March 2009 Archives


I finally implemented another feature: Stealth Exchange of Packets.

When Rheya receives commands over the DNS backdoor channel, it can now optionally not drop the packet after processing, but forward it to userspace like every other packet. So that it is not obvious they are rootkit packets, we exchange their content with something unsuspicious.

This is a trace of 3 Kelvin commands (connect, test, disconnect):

attacker, with kelvin client (rheya-log01.txt):
13:59:29.921992 IP > 666+ A? (50)
13:59:30.025742 IP > 666 1/0/0 (88)

13:59:30.025874 IP > 666+[|domain]
13:59:30.121066 IP > 666[|domain]

13:59:30.121152 IP > 666+ A? (45)
13:59:30.211366 IP > 666 1/0/0 (72)

The owned host with Rheya just sees the following in its BIND logfile:
28-Mar-2009 13:59:27.655 queries: info: client query: IN A +
28-Mar-2009 13:59:27.753 queries: info: client query: IN A +
28-Mar-2009 13:59:27.842 queries: info: client query: IN A +

The standard setting is still to reply to the Rheya request in the kernel, and not let the packet touch userspace. But it could be suspicious if a proxy/sniffer/IDS between the attacker and the real host, and the owned host, don't see the same number of packets.

I'll implement the SNMP channel next, with all the needed features.
Then I'll start with a TCP channel.
Then it's release time.
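
The mismatch described above can be checked from the defender's side by comparing what a network sensor captured with what the host's BIND query log recorded. This is an added example, not code from the Rheya/Kelvin project; it assumes default tcpdump text output and BIND 9 query-log lines, and all addresses, ports and names in it are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample data (RFC 5737 addresses, example.* names); not the page's trace.
SENSOR_TCPDUMP = """\
13:59:29.921992 IP 192.0.2.10.40001 > 198.51.100.53.53: 666+ A? q1.example.net. (50)
13:59:30.025742 IP 198.51.100.53.53 > 192.0.2.10.40001: 666 1/0/0 A 203.0.113.1 (88)
13:59:30.025874 IP 192.0.2.10.40002 > 198.51.100.53.53: 667+[|domain]
13:59:30.121152 IP 192.0.2.10.40003 > 198.51.100.53.53: 668+ A? www.example.org. (45)
13:59:30.300000 IP 192.0.2.10.40004 > 198.51.100.53.53: 669+ A? q2.example.net. (45)
"""
BIND_QUERYLOG = """\
28-Mar-2009 13:59:27.655 queries: info: client 192.0.2.10#40001: query: www.example.com IN A +
28-Mar-2009 13:59:27.753 queries: info: client 192.0.2.10#40002: query: www.example.com IN A +
28-Mar-2009 13:59:27.842 queries: info: client 192.0.2.10#40003: query: www.example.org IN A +
"""

# Queries only: tcpdump lines whose destination port is 53.
WIRE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > \S+\.53: (.*)$")
QNAME = re.compile(r"\s\w+\? (\S+) \(")
BIND = re.compile(r"client (\d+(?:\.\d+){3})#(\d+): query: (\S+) IN ")

def wire_queries(text):
    """(client, port, qname) per query the sensor saw; qname is None if undecodable."""
    out = []
    for line in text.splitlines():
        m = WIRE.match(line)
        if m:
            q = QNAME.search(m.group(3))
            name = q.group(1).rstrip(".").lower() if q else None
            out.append((m.group(1), int(m.group(2)), name))
    return out

def host_queries(text):
    """(client, port, qname) per query that named logged in userspace."""
    return [(m.group(1), int(m.group(2)), m.group(3).rstrip(".").lower())
            for m in map(BIND.search, text.splitlines()) if m]

def cross_view(sensor_text, host_text):
    """Multiset difference of the two views, keyed without timestamps
    because sensor and host clocks are rarely in sync."""
    wire, logged = Counter(wire_queries(sensor_text)), Counter(host_queries(host_text))
    wire_only = sorted((wire - logged).elements(), key=repr)
    host_only = sorted((logged - wire).elements(), key=repr)
    return wire_only, host_only

if __name__ == "__main__":
    wire_only, host_only = cross_view(SENSOR_TCPDUMP, BIND_QUERYLOG)
    for entry in wire_only:
        print("seen on the wire, not logged as such on the host:", entry)
    for entry in host_only:
        print("logged on the host, never sent in that form:", entry)
```

A query answered in the kernel and dropped shows up only in the first list; a query whose content was exchanged before reaching userspace shows up in both lists under the same client address and port.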

  • wrote script to compile rheya remotely on vm
  • listsession command implemented (used primarily for testing purposes)
  • bites data type, I wanted to make clear it's just bytes (and not strings, like with char, which end with 0 byte)
  • dns channel: created new function to build domain name
  • dns channel: base64 encoding for answer data
  • implemented disconnect/quit command

  • Kelvin: --test command line option
  • Kelvin: fixed dns channel if no request data was sent
  • Kelvin: quit now leaves the screen in a usable state
  • Kelvin: Networking subsystem redesign
  • Beta UML Graph
Code cleanup finished. Will start working on real issues soon (snmp channel, stealth exchange of packets)

Main Page is:

Rheya Kernel Rootkit / Server:
  • created UDP channel, which is a fake channel for all UDP-based protocols
  • The UDP channel now has protocol identification via the destination port
  • possible UDP/ICMP protocol plugins are now easy to create; just write an Identifikation() method and a handler, which can only work on a copy of the packet in a normal buffer and creates the reply packet from it. Everything else is now transparent.
  • It is now possible to safely transfer more than 100 bytes. Should now work up to the MTU (dependency on MBUFs resolved).
  • Connections / sessions implemented

Client / Kelvin:
  • general Code Cleanup
  • Request renamed to Node, as in Rheya
  • Node has Request and Answer struct
  • Node no longer stores the payload, only metadata
  • Connections / session implemented
  • Boost linked lists instead of FreeBSD lists
  • Linux (Gentoo) compatibility
  • Threw out the networking thread with pcap_loop(); using pcap_next() again, which simplifies the client considerably
  • Code checked into public SVN

Next steps:
  1. Documentation
  2. SNMP channel
  3. Stealth exchange of packet content, for networking channels
  4. TCP channels
  5. Transfer amounts of data larger than the MTU

About this Archive

This page is an archive of entries from March 2009 listed from newest to oldest.