie: statusCode=1; requestID=0; dataLen=100; data=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
Length: 44 [text/html]
Saving to: `STDOUT'

100%[========================================>] 44          --.-K/s   in 0s
2009-04-24 19:37:24 (17.0 MB/s) - `-' saved [44/44]

<html><body><h1>It works!</h1></body></html>

The only difference between this wget request and the one earlier is the "Set-Cookie:" line.

What happened?

As you can see, rheya replied with an "Set-Cookie" line, which is the answer for our solyaris request. The line was inserted in the kernel, after apache created its reply (the standard page doesnt include any cookies, of course).

The reason it inserted the "Set-Cookie" line was because Kelvin intercepted the http request from wget in its proxy, and transparently added a "Cookie:" line, which's content is the solyaris request it generated.


Additional to wget, Kelvin also interpreted the http reply, and found the answer for his rheya "test" request:



This is just the PoC. There are a lot of rough edges, which will be cleaned out in the next few weeks.

Of course, instead of wget, one can also use a normal browser like firefox, or even a web site crawler, to automate the transfer of data to and from the rootkit.

Rheya:

• SNMP Channel implemented
  
• cleaned node (removed m, static answer)
• Implemented basic fragmentation handling
• Function names cleanup
• Fixed various crashes
• Collect port statistics
  

Kelvin:

• Rudimentary implementation of SNMP Channel
  
• removed anyoption, now use boost::program_options
• Various updates and bugfixes
• Updated and bugfixed DNS Channel
  
• Use Boost::ASIO for SNMP UDP channel in kelvin, instead of packet sniffing
• Works without config file, again
• Works on FreeBSD 6
• ChannelChardev works again

There's still lot of things to do. Wont release in the next few months.

I finally implemented another feature: Stealth Exchange of Packets.

When Rheya received commands over the DNS backdoor channel, it can now optionally not drop the packet after processing, but forward it to userspace like every other packet too. To not make it obvious they are rootkit packets, we exchenge their content with something unsuspicious.

This is a trace of 3 kelvin commands (connect, test, disconnect):

attacker, with kelvin client (rheya-log01.txt):

13:59:29.921992 IP 192.168.3.1.1234 > 192.168.3.2.53: 666+ A? ABCD.2.1.0.49967.6.encKey.xxx.ch. (50)
13:59:30.025742 IP 192.168.3.2.53 > 192.168.3.1.1234: 666 1/0/0 (88)

13:59:30.025874 IP 192.168.3.1.1234 > 192.168.3.2.53: 666+[|domain]
13:59:30.121066 IP 192.168.3.2.53 > 192.168.3.1.1234: 666[|domain]

13:59:30.121152 IP 192.168.3.1.1234 > 192.168.3.2.53: 666+ A? ABCD.2.2.21845.32219.xxx.ch. (45)
13:59:30.211366 IP 192.168.3.2.53 > 192.168.3.1.1234: 666 1/0/0 (72)

Owned host with rheya is just seeing the following in his bind-logfile:

28-Mar-2009 13:59:27.655 queries: info: client 192.168.3.1#1234: query: www.broken.ch IN A +
28-Mar-2009 13:59:27.753 queries: info: client 192.168.3.1#1234: query: www.broken.ch IN A +
28-Mar-2009 13:59:27.842 queries: info: client 192.168.3.1#1234: query: www.broken.ch IN A +

The standard setting is still to reply the rheya request in the kernel, and not let the packet touch userspace. But it could be suspicious if a proxy/sniffer/ids between the attacker and the real host, and the owned host, dont see the same amount of packets.

Todo:
I'll implement SNMP channel next, with all the needed features.
Then i'll start with a tcp channel.
Then it's release time.

Done:

• wrote script to compile rheya remotly on vm
• listsession command implemented (used primarily for testing purposes)
  
• bites data type, i wanted to make clear its just bytes (and not strings, like with char, which end with 0 byte)
  
• dns channel: created new function to build domain name
• dns channel: base64 encoding for answer data
• implemented disconnect/quit command

• Kelvin: --test command line option
• Kelvin: fixed dns channel if no request data was sent
• Kelvin: quit now leaves the screen in an usable state
• Kelvin: Networking subsystem redesign
• Beta UML Graph