A Study on Detecting Metamorphic Rootkits Based on the Tripwire Detection Tool


Academic year: 2021

Tripwire ... Rootkit

(Title and author block: the extracted text is unreadable; only the words "Tripwire" and "Rootkit" and the e-mail line survive.)

E-mail: [email protected]

(Abstract: the paragraph is unreadable in this extraction. Surviving terms: Linux, Windows, Rootkit, User Mode Rootkit, Chkrootkit, Tripwire. The paragraph ends with the list: Rootkit, Linux.)

1. (section heading unreadable)

(Section body is unreadable in this extraction. Surviving fragments: Linux; Tripwire [11],[13]; Rootkit; User Mode and Kernel Mode; Kernel mode Rootkit; User Mode Rootkit.)

2. (section heading unreadable)

(Section body is unreadable in this extraction; it introduces Rootkits and the subsections below.)

2.1 Rootkit

(Body text is unreadable in this extraction. Surviving structure: (1) the stages of a Rootkit intrusion, citing [6], given as step 1 through step 4, with the surviving terms Server Process, code, root and backdoor; (2) the two Rootkit classes, User mode and Kernel mode, as follows.)

User mode Rootkit: body unreadable; cites [1],[7].

Kernel mode Rootkit [5]: body unreadable; surviving terms: Kernel, User mode Rootkit, LKM (Loadable Kernel Module).

2.2 (section heading unreadable)

(Body text is unreadable in this extraction. Surviving content: the similarity measure of Oh and Kim (2004) [8] and its worked example, reconstructed below.)

For two item sets $S_i$ and $S_j$, let $E_i$ and $E_j$ be the sets of item pairs formed from $S_i$ and $S_j$. The similarity is

$$\mathrm{Sim}(S_i, S_j) = \frac{2\,|E_i \cap E_j|}{|E_i| + |E_j|}$$

Example: $S_1 = \{A, B, C, D\}$ and $S_2 = \{A, C, D, E\}$.

$E_1 = \{AB, AC, AD, BC, BD, CD\}$, $|E_1| = 6$

$E_2 = \{AC, AD, AE, CD, CE, DE\}$, $|E_2| = 6$

$E_1 \cap E_2 = \{AC, AD, CD\}$, $|E_1 \cap E_2| = 3$

so $\mathrm{Sim}(S_1, S_2) = \dfrac{2 \cdot 3}{6 + 6} = \dfrac{1}{2}$.

2.3 (section heading unreadable)

(Body text is unreadable in this extraction. Surviving fragments: Forrest [14]; system call; hash; the Oh and Kim similarity measure of Section 2.2, applied to signatures.)

2.4 (section heading unreadable)

(Body text is unreadable in this extraction. It lists five classes of Rootkit detection technique, citing [12], each with its advantages and disadvantages; the class names and the English terms that survive are given below.)

1. Cross view based detection: compares views of files (File), processes (Process) and registry keys (Registry key); the surviving note relates it to Windows.
2. Hardware detection: surviving terms CPU and DMA.
3. Behavioral detection: surviving term false positive.
4. Signature based detection: surviving terms false positive and false negative.
5. Integrity based detection: (details unreadable).

(The closing sentence states that this paper combines signature based detection and integrity based detection to detect metamorphic Rootkits.)

3. Tripwire ... Rootkit (section heading unreadable except these two words)

(Opening paragraph is unreadable in this extraction; it states that this paper uses the Tripwire detection tool as the basis of the proposed metamorphic Rootkit detection method, covering the detection flow and the file signature comparison.)

3.1 (section heading unreadable)

(Body text is unreadable in this extraction. Surviving structure: the method builds on the two Linux tools Chkrootkit and Tripwire; Figure 1 shows the detection flow, with a Chkrootkit Detection stage followed by a Tripwire Detection stage for metamorphic Rootkits; Figure 2 gives the Tripwire detection steps, of which these terms survive:)

Step 1: Tripwire Detection; Policy File.
Step 2: policy file; baseline database.
Step 3: Tripwire Integrity Check against the baseline database.
Step 4: (unreadable); the outcome leads either to step 5 or back to step 3.
Step 5: Tripwire Report File.
Step 6: handling of the report, in sub-steps 6.1, 6.2 and 6.3; 6.1 branches to 6.3 or to 6.2 and step 9; 6.2 compares report items against the databases (see Section 3.2); 6.3 concerns the checked file attributes (property).
Step 7: (unreadable); mentions the signature database.
Step 8: (unreadable); mentions the policy file.
Step 9: Response.
Step 10: Response; System Admin.

