Virus and Rootkit Protection in Linux (Part 2)

The magazine of the Melbourne PC User Group
Virus and Rootkit Protection in Linux (Part 2)
Dennis Parsons

Dennis Parsons leads us carefully through improving the security of our Linux installation, teaches us how to recompile the Kernel and then explains about Rootkits and the protection we need in that area

In Part 1 we looked at installing a number of antivirus programs in Linux, some of which were capable of "on access" scanning. In this article we will be exploring how to recompile our kernel, and that will enable us to run Dazuko, the tool that provides the on access capability.

We will also examine rootkits. What are they; what are the available detection tools, and what should we do if we find our system compromised.

What Is The Kernel?

The kernel is the core of your Linux operating system and provides basic services such as those needed for the operating system to communicate with your hardware eg. CPU, RAM, hard drive/s and video card. It also controls the communication between the various parts of your operating system. Unlike other operating systems where the source code for the kernel will be a closely guarded secret, the source code for the Linux kernel is freely available, enabling the creation of customised kernels.

Why would you want to do this? It enables you to add capability to your kernel, or remove it for the sake of efficiency, reducing kernel size, or to meet the requirements of other components. The more capability you add to a kernel the bigger it becomes and the more resources it uses, which of course is not desirable. For the desktop user this is overcome by using a generic kernel with common capability built-in, and further capability added using kernel modules that can be loaded as needed. Sound, video and network cards are examples of hardware that have capability added by module, and this is due to the large variety of cards.

Figure 1. Kernel configuration using xconfig

Figure 2. Kernel configuration using menuconfig

Enabling On Access Scanning

As mentioned in Part 1, on access scanning of Linux is arguably not necessary at present, as the risk of your system becoming infected is small. It is not recommended for slower or production systems because of performance issues. But, even if you decide you don't need on access scanning, the exercise of recompiling your kernel is a useful lesson.

Recompiling Your Kernel

You need to recompile your kernel to make some minor changes to the way it operates. These changes are necessary for Dazuko to run on access scanning. Please note these instructions are specific to Mandriva/Mandrake Linux. For other distributions refer to http://www.dazuko.org/tgen.shtml.

Open a terminal window and su to root.
Install the kernel source to match the installed kernel.
uname -r
to display your kernel name - ensure the installed kernel and the source match.

From CD/DVD or download:
rpm -Uvh kernel-source-2.6-2.6.11-6mdk.i586.rpm (or use kpackage)

From online:
urpmi kernel-source (approx. 45 MB)
Change to the kernel source directory
cd /usr/src/linux
Edit the kernel configuration

make xconfig (graphical tool)

scroll down to "Rule Set Based Access Control (RSBAC)"
remove tick if selected

scroll down to "Security options"
tick "Enable different security models"

single click "Default Linux Capabilities"
(you want a dot, not a tick - see Figure 1)
File | Save

or

make menuconfig (a text based alternative to xconfig)

scroll down to "Rule Set Based Access Control (RSBAC)"
deselect it [ ]

scroll down to "Security options"
select "Enable different security models" [ * ]
modularise "Default Linux Capabilities" <M> (see Figure 2)

Exit and Save
Build the kernel (this will take some time, half an hour or more depending on processor speed)
make
Install kernel modules
make modules_install
Install the new kernel
make install
For Mandriva LE2005:

Edit /etc/modprobe.preload and add the following modules to load at boot
commoncap
capability

For Mandrake 10.1:

Due to a quirk the newly created security modules need to be copied to a different directory. This is all one command - note there is a space between security/* and /lib/modules on the next line. Also note the back quotes.

cp /lib/modules/`uname -r`custom/kernel/security/* /lib/modules/`uname -r`/kernel/security
Reboot and use the new kernel - select the one labelled
"custom" eg. 2681-12custom
If your system successfully boots set lilo to automatically use it when booting.

lilo -D 2681-12custom

(adjust to match the new kernel name you have - if you aren't sure which label to use run lilo and use the custom one)

Note: "make install" adds an entry for the new custom kernel (eg. 2681-12custom) to the boot menu. Your current kernel is retained and available by selecting "Linux" from the boot menu if you have trouble.

Installing Dazuko http://www.dazuko.org

Dazuko is needed to scan files on access and "operates by intercepting file access calls and passing the file information to a 3rd-party application", in this case antivirus software. Download the source file, dazuko-2.0.6.tar.gz at time of writing, compile and install it. For the exercise we'll assume the file was downloaded to /downloads. Please note the instructions are Mandriva/Mandrake specific.

