A Hybrid Root-kit for Linux Operating System

Hacking has been around almost since the first computers were connected together. Every day many new vulnerabilities/exploits are released and many computers become compromised. This is good for an attacker because there is a constant stream of new vulnerabilities/exploits that can be leveraged to break into computers. However, with newly published exploits comes a newly released patch for those exploits (usually). This is the reason that attackers have developed back-doors commonly referred to as root-kits. A root-kit is a post-compromise tool that an attacker uses to maintain access and often collects information from users such as passwords, credit card information, social security numbers, and other sensitive information. The importance of a root-kit is that once the vulnerability which was used to exploit the system is patched, the attacker can still get back in through a backdoor . The purpose of this paper was to explore the area of root-kits by taking the role of an attacker and actually developing a root-kit that targets the Linux 2.6 kernel. By doing this we were are able to gain a great amount of insight into the internal workings of the kernel as well as its shortcomings with regards to security by developing a Linux Kernel Module (LKM) key-logger. We also look into some common techniques used by root-kits for providing a backdoor to the attacker. Then we investigate some come and simple techniques that root-kits utilize for stealth (it is imperative that the users/administrators do not know the system is compromised). Finally, we look at a simple and elegant solution for infecting a compromised computer with the root-kit we developed.