
New Linux userland rootkit with anti-debugging, new backdoors and pcap hiding - adamnemecek
http://blackhatlibrary.net/Azazel
======
martius
I think it was mentioned on a comment, but just to make it clear:

A rootkit is neither a virus nor a way to obtain privileges on a Linux box, but a
set of tools providing various features to keep a root access to the hacked box
hidden.

This rootkit provides various backdoors allowing to get root ssh access and
advanced anti-detection features, but as far as I know, this package won't
hurt you badly as long as you don't manipulate it with a privileged user.

~~~
ubershmekel
Maybe I misunderstood the grammar somehow, but did you just say:

> This rootkit provides various backdoors allowing to get root ssh access

followed by:

> this package won't hurt you badly

Allowing root ssh is the ultimate death of your machine's security. Having
this installed hurts you badly.

~~~
StavrosK
> Allowing root ssh is [...] your machine's security.

Taking stuff out of context is fun!

He said it won't hurt you badly as long as you don't run it as root. From
that, I understand that it can't install itself unless it's run as a
privileged user.

~~~
ubershmekel
Thanks for that, I guess I misread a bit.

So what he's saying is that there's no privilege escalation exploit packaged
with this rootkit. Gotcha.

Still I wouldn't mention "this package won't hurt you" along with such a tool.
Many userland exploits exist.

~~~
martius
Sorry, I wrote my comment quickly; this is what I meant.

I said that "it won't hurt you" as a reaction to people saying "I won't even
click on that link" in some comments.

------
adamnemecek
The site seems to be getting hammered by HN so here's the google cache
[http://webcache.googleusercontent.com/search?q=cache:8o5FkN6...](http://webcache.googleusercontent.com/search?q=cache:8o5FkN6LOuYJ:blackhatlibrary.net/Azazel+&cd=1&hl=en&ct=clnk&gl=us)

~~~
e12e
And link to source on github:
[https://github.com/chokepoint/azazel](https://github.com/chokepoint/azazel)

------
voltagex_
>Azazel hooks ptrace() and returns -1, hence denying any debugging from
occurring. The message displayed to the sysadmin is really more of a joke than
anything and will definitely set off alarms that something is wrong.

Okay, that's interesting - how would you remove this hook?

~~~
caf
Use statically-linked utilities compiled elsewhere.
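
caf's answer above (static tools compiled off the box) and voltagex_'s question about the ptrace() hook come down to the same fact: an LD_PRELOAD library sits between a program and libc, so whatever it hides (files, the ptrace call, the pcap files in the title) is hidden only on the libc side, while the kernel still answers raw system calls truthfully. The program below is an added example written for this thread, not code from Azazel, the blackhatlibrary wiki or any commenter. It asks the kernel and libc the same question about one file and flags a disagreement. It assumes Linux with the openat and getdents64 system calls, and the temp file in its self-check is constructed test input.

```c
/* preload_check.c: compare the kernel's view of a file with libc's view.
 * A userland rootkit loaded via LD_PRELOAD or /etc/ld.so.preload replaces
 * libc wrappers such as stat() and readdir(); it cannot alter what a raw
 * system call returns, so a disagreement between the two is the tell.
 * Build on a trusted box:  cc -static -O2 -o preload_check preload_check.c */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout filled in by SYS_getdents64; glibc does not export it. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* 1 if the kernel can open `path` (O_PATH needs no read permission), else 0. */
int exists_raw(const char *path) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_PATH | O_CLOEXEC);
    if (fd < 0) return 0;
    syscall(SYS_close, fd);
    return 1;
}

/* 1 if libc's stat() wrapper, which a preload library can replace, sees it. */
int exists_libc(const char *path) {
    struct stat st;
    return stat(path, &st) == 0;
}

/* Entries named `name` in `dir` according to raw getdents64; -1 on error. */
int count_raw(const char *dir, const char *name) {
    long fd = syscall(SYS_openat, AT_FDCWD, dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    long long buf[1024];            /* 8-byte aligned, like the records */
    char *p = (char *)buf;
    int hits = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, p, sizeof buf);
        if (n <= 0) break;
        for (long off = 0; off < n;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(p + off);
            if (strcmp(d->d_name, name) == 0) hits++;
            off += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return hits;
}

/* The same count through opendir()/readdir(), the path a preload hook filters. */
int count_libc(const char *dir, const char *name) {
    DIR *dp = opendir(dir);
    if (!dp) return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(dp)) != NULL)
        if (strcmp(e->d_name, name) == 0) hits++;
    closedir(dp);
    return hits;
}

/* 1 when the kernel sees dir/name but a libc wrapper does not; 0 when both
 * views agree, whether or not the file exists. */
int hidden_by_libc(const char *dir, const char *name) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (exists_raw(path) && !exists_libc(path)) return 1;
    if (count_raw(dir, name) > 0 && count_libc(dir, name) == 0) return 1;
    return 0;
}

/* Self-test on a fresh temp file in `dir` (constructed input): both views must
 * agree while it exists and after it is unlinked. 1 = consistent, -1 = no file. */
int selfcheck_tempfile(const char *dir) {
    char tmpl[PATH_MAX];
    snprintf(tmpl, sizeof tmpl, "%s/preloadchkXXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    close(fd);
    const char *name = tmpl + strlen(dir) + 1;
    int ok = exists_raw(tmpl) && exists_libc(tmpl)
          && count_raw(dir, name) == 1 && count_libc(dir, name) == 1
          && hidden_by_libc(dir, name) == 0;
    unlink(tmpl);
    return (ok && !exists_raw(tmpl)) ? 1 : 0;
}

int main(int argc, char **argv) {
    /* Default target: the preload list itself, the first thing worth checking. */
    const char *dir  = argc > 2 ? argv[1] : "/etc";
    const char *name = argc > 2 ? argv[2] : "ld.so.preload";
    if (hidden_by_libc(dir, name)) {
        printf("ALERT: kernel sees %s/%s but the libc wrappers do not\n", dir, name);
        return 1;
    }
    printf("%s/%s: kernel and libc views agree\n", dir, name);
    return 0;
}
```

Build it with -static on a clean machine and copy it over, as caf says: a dynamically linked build runs under the very library it is looking for, and a preload library can interpose syscall() just as easily as stat(). A clean result only means the two views agree for that one path; it is evidence of a discrepancy, not proof of a clean host.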

~~~
jet1
Can you explain in more newbie-friendly language? How do you detect this?
Then how do you remove this? This type of high-level tool is becoming more
mainstream as time passes. Today there are not many generic anti-tools for this
or the upcoming ones!

~~~
Tuna-Fish
Firstly, this is not some virus or worm that works its way onto your machine.
It's a payload that someone puts there possibly among other things. This means
that if you have this on your machine, or if you have reason to think you have
this on your machine, simple removal is not an acceptable solution. Whoever
put the rootkit on the machine could have done almost anything else while he
did it, and you are not guaranteed to find it all. If you find this on your
machine, you need to produce a _data-only_ backup of the machine, kill the
partitions, and set it up again.

As these rootkits are designed by rather smart people to overcome all existing
tools, there simply cannot be generic tools that catch them all. If you get
hit by a bunch of script kiddies using outdated tools, things like rkhunter
and chkrootkit can help. Modern rootkits are almost by definition undetectable
by them. If it's actually new, the way you find out about it is typically
either a separate NID box between the machine and the wall that alerts, or the
behaviour of the box changing.

~~~
keithpeter
So for a low-traffic Web server-like application, we might be running the OS
itself (/) from a read-only filesystem (e.g. making a 'live' CD-ROM or USB
image) and having read/write only for user files and logs?

End user here: I just have a Linux laptop, interested in servers on the 'wild'
web

~~~
rbanffy
Booting from an unchangeable image is the Joyent SmartOS approach, IIRC.

------
lucb1e
The title suggests there is a new virus for Linux, but I see a wiki listing
features from the malware and even linking to source code on Github. Was this
thing engineered as some sort of demonstration? Or how else did they get the
source code?

~~~
Sanddancer
Yeah, it's a demonstration of various techniques used in more modern rootkits.
As such, certain bits and pieces, like its masking of ptrace(), are set to an
obvious message. The blog post regarding the release --
[http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html](http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html)
-- is much more useful than this wiki page in discussing how certain things
are accomplished.

------
voltagex_
> Running "make install" will inject the live kit into your system. While
> removal is not impossible, it's an unnecessary and painful procedure, not to
> mention you may forget to remove it.

Why even have an install step for this? Actually, why does it exist?

~~~
awestroke
You're supposed to install it on a VM to study it, and then throw away the VM

~~~
voltagex_
I think I may do this at some stage.

------
4ad
> Website is offline No cached version of this page is available.

...and we broke it.

This is, for all intended purposes, a static page. When will people learn to
put a caching nginx in the front... that's all it takes, really.

~~~
StavrosK
The phrase is "for all intents and purposes", although your variation also
fits, very interesting!

~~~
fzltrp
Curiously, I use that variation as well. I tried to look it up to find out
where I could have picked it up, but couldn't get any interesting results.
Does anyone else use that?

~~~
DougBTX
Similar: [http://eggcorns.lascribe.net/english/32/intensive-purposes/](http://eggcorns.lascribe.net/english/32/intensive-purposes/)

~~~
drjesusphd
But "intended purposes" actually makes sense in context.

~~~
DougBTX
Yes, that's one of the defining features of an "eggcorn", that it does make
sense. Or even more sense than the original. Here's a more thorough
definition:
[http://eggcorns.lascribe.net/about/](http://eggcorns.lascribe.net/about/)

------
mwcampbell
I wonder if all-statically-linked Linux distros will become popular on the
server as a defense against userland rootkits like this.

~~~
saljam
That would be cool. Are there any? I'm aware of sta.li, but it doesn't seem to
be there yet.

As a matter of fact, is it possible to get stuff like nsswitch working without
dynamic linking on Linux?
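
caf's advice earlier in the thread is to use statically linked utilities compiled elsewhere, and mwcampbell asks whether fully static distributions would help against userland rootkits. Before trusting such a tool on a suspect host, it is worth confirming it really does bypass ld.so, because a PT_INTERP program header is what makes the kernel load the dynamic loader, and the loader is what honours /etc/ld.so.preload and LD_PRELOAD. The checker below is an added example for this thread, not code from Azazel, the blackhatlibrary wiki or any commenter; it assumes ELF64 images in host byte order, and the sample images it builds for its self-check are constructed test input, not real binaries.

```c
/* elf_static_check.c: does this binary go through ld.so at all?
 * Only a PT_INTERP program header makes the kernel load the interpreter.
 * A static-pie binary carries PT_DYNAMIC for self-relocation but no
 * PT_INTERP, and still never runs ld.so, so PT_INTERP is the decisive test.
 * Build:  cc -O2 -o elf_static_check elf_static_check.c */
#include <elf.h>
#include <stdio.h>
#include <string.h>

/* Classify an in-memory ELF64 image (assumed to be in host byte order):
 * 1 = static, 0 = started through ld.so, -1 = not a usable ELF64 image. */
int elf64_is_static(const unsigned char *buf, size_t len) {
    if (len < sizeof(Elf64_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0) return -1;
    if (buf[EI_CLASS] != ELFCLASS64) return -1;
    Elf64_Ehdr eh;
    memcpy(&eh, buf, sizeof eh);
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    /* Refuse images whose program header table lies outside the buffer. */
    if (eh.e_phoff > len || eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr)) return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_INTERP) return 0;   /* ld.so, and with it the preload list */
    }
    return 1;
}

/* Same check for a file on disk; only the leading headers are read. */
int elf64_file_is_static(const char *path) {
    static unsigned char buf[65536];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return elf64_is_static(buf, n);
}

/* Build a minimal, non-runnable ELF64 image as constructed test input: one
 * PT_LOAD header, plus a PT_INTERP header when with_interp is set.
 * Returns the image size, or 0 if `cap` is too small. */
size_t build_sample_elf(unsigned char *out, size_t cap, int with_interp) {
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS]   = ELFCLASS64;
    eh.e_ident[EI_DATA]    = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type      = ET_EXEC;
    eh.e_machine   = EM_X86_64;
    eh.e_version   = EV_CURRENT;
    eh.e_ehsize    = sizeof eh;
    eh.e_phoff     = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum     = with_interp ? 2 : 1;
    ph[0].p_type = PT_LOAD;
    ph[1].p_type = PT_INTERP;
    size_t total = sizeof eh + eh.e_phnum * sizeof(Elf64_Phdr);
    if (cap < total) return 0;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, eh.e_phnum * sizeof(Elf64_Phdr));
    return total;
}

/* Self-test on the constructed samples: 1 if the classifier behaves. */
int selfcheck_samples(void) {
    unsigned char img[256];
    size_t n = build_sample_elf(img, sizeof img, 0);
    if (n == 0 || elf64_is_static(img, n) != 1) return 0;
    n = build_sample_elf(img, sizeof img, 1);
    if (n == 0 || elf64_is_static(img, n) != 0) return 0;
    /* Truncated: header promises program headers the buffer does not hold. */
    if (elf64_is_static(img, sizeof(Elf64_Ehdr)) != -1) return 0;
    return elf64_is_static((const unsigned char *)"not an ELF file at all", 22) == -1;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/tool\n", argv[0]);
        return 2;
    }
    int r = elf64_file_is_static(argv[1]);
    if (r < 0) printf("%s: not a readable ELF64 file\n", argv[1]);
    else if (r) printf("%s: static, ld.so is never loaded\n", argv[1]);
    else printf("%s: has PT_INTERP, ld.so will honour /etc/ld.so.preload\n", argv[1]);
    return r == 1 ? 0 : 1;
}
```

One caveat that bears on saljam's nsswitch question: a glibc binary linked with -static still dlopen()s the NSS modules at runtime when it resolves names through getpwnam() or getaddrinfo(), so "static" there is not the whole story; musl-based builds avoid that, which is part of why the static-distribution projects tend to start from it.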

------
jden
Just a quick test with LTTng (lttngtrace, part of lttngtop):
[http://pastebin.com/rvebt7rp](http://pastebin.com/rvebt7rp)

I know kernel tracing is cheating for this kind of backdoor, but it can be
easy ;-)

------
guard-of-terra
I thought that Vernor Vinge greatly exaggerated hackability when he wrote Fire
in the Deep, but now I see he was right and I was wrong. Go read it now.

Scary.

~~~
sillysaurus2
[http://www.amazon.com/Fire-Upon-Deep-Zones-Thought/dp/081251...](http://www.amazon.com/Fire-Upon-Deep-Zones-Thought/dp/0812515285)

------
Cacti
I don't even want to click on this.

~~~
IsTom
It's a wiki with a link to github repo. You need to compile it first.

------
doomwad
What are some applications for this?

~~~
yoha
Security research, malware analysis, etc

------
hiphopyo
Will this work on OpenBSD?

~~~
weland
No, this is very much Linux-only.

~~~
hiphopyo
But in theory could something similar have been developed for OpenBSD?

~~~
kryptiskt
There is even a book about designing FreeBSD rootkits:
[http://www.amazon.com/Designing-BSD-Rootkits-Introduction-Ha...](http://www.amazon.com/Designing-BSD-Rootkits-Introduction-Hacking-ebook/dp/B002MZAR6I/)

~~~
marios
OpenBSD does not have loadable kernel modules, so the techniques described for
FreeBSD most likely do not apply.

As for the Azazel rootkit, it uses LD_PRELOAD. According to the ld.so
manpage[1], it is ignored for setuid/setgid executables. This looks like the
behaviour is not exactly that of the Linux ld.so, so perhaps this limits the
rootkit's impact.

[1] [http://www.openbsd.org/cgi-bin/man.cgi?query=ld.so&section=1](http://www.openbsd.org/cgi-bin/man.cgi?query=ld.so&section=1)

~~~
throwaway2048
OpenBSD does have loadable kernel modules:

[http://www.openbsd.org/cgi-bin/man.cgi?query=lkm](http://www.openbsd.org/cgi-bin/man.cgi?query=lkm)

LD_PRELOAD and friends are also ignored on Linux for setuid/setgid binaries,
otherwise privilege escalation would be trivial: just start any dynamically
linked setuid binary with LD_PRELOAD and go to town.

~~~
dmm
OpenBSD's kernel modules are for development only. They require a securelevel
change and a reboot to enable.

------
m00dy
lol, is ptrace() hooking the only technique that backdoor has as an
anti-debugging feature? If so, I will shit my pants.

------
esac
Someone from blackhatlibrary.net here?

~~~
bha_mutiny
Ping.

edit: Just created this account to answer this question. Otherwise I'm only on
HN to lurk.

