Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 4 Jul 2012 01:33:27 +0200
From:      Sofian Brabez <sbz@FreeBSD.org>
To:        =?iso-8859-1?Q?Cl=E9ment?= Lecigne <clemun@gmail.com>
Cc:        freebsd-security@freebsd.org, Zoran Kolic <zkolic@sbb.rs>
Subject:   Re: turtle rootkit
Message-ID:  <20120703233327.GA58368@freebsd.ifr.lan>
In-Reply-To: <CAKSJdAD7=eswaD%2BmcZ6jWdVrZxpGuuP3iaHFrgPT556pHEE6EA@mail.gmail.com>
References:  <20110830033854.GA1064@faust> <CAKSJdAD7=eswaD%2BmcZ6jWdVrZxpGuuP3iaHFrgPT556pHEE6EA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
Hi,

On Tue, Aug 30, 2011 at 11:53:12AM +0200, Clément Lecigne wrote:
>
> What do you want? It's just a basic rootkit that hooks some specific
> entries inside the sysent table. It can be detected by checking if a
> device /dev/turtle2dev exists or by sending an ICMP echo request with
> a payload starting with a double '_' and if rootkit is loaded no reply
> will be returned.
>
> [root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1
> HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
> [main] memlockall(): No such file or directory
> Warning: can't disable memory paging!
>
> --- 127.0.0.1 hping statistic ---
> 1 packets tramitted, 0 packets received, 100% packet loss
>
> These tricks can be implemented inside rkhunter or/and chkrootkit.
>

It's implemented since rkhunter 1.4.0 [1], and now security/rkhunter port version [2]
is able to detect it during the check scan:

% sudo rkhunter --version | head -1
Rootkit Hunter 1.4.0
% sudo rkhunter --list rootkits | grep -i turtle2
    trNkit, Trojanit Kit, Turtle2, Tuxtendo, URK, Vampire,
% sudo rkhunter --check --sk
...
    Turtle Rootkit                                           [ Not found ]

Btw, the best way to avoid such rootkit is to use sysctl kern.securelevel in
order to avoid untrusted kernel modules loading at runtime (but can be bypassed at
boot time...)

Regards

[1] http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG?revision=1.226&view=markup
[2] http://docs.freebsd.org/cgi/getmsg.cgi?fetch=471258+0+current/cvs-all

--
Sofian Brabez

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)

iEYEARECAAYFAk/zgUYACgkQc2NR9CSH5X5NfQCfZ+benj+haRonNBzbraik9wPE
KmEAoMx3F/xnN3bzU9jCu1QbqH3YnVJP
=u3Op
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120703233327.GA58368>