Solyaris #10: Packet Exchange

| | Comments (0) | TrackBacks (0)

I finally implemented another feature: Stealth Exchange of Packets.

When Rheya received commands over the DNS backdoor channel, it can now optionally not drop the packet after processing, but forward it to userspace like every other packet too. To not make it obvious they are rootkit packets, we exchenge their content with something unsuspicious.

This is a trace of 3 kelvin commands (connect, test, disconnect):

attacker, with kelvin client (rheya-log01.txt):
13:59:29.921992 IP > 666+ A? (50)
13:59:30.025742 IP > 666 1/0/0 (88)

13:59:30.025874 IP > 666+[|domain]
13:59:30.121066 IP > 666[|domain]

13:59:30.121152 IP > 666+ A? (45)
13:59:30.211366 IP > 666 1/0/0 (72)

Owned host with rheya is just seeing the following in his bind-logfile:
28-Mar-2009 13:59:27.655 queries: info: client query: IN A +
28-Mar-2009 13:59:27.753 queries: info: client query: IN A +
28-Mar-2009 13:59:27.842 queries: info: client query: IN A +
The standard setting is still to reply the rheya request in the kernel, and not let the packet touch userspace. But it could be suspicious if a proxy/sniffer/ids between the attacker and the real host, and the owned host, dont see the same amount of packets.

I'll implement SNMP channel next, with all the needed features.
Then i'll start with a tcp channel.
Then it's release time.

0 TrackBacks

Listed below are links to blogs that reference this entry: Solyaris #10: Packet Exchange.

TrackBack URL for this entry:

Leave a comment

About this Entry

This page contains a single entry by dobin published on March 28, 2009 1:15 PM.

Solyaris #9: Update & Code Cleanup was the previous entry in this blog.

Steampunk ?! is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.