Open a terminal window and su to root.
cd /downloads
Extract the Dazuko source
tar zxvf dazuko-2.0.6.tar.gz
cd dazuko-2.0.6
Configure the source compiling
./configure
Build the Dazuko module
make
Install the module
cp dazuko.ko /lib/modules/`uname -r`/kernel/security (again, note the back quotes)
depmod -a
Edit /etc/modprobe.preload and add the following module to load at boot
dazuko
(Note it must be inserted before "capability", if that is present)
Reboot, noting it should boot with your new kernel.

Note: Every time you install a new kernel version, which isn't often, you'll need to repeat the above procedures to recompile a new kernel and Dazuko.

Using AntiVir for On Access Scanning

Both AntiVir and ClamAV can use Dazuko to enable on access scanning, however ClamAV requires you to compile it from source and edit the configuration file to have this capability; that is too extensive for this article, so we will concentrate on AntiVir.

Open a terminal window and su to root
Change to the AntiVir installation directory,
eg. cd /home/downloads/antivir-workstation-pers
Reinstall AntiVir-select defaults if you don't understand an option
./install
Select "kernel" (k) when asked "How should AvGuard be installed?"
Select to start AvGuard automatically
Select the number of daemons to run - three is suggested
Select to scan files on opening, closing and execution
Choose to "log only" when an alert occurs
For the include path enter the root directory "/"
For the exclude path enter nothing
Select scanning inside compressed files
Elect to receive e-mail notification and choose your normal Linux account as recipient
Choose to log to a custom file - select a path and suitable file name
eg. /home/dennis/logs/AntiVir.log

on access scanning can be temporarily disabled by stopping the avguard daemon
avguard stop

To restart it:
avguard start

To permanently discontinue using on access scanning:

avguard stop
Run the AntiVir install script again and select "no install" (n) when asked "How should AvGuard be installed?"
Edit /etc/modprobe.preload and remove dazuko

Rootkits

What Is a Rootkit?

It is a set of programs designed to enable unrestricted and hidden remote root access to your system. In other words giving someone full root or superuser access to your system via the Internet, all without your knowledge.

Unless your computer is part of a large organisation (government, military, large corporation) where breaking in may have "bragging rites" associated with it, then a rootkit will have been installed with malicious intent. While your system might be the target of that malicious intent (collecting passwords or credit card information), it is more likely it will actually be directed elsewhere - used to serve Spam, host "phishing" Web sites or used to attack other more interesting or important systems.

An interesting, if somewhat technical article on the use of compromised systems can be found at: http://www.honeynet.org/papers/phishing/

Note that rootkits aren't restricted to just Linux - they exist in some form or another for all operating systems, including Microsoft Windows. While we concentrate on Linux for specifics, the general ideas apply broadly.

Where Do Rootkits Come From?

There are two main ways a rootkit can become installed on your system. Your system could be "cracked" - an intruder breaking in over a network, such as the Internet, by exploiting a security weakness and manually installs it. Or the "cracking" could be done in person by someone gaining physical access to your computer, although this approach is not very likely at home.

Provided that you keep your system fully updated by regularly checking for updates and use a firewall you are fairly safe. The firewall could be a physical device such as an ADSL router or a software firewall such as Firestarter http://www.fs-security.com, Shorewall http://www.shorewall.net or other firewall included with your operating system.

If you're running a publicly available server, for instance a Web server, extra precautions need to be taken such as assuring appropriate file permissions are set to prevent undesired file uploads.

There is still the risk of a cracker exploiting an unknown security issue to gain access but there is little more the average home user can easily do to protect themselves against this relatively small risk.

The other way a rootkit could be installed on your system is by the user installing compromised software - a package or tarball that has the rootkit already added. The most effective way to protect yourself is to download from major mirror sites and to verify the package checksum, "rpm -K package .rpm" or observe the output when using urpmi. This won't protect you from the package being compromised prior to creation or distribution to mirrors, but fortunately that scenario is very rare.

How Do Rootkits Work?

Generally by replacing legitimate programs such as "ps", "top", "passwd", "du" and "netstat", programs that would normally detect and reveal the presence of an intruder. They are replaced with versions that conceal the presence of the rootkit, the activities of the cracker and the activities of the programs they've installed. The cracker can then come and go as he pleases and the owner of the system is none the wiser when using any of the substituted programs unless he knows what to look for or uses a detection tool.

How Do I Detect a Rootkit?

