Tales from Crisis, Chapter 3: The Italian rootkit job

From Botnets.fr


Botnet: Crisis
Date: 21 Aug 2012
Editor/Conference: Osxreverser
Link: http://reverse.put.as/2012/08/21/tales-from-crisis-chapter-3-the-italian-rootkit-job/ (reverse.put.as; archive copy available)
Author: osxreverser

Abstract

The rootkit's number of features is very small: it can hide processes, files, and itself. Two versions are available, for 32- and 64-bit kernels (this post is about the 32-bit version, using Snow Leopard). The implementation is very simple and has some flaws that I will describe later.

The main feature that got me interested was hiding itself from kextstat, because this needs to be done by modifying the sLoadedKexts array (the old kmod list is not enough anymore, since it's deprecated). It doesn't seem an easy job to find the location of this symbol, and Crisis kind of cheats in doing it. What happens is that the userland backdoor module will solve the kernel symbols and pass them to the kernel module. Done this way, it's very easy to accomplish, although compatibility with future kernel releases might be in jeopardy if sLoadedKexts is modified.
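The abstract says the userland backdoor resolves kernel symbols such as sLoadedKexts and hands the addresses to the kext, without saying how. The block below is an added example, not Crisis code and not from the original post, showing the obvious way to do that from userland on a Snow Leopard era system: parse the kernel's Mach-O symbol table (LC_SYMTAB plus nlist entries) and look a name up by string. To run offline it builds a constructed, minimal 32-bit Mach-O image in memory with made-up addresses; on a real machine the image would come from mapping the kernel file (/mach_kernel at the time) and, on later kernels with ASLR, the file address would still need the runtime slide added. The resolver bounds-checks every offset so a truncated or hostile file cannot push reads outside the buffer.

```c
/* Added example (not Crisis's code): resolve a kernel symbol from userland by
 * parsing a 32-bit Mach-O symbol table, the way a backdoor could feed addresses
 * such as sLoadedKexts to a kext. The image parsed here is constructed in memory
 * and all addresses in it are made up for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal Mach-O constants and structs, matching <mach-o/loader.h>/<mach-o/nlist.h>. */
#define MH_MAGIC  0xfeedfaceu
#define LC_SYMTAB 0x2u
#define N_TYPE    0x0e
#define N_SECT    0x0e
#define N_EXT     0x01

struct mach_header    { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command   { uint32_t cmd, cmdsize; };
struct symtab_command { uint32_t cmd, cmdsize, symoff, nsyms, stroff, strsize; };
struct nlist          { uint32_t n_strx; uint8_t n_type; uint8_t n_sect; int16_t n_desc; uint32_t n_value; };

/* Return the n_value (virtual address) of `name` in the Mach-O image `img` of
 * `len` bytes, or 0 if the symbol is absent or the image is malformed. Headers
 * and entries are copied out with memcpy so unaligned buffers are fine. */
uint32_t macho32_resolve(const uint8_t *img, size_t len, const char *name) {
  struct mach_header mh;
  if (len < sizeof mh) return 0;
  memcpy(&mh, img, sizeof mh);
  if (mh.magic != MH_MAGIC) return 0;

  size_t off = sizeof mh;
  for (uint32_t i = 0; i < mh.ncmds; i++) {
    struct load_command lc;
    if (off + sizeof lc > len) return 0;
    memcpy(&lc, img + off, sizeof lc);
    if (lc.cmdsize < sizeof lc || lc.cmdsize > len - off) return 0;   /* bogus cmdsize */

    if (lc.cmd == LC_SYMTAB && lc.cmdsize >= sizeof(struct symtab_command)) {
      struct symtab_command st;
      memcpy(&st, img + off, sizeof st);
      /* Both tables must lie entirely inside the image. */
      if (st.symoff > len || st.nsyms > (len - st.symoff) / sizeof(struct nlist)) return 0;
      if (st.stroff > len || st.strsize > len - st.stroff) return 0;

      for (uint32_t j = 0; j < st.nsyms; j++) {
        struct nlist sym;
        memcpy(&sym, img + st.symoff + (size_t)j * sizeof sym, sizeof sym);
        /* Only section-defined symbols carry a real address; skip undefined ones. */
        if ((sym.n_type & N_TYPE) != N_SECT || sym.n_strx >= st.strsize) continue;
        const char *s = (const char *)img + st.stroff + sym.n_strx;
        size_t room = st.strsize - sym.n_strx;
        if (memchr(s, '\0', room) == NULL) continue;   /* unterminated string: skip */
        if (strcmp(s, name) == 0) return sym.n_value;
      }
      return 0;
    }
    off += lc.cmdsize;
  }
  return 0;
}

/* Build a constructed, minimal i386 Mach-O image: header, one LC_SYMTAB, two
 * symbols and their string table. Returns the image size, 0 if `cap` is too small. */
size_t build_sample_kernel(uint8_t *buf, size_t cap) {
  static const char strtab[] = "\0_sLoadedKexts\0_kmod";   /* offsets 1 and 15 */
  struct nlist syms[2] = {
    { 1,  N_SECT,         1, 0, 0x0080ab20 },   /* _sLoadedKexts (made-up address) */
    { 15, N_SECT | N_EXT, 1, 0, 0x0080ab00 },   /* _kmod         (made-up address) */
  };
  struct mach_header mh = { MH_MAGIC, 7 /* CPU_TYPE_I386 */, 3, 2 /* MH_EXECUTE */,
                            1, sizeof(struct symtab_command), 0 };
  struct symtab_command st = { LC_SYMTAB, sizeof(struct symtab_command), 0, 2, 0, sizeof strtab };
  st.symoff = (uint32_t)(sizeof mh + sizeof st);
  st.stroff = (uint32_t)(st.symoff + sizeof syms);
  size_t total = st.stroff + sizeof strtab;
  if (cap < total) return 0;
  memcpy(buf, &mh, sizeof mh);
  memcpy(buf + sizeof mh, &st, sizeof st);
  memcpy(buf + st.symoff, syms, sizeof syms);
  memcpy(buf + st.stroff, strtab, sizeof strtab);
  return total;
}

/* Resolve one name against the constructed image: the value a userland
 * component would pass down to the kext. */
uint32_t demo_resolve(const char *name) {
  uint8_t img[256];
  size_t len = build_sample_kernel(img, sizeof img);
  return macho32_resolve(img, len, name);
}

int main(void) {
  printf("_sLoadedKexts -> 0x%08x\n", demo_resolve("_sLoadedKexts"));
  printf("_kmod         -> 0x%08x\n", demo_resolve("_kmod"));
  printf("_missing      -> 0x%08x\n", demo_resolve("_missing"));
  return 0;
}
```

The fragility the abstract mentions follows directly from this design: the address is only as good as the file on disk matching the running kernel, and the layout of sLoadedKexts itself is private to the kernel, so any change to either breaks the hiding silently rather than loudly.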

Bibtex

 @misc{2012BFR1127,
   editor = {Osxreverser},
   author = {osxreverser},
   title = {Tales from Crisis, Chapter 3: The Italian rootkit job},
   day = {21},
   month = aug,
   year = {2012},
   howpublished = {\url{http://reverse.put.as/2012/08/21/tales-from-crisis-chapter-3-the-italian-rootkit-job/}},
 }