3.2 (section heading unreadable)

(Body text is unreadable in this extraction. Surviving structure: the items in the Tripwire integrity-check report are compared against the databases using the similarity measure of Oh and Kim (2004) [8]; the surviving definitions and steps are:)

Definitions: a similarity threshold ST (Sim_Threshold); a database K_D of known Rootkit signatures; a database M_D of metamorphic (Metamorphic) Rootkit signatures.

Step 1: compute the similarity between the entries of K_D and M_D, where $S_i$ and $S_j$ are Rootkit signatures and $E_i$, $E_j$ the sets of item pairs formed from them:

$$\mathrm{Sim}(S_i, S_j) = \frac{2\,|E_i \cap E_j|}{|E_i| + |E_j|}$$

Step 2: (unreadable; concerns the set $S_i$).
Step 3: (unreadable; concerns the computed similarities and the threshold).
Step 4: compares the similarity of the signature $S_j$ with the threshold ST; the surviving labels for the two outcomes are C and Outlier.
Step 5: for entries labelled C, the signature is handled at step 6.3 of Figure 2, which mentions the Tripwire policy (policy) file and the database; otherwise the signature is treated as known and the procedure returns to step 3.

(The closing paragraph repeats that the method combines Tripwire file hash (hash) values with the Oh and Kim similarity clustering to detect metamorphic Rootkits.)

4. (section heading unreadable)

(Body text is unreadable in this extraction. Surviving content: the experiment uses the known Rootkits ark, Balaur, Dica, Fuckit and t0rn and the metamorphic Rootkits cb-rootkit, toolkit and bashdoor on Linux, and compares the proposed method against Chkrootkit [1], Rkhunter [9] and rootcheck [10]. The cb-rootkit case is walked through: Figure 3 shows cb-rootkit on the system, Figures 4, 5 and 6 the results of Chkrootkit, Rkhunter and Rootcheck against it, and Figure 7 the result of the proposed method; the names SHV5 and Showtee appear in the tool outputs.)

Table: detection results per Rootkit, with columns Chkrootkit, Rkhunter, Rootcheck and the proposed method (O/X marks; column alignment was lost in extraction, so the row text is kept as extracted):

ark O O X O Balaur O O Dica O O Fuckit O X O t0rn O O O cb-rootkit O toolkit X O X O bashdoor X X X O O X

(The closing paragraph is unreadable; it discusses the table and the comparison of the proposed Tripwire-based method with the three tools.)

5. (section heading unreadable)

(Body text is unreadable in this extraction. It closes with four numbered points, of which these terms survive: 1. Rootkit classes (User mode and Kernel mode) and their intrusion techniques; 2. a Rootkit detection method for Linux systems; 3. combining Tripwire file integrity checking with the signature database comparison to detect metamorphic Rootkits; 4. helping the system administrator protect Linux system files.)

































[1] B. Andreas, “UNIX and Linux based Rootkits Techniques and Countermeasures”, https://www.dfn-cert.de/team/bunten/rootkits_first 2004.pdf

[2] Chkrootkit, http://www.chkrootkit.org

[3] S. Jha and M. Hassan, “Building Agents for rule-based intrusion detection system,” Computer Communications, Vol. 25, No. 15, pp. 1366-1373, 2002.

[4] S. T. King and P. M. Chen, “Backtracking Intrusions,” ACM Transactions on Computer Systems (TOCS), Vol. 23, No. 1, pp. 51-76, 2005.

[5] C. Kruegel, W. Robertson and G. Vigna, “Detecting Kernel-Level Rootkits Through Binary Analysis,” Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC), 2004.

[6] W. E. Kuhnhauser, “Root kits: An operating systems viewpoint,” ACM SIGOPS Operating Systems Review, Vol. 38, No. 1, pp. 12-23, 2004.

[7] J. Levine, B. Culver and H. Owen, “A Methodology for Detecting New Binary Rootkit Exploits,” Proceedings IEEE SouthEastCon 2003, 2003.

[8] S. J. Oh and J. Y. Kim, “A Hierarchical Clustering Algorithm for Categorical Sequence Data,” Information Processing Letters, Vol. 91, No. 3, pp. 135-140, 2004.

[9] Rkhunter, http://www.rootkit.nl/

[10] Rootcheck, http://www.ossec.net/en/rootcheck.html

[11] R. F. DeMara and A. J. Rocke, “Mitigation of network tampering using dynamic dispatch of mobile agents,” Computers & Security, Vol. 23, No. 1, pp. 31-42, 2004.

[12] Security Focus, http://www.securityfocus.com/infocus/1854

[13] Tripwire, http://www.tripwire.com

[14] A. Somayaji and S. Forrest, “Automated Response Using System-Call Delays,” Proceedings of the
