
A Virtual Machine Introspection Based Architecture for Intrusion ...


• LKM-based rootkits, like Adore [44] and Knark [7], are popular representatives of the second generation of Linux kernel module (LKM) based backdoors. Mechanism-wise they differ little from early backdoors such as heroin.c; their attack vector is still direct installation into the kernel via the loadable module interface, and they modify the kernel by directly patching the sys_call_table, which makes them detectable through sys_call_table integrity checking tools such as StMichael and Samhain. Unlike first-generation backdoors, which often performed only one task, these backdoors can perform many tasks, such as hiding files, hiding processes, permission elevation, hiding the state of the promiscuous mode flag on the NIC, and a variety of other tasks an attacker might desire. These modules have ushered in a move away from user-level rootkits, which are more easily detectable through integrity checking programs like Tripwire, long a mainstay of HIDS, and toward entirely kernel-based rootkits that are significantly harder to detect.

• SUCKIT is a recently introduced "Swiss army" kernel-based rootkit along the same lines as Adore and Knark. What makes SUCKIT particularly interesting is that it has been built with the intent of installing it through the /dev/kmem interface, in order to allow subversion of systems where LKM support has been disabled. It also modifies the int 0x80 handler directly instead of tampering with the sys_call_table, thereby allowing it to avoid detection by kernel integrity checking based IDSes such as StMichael. SUCKIT is also particularly important as an indicator of things to come. As HIDSes to detect kernel-based subversion become more common and easy attack vectors for kernel subversion are disabled (such as LKM support), kernel backdoors can be expected to evolve in response. While SUCKIT currently contents itself with evading systems like StMichael or Samhain, there is no particular reason it could not simply scan the kernel for the presence of these systems and eviscerate them directly. Furthermore, a host of points to interpose upon in the kernel exist which, while not as trivial to interpose upon as the sys_call_table interface, are just as potent a mechanism for attack [25]. Given their number, these interposition points make the overhead of the polling-based integrity checking that current kernel IDS systems rely upon infeasible. Finally, the stealth of this class of malicious code could clearly be greatly increased using common techniques from the virus community. Thus, while this class of attacks is still relatively easy to address with existing HIDS mechanisms, we cannot expect that this will hold true in the foreseeable future. A complete description of SUCKIT as well as other non-LKM based kernel backdoors is presented in Phrack [40, 32].

• Ramen [8] is a Linux worm in the tradition of UNIX worms dating back to the original RTM worm that brought down the Internet in the 80s. It relies on buffer overflows in common services to penetrate the remote host. Once the host has been penetrated, it installs itself and begins scanning for new targets to infect. HIDS and NIDS tools typically attempt to detect Ramen by looking for files named ramen.tgz or looking for its signature in network traffic, respectively.
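The two bullets above make a detection argument that is easy to state and easy to get wrong: a checker that hashes sys_call_table catches an Adore/Knark-style entry overwrite, but SUCKIT's trick of leaving the table untouched and redirecting the int 0x80 dispatch path is invisible to it. The following user-space C model, added here as an illustration and not code from the paper or from any of the tools it names, reproduces that gap. The "kernel" is a handful of globals (a syscall table, a rootkit-owned shadow copy, and the pointer the modelled int 0x80 entry uses to find the table); the two attacks and the two checkers are assumptions of the example, chosen to mirror the text, and the hidden-directory-entry behaviour of the hooked getdents is likewise constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: a user-space model of a sys_call_table integrity checker
 * (StMichael/Samhain style) against two rootkit strategies from the text.
 * Nothing here touches a real kernel; the "kernel" is a few globals.
 */

typedef long (*syscall_fn)(long arg);

enum { NR_GETDENTS = 0, NR_OPEN, NR_SETUID, NR_SYSCALLS };

/* Modelled system calls. getdents returns the number of directory entries. */
static long sys_getdents(long nentries) { return nentries; }
static long sys_open(long fd) { return fd; }
static long sys_setuid(long uid) { return uid; }

/* Hooked getdents as an Adore/Knark-style rootkit would install: hide one entry. */
static long hooked_getdents(long nentries) {
    long n = sys_getdents(nentries);
    return n > 0 ? n - 1 : n;
}

/* The modelled kernel: the real table, a rootkit-owned shadow copy, and the
 * pointer the int 0x80 entry path uses to locate the table. */
static syscall_fn sys_call_table[NR_SYSCALLS];
static syscall_fn shadow_table[NR_SYSCALLS];
static syscall_fn *dispatch_table;   /* what the int 0x80 handler indexes */

static void kernel_reset(void) {
    sys_call_table[NR_GETDENTS] = sys_getdents;
    sys_call_table[NR_OPEN] = sys_open;
    sys_call_table[NR_SETUID] = sys_setuid;
    dispatch_table = sys_call_table;
}

/* int 0x80 entry: the handler is found through dispatch_table, not sys_call_table. */
static long do_int80(int nr, long arg) {
    return dispatch_table[nr](arg);
}

enum attack  { ATTACK_NONE, ATTACK_PATCH_TABLE, ATTACK_PATCH_DISPATCH };
enum checker { CHECK_TABLE, CHECK_TABLE_AND_DISPATCH };

static void apply_attack(enum attack a) {
    switch (a) {
    case ATTACK_PATCH_TABLE:
        /* LKM rootkit: overwrite the entry in the real table. */
        sys_call_table[NR_GETDENTS] = hooked_getdents;
        break;
    case ATTACK_PATCH_DISPATCH:
        /* SUCKIT-style: leave sys_call_table untouched and repoint the
         * dispatcher at a modified private copy. */
        memcpy(shadow_table, sys_call_table, sizeof shadow_table);
        shadow_table[NR_GETDENTS] = hooked_getdents;
        dispatch_table = shadow_table;
        break;
    default:
        break;
    }
}

/* FNV-1a over raw bytes, used to snapshot the table contents. */
static uint64_t fnv1a(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

struct baseline { uint64_t table_hash; syscall_fn *table_ptr; };

static struct baseline take_baseline(void) {
    struct baseline b;
    b.table_hash = fnv1a(sys_call_table, sizeof sys_call_table);
    b.table_ptr  = dispatch_table;
    return b;
}

/* Returns 1 if the kernel still matches the baseline under the given checker. */
static int kernel_intact(const struct baseline *b, enum checker c) {
    int table_ok = fnv1a(sys_call_table, sizeof sys_call_table) == b->table_hash;
    if (c == CHECK_TABLE) return table_ok;
    return table_ok && dispatch_table == b->table_ptr;
}

/* Reset, baseline, attack, check. Returns 1 if the checker flags the attack. */
int detected(enum attack a, enum checker c) {
    kernel_reset();
    struct baseline b = take_baseline();
    apply_attack(a);
    return !kernel_intact(&b, c);
}

/* What a process sees from getdents after the attack (entries left visible). */
long visible_entries(enum attack a, long real_entries) {
    kernel_reset();
    apply_attack(a);
    return do_int80(NR_GETDENTS, real_entries);
}

int main(void) {
    printf("table patch,    table-only check:     %s\n",
           detected(ATTACK_PATCH_TABLE, CHECK_TABLE) ? "detected" : "missed");
    printf("dispatch patch, table-only check:     %s\n",
           detected(ATTACK_PATCH_DISPATCH, CHECK_TABLE) ? "detected" : "missed");
    printf("dispatch patch, table+dispatch check: %s\n",
           detected(ATTACK_PATCH_DISPATCH, CHECK_TABLE_AND_DISPATCH) ? "detected" : "missed");
    return 0;
}
```

The model makes the paper's point concrete: both attacks hide the same directory entry from user space, yet only the table overwrite changes the bytes a table-only checker hashes. Extending the baseline to the dispatcher's table pointer closes this particular hole, but every further interposition point the text alludes to (the handler code itself, the IDT entry, VFS operation tables) would need its own snapshot, which is exactly why polling-based integrity checking scales poorly as attackers move away from sys_call_table.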