Generally it is hard to tell by casual observation whether or not you've been "rooted" (had a rootkit installed), but it is possible. You might notice some unusual files, unexplained hard drive activity or maybe some unexpected network activity. However, unless you're very aware of your system most of these things would pass unnoticed, particularly as the signs would probably be fairly minor. Fortunately there are tools available to help you with the task of identifying them. They aren't perfect so there are no guarantees that they will identify every problem, and false positives do occur.

Rootkit Hunter   http://www.rootkit.nl

This is a fairly new project but has a good reputation as being an effective tool.

To install, as root:

   tar zxvf rkhunter-1.2.7.tar.gz
   cd rkhunter
   ./installer.sh

To manually update:

   /usr/local/bin/rkhunter - versioncheck (checks for new version)
   /usr/local/bin/rkhunter - update (as root user)

To scan:

   /usr/local/bin/rkhunter -c - createlogfile

To run a daily check:

   create the file /etc/cron.daily/rkhunter
   #!/bin/sh
   (
   /usr/local/bin/rkhunter - versioncheck
   /usr/local/bin/rkhunter - update
   /usr/local/bin/rkhunter - cronjob - report-warnings-only
   ) | /bin/mail -s "rkhunter daily scan" dennis
            (Note: replace "dennis" with your Linux username.)

Make the script executable: chmod +x rkhunter

Or you can add the three rkhunter commands to the root crontab (crontab -e) at times to suit you.

chkrootkit     http://www.chkrootkit.org

This is another well respected project of long standing.

To install, as root:

   tar zxvf chkrootkit.tar.gz
   cd chkrootkit-0.45
   make sense   (requires the kernel source to be installed)
   cd ..
   cp -r chkrootkit-0.45 /usr/local/chkrootkit

To scan:

/usr/local/chkrootkit/chkrootkit

To scan daily: Note: all one command.

   "crontab -e": 30 5 * * * (/usr/local/chkrootkit/chkrootkit 2>&1 | mail -s
     "chkrootkit daily scan" dennis)   (as Root user)

Again, replace "dennis" with your Linux username. There is no update option for chkrootkit.

What To Do If I'm "Rooted"?

Firstly, as a certain book says in large friendly letters, DON'T PANIC! Just because Rootkit Hunter or chkrootkit indicates there is a problem doesn't mean there actually is. False positives are possible so you need to investigate further.

Are you using the latest version with any updates? Manually check the Web sites to compare what you have running with their latest versions. Update and run the scan again.

Do both programs indicate the problem? Noting it's possible for a rootkit to interfere with some aspects of the detection processes.

Is it a known false positive? Use Google to search newsgroups for any hints. It could be a bug in a new version.

Ask around. Post a message on the Melb PC newsgroups - we may not be experts with rootkits but might be able to suggest further courses of action. Post a message on an appropriate external newsgroup.

At some stage you must take your system offline to prevent it being used to do any more damage if it is compromised - the earlier in the process the better.

Using the command "lsof" may confirm that a particular rootkit is indeed active on your system. lsof (list open files) provides a comprehensive list of processes running on your system and by which user, network connections and currently open files. By finding out the characteristics of the rootkit you suspect you have you can then search through the output of lsof for matches.

The output from lsof is extensive so redirect it to a file:

   lsof > lsof.out

If it really does appear that you have a rootkit, then there is only one sensible course of action available - reformat your drive and reinstall. It's a drastic but necessary measure because if you were to attempt to manually replace all the files altered by the attacker you may very well miss something, plus you don't know what else has been compromised. The average home user just doesn't have the knowledge or expertise required to safely clean a system. Neither do they have the skills necessary to perform any sort of meaningful analysis of the attack, which is often suggested as part of the post-rootkit process. That is more aimed at IT departments with professional system administrators (sysadmins).

Backup your home directory and any other data you wish to keep. Hopefully you've taken note of any configuration changes you've made to your system because you'll need to reintroduce them. Once you've made and checked your backups reinstall Linux, choosing to format all partitions, apply updates and copy your backed-up home directory to the fresh installation. Changing all your passwords is highly recommended.

Further Reading

"Rootkits" and hiding files/directories/processes after a break-in

http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
http://www.chkrootkit.org/links

About the Author
Dennis Parsons has been using computers in various forms since 1977. He studied applied maths and physics at the University of Adelaide before becoming professionally involved in aviation 15 years ago. He was introduced to Linux in 1999 by a fellow Melb PC member, has been using it ever since and enjoys encouraging others to do the same.

Reprinted from the July 2005 issue of PC Update, the magazine of Melbourne PC User Group, Australia

[ About Melbourne PC User Group ]