[oclug] knark attack

rjordan at CR1004964-A.slnt1.on.wave.home.com
Fri Jan 12 22:34:15 EST 2001


Knark is a very powerful LKM (Loadable Kernel Module) rootkit.
Once installed (properly), it is very hard to detect (tripwire
is useless) as it can be used to create a fantasy world for the
admin.

Knark is a kernel-level rootkit, and has all the powers of the
kernel. Nothing on your system can be trusted.
Once installed (by default) knark generates a set of lists
in /proc/knark (hidden) containing the files, network 
connections and pids to be hidden *by the kernel*. Also,
commands can be redirected -- i.e. /bin/passwd can be 
redirected to a hidden file such as /dev/trojan-passwd.
Any call to execute can be remapped!! Even if you run tripwire
to detect changes in critical binaries, the originals will not
be changed, and tripwire is therefore useless to detect the 
trojans.  The smart cracker will replace standard programs
(passwd, login, ps, netstat, syslog etc.) with trojans and 
hide all traces that anything is amiss.

Some other interesting things about knark.
[defaults may be changed]

commands:
rootme: user will get root-level access.
taskhack: change uid, euid, suid, fuid of any process to root
rexec: execute commands remotely on a knark server (built in spoofing)

helper utilities:
hidef: hides files
ered: configures command redirection
nethide: hides network connections

signal:
sending signal 31 to any process will cause it to be hidden.

So in other words, knark is a very advanced and dangerous rootkit.
Be thankful you were hit by a sloppy cracker who didn't cover his/her
tracks, and format+reinstall the system (as well as any trusted systems).

some urls of interest:
http://packetstorm.securify.com/UNIX/penetration/rootkits
http://www.tmk.com/ftp/decus-sig-tapes/vlt99b/vmslt99b/sec/lkm_hacking.txt

Cheers,
Ross

> Back to work for a few days only to find that our newly upgraded (to 6.2)
> system has been cracked by something called knark.
> 
> It all began (I think) with a connection on an illegal port. This was
> reported by rshd and rlogind in the log file. 
> The next day, the /var/log directory was gone.
> Then I could not use my tape backup anymore.
> In desperation I rebuilt the system yesterday evening. I walked to the console
> this morning to find a message saying:
> 
> caine: setting eth0 to promescuious mode
> 
> I examined the logs and there were some weird messages in the messages
> file.
> 
> Then I found a file called rk24.tar.gz dumped at the root of the
> filesystem. Creation date was more or less the same as the caine program,
> and the weird log entry.
> 
> I immediately brought the system to a non-networked state and now I am
> asking you guys: How do I secure my system???
> 
> Thanks,
> 
> MGL
> _______________________________________________
> oclug mailing list
> oclug at lists.oclug.on.ca
> http://www.oclug.on.ca/mailman/listinfo/oclug
> 
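The post describes knark hiding files, pids and connections by filtering what the kernel reports, and names /proc/knark as the default list directory. One practical cross-view check a responder can run before pulling the disk is to compare the PIDs that appear in a listing of /proc with the PIDs the kernel still answers for through a different path. The script below is an added example written for this thread; it is not from the original posts or from knark. It assumes the hiding works by filtering the directory listing of /proc while kill(pid, 0) and a direct lookup of /proc/<pid> still reach the task, and it treats /proc/knark as an indicator only because the post says that is the default location. The function names (find_hidden_pids, pid_alive, knark_list_dir_present) are this example's own.

```python
"""Cross-view check for PIDs hidden from the /proc directory listing.

Added example, not code from the thread or from knark. Assumption: the
rootkit filters the directory listing of /proc, but kill(pid, 0) and a
direct lookup of /proc/<pid> still reach the task. Threads answer kill()
without being top-level /proc entries, so they are filtered out via the
Tgid field of /proc/<pid>/status.
"""
import os


def pids_from_proc_listing(proc_root="/proc"):
    """PIDs visible by listing the /proc directory: the view a rootkit filters."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def read_tgid(pid, proc_root="/proc"):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"{proc_root}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def pid_alive(pid, proc_root="/proc"):
    """Independent view: does the kernel still answer for this PID?

    kill(pid, 0) delivers no signal but reports whether the task exists.
    A task whose Tgid differs from its pid is a thread, not a hidden process.
    An unreadable status file is treated as alive: hidden is exactly the
    case where the listing and the lookup disagree.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # task exists but belongs to another user
    tgid = read_tgid(pid, proc_root)
    return tgid is None or tgid == pid


def find_hidden_pids(listed_pids, probe, max_pid=32768):
    """PIDs that answer the probe but are absent from the listing."""
    return [pid for pid in range(1, max_pid + 1)
            if pid not in listed_pids and probe(pid)]


def knark_list_dir_present(proc_root="/proc"):
    """The post names /proc/knark as the default list directory.

    Assumption: a lookup by name may still succeed even when the entry is
    filtered out of directory listings.
    """
    return os.path.exists(f"{proc_root}/knark")


def pid_max():
    """Upper PID bound from the running kernel, with a conservative fallback."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


if __name__ == "__main__":
    listed = pids_from_proc_listing()
    hidden = find_hidden_pids(listed, pid_alive, pid_max())
    print("PIDs alive but missing from the /proc listing:", hidden or "none")
    print("/proc/knark present:", knark_list_dir_present())
```

Run it twice a few seconds apart and keep only PIDs reported both times, since a process that exits between the listing and the probe shows up once as a false positive. A kernel-level rootkit can hook kill() and the /proc lookups as well, which is why the thread's answer (trusted media, format and reinstall) remains the definitive one; this check only tells you whether the sloppy case is present.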