Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: A simple, highly commented, rootkit which attacks GCC and Python (github.com/mrrrgn)
94 points by mrrrgn on Nov 12, 2014 | hide | past | favorite | 13 comments



This module appears to use a simple brute force method for uncovering the address of the system call table, as opposed to hardcoding from System.map. There's another more elegant solution that could be of interest to readers: http://www.elliotbradbury.com/linux-syscall-hooking-interrup...

If you're looking for deeper case studies on Linux rootkits, the Suterusu rootkit is an interesting PoC: http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kern...

On the other hand, if you're looking for a guide on understanding LKMs from the ground up and how they can apply to rootkits, I strongly recommend Joseph Kong's excellent book Designing BSD Rootkits. It's FreeBSD-specific and dates to 2007, but it's not still outdated AFAIR: http://www.nostarch.com/rootkits.htm


This doesn't attack gcc or python, it's just a trivial kernel module that interposes SYS_read. There's no germline persistence a la trusting trust. e.g. if I compile gcc, compile the Linux kernel, and compile python all on a system with this "rootkit" installed, and put the newly built kernel and toolchains on a new system, that system is clean.

This isn't really anything other than a Hello World kernel module.


Hmmm, well, no, it's not a full on "Trusting Trust" attack; though it has a similar outcome insofar as producing dirty binaries from clean source goes.

The module is simple, with the only tricky part being replacing a system call. My goal here was to play around with the idea of modifying source code en route to a compiler/interpreter in a sneaky way. Nothing more sophisticated than that. :]


> if I compile gcc, compile the Linux kernel, and compile python all on a system with this "rootkit" installed, and put the newly built kernel and toolchains on a new system, that system is clean.

Umm, not necessarily. Instances of "World!" in your compiled kernel, toolchain and python have been replaced with "Mrrgan".


Nice!

The name is clearly a nod to the classic "Reflections on Trusting Trust" by Ken Thompson (http://cm.bell-labs.com/who/ken/trust.html).

I feel the presentation in the video would be clearer if it just cat'd the source files before running/compiling them, to keep the source on-screen.


Good advice, I may re-shoot the gif later and do that. Thanks! :)


As a side note, how did you generate that gif?


I used licecap, it's extremely awesome. https://github.com/lepht/licecap :]


There is a high chance that it will crash your system.

- Unlocked access to ->comm

- What if buf is less than 6 bytes or not NULL terminated?

- Only searching for sys_close() is not enough, it will also find any function pointer to sys_close() and then return a false syscall table.

Anyway, a nice hack. :-)


BTW: Thanks for downvoting this.


Not sure who downvoted; but I appreciated the suggestions! Someone submitted a patch with the changes and I merged it a few hours ago. Thank you! :)


This is OK for learners. But, it's not even middle grade.


I'm only a learner myself. Not a security expert or trying to claim that this is super 1337. It's just a neat thing to play with.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: