Many eyes make security vulnerabilities shallow
-
-
@izzion Nice how they got through writing the entire article without using the word "virus".
-
@Watson For it to be a computer virus, it needs to spread to other systems on its own.
-
@Watson said in Many eyes make security vulnerabilities shallow:
@izzion Nice how they got through writing the entire article without using the word "virus".
Interesting side note: while everyone has heard of computer virus / anti-virus software, actual viruses have become extremely rare.
-
I know it's much easier to justify post-factum than to actually detect such an infection in practice, but when I was given a backdoored machine as a demonstration, it had an actual kernel module as a rootkit, not a shared object to $LD_PRELOAD. We had to take apart a filesystem image of the machine in order to find where it was hiding.
Any statically linked binary would defeat $LD_PRELOAD. Running a binary with a wrong architecture (i686/amd64) would even be noisy about it. (ERROR: ld.so: object 'rootkit.so' from LD_PRELOAD cannot be preloaded: ignored.)
Gentoo's sandbox comes with an $LD_PRELOAD library to guard well-behaving applications from modifying parts of the filesystem they are not supposed to touch. They handle statically linked binaries by means of ptrace (i.e. acting as a debugger), but a dynamically linked binary could thwart it by performing a syscall instruction manually.
-
@topspin said in Many eyes make security vulnerabilities shallow:
@Watson said in Many eyes make security vulnerabilities shallow:
@izzion Nice how they got through writing the entire article without using the word "virus".
Interesting side note: while everyone has heard of computer virus / anti-virus software, actual viruses have become extremely rare.
There are less easy-to-find vulnerabilities now that Microsoft's got their shit together.
Also, it's harder to make money off viruses in the traditional ways (harvesting clicks / ad views / Amazon referral sales) now. So if a real remote-execution vulnerability is found by a black-hat, it makes sense to sell to a government or other large organization. Then it's used for more lucrative targets, not consumer PCs.
-
@aitap said in Many eyes make security vulnerabilities shallow:
Any statically linked binary would defeat $LD_PRELOAD. Running a binary with a wrong architecture (i686/amd64) would even be noisy about it. (ERROR: ld.so: object 'rootkit.so' from LD_PRELOAD cannot be preloaded: ignored.)
It would still be possible to hide in the filesystem by installing a kernel module to hide the files. Even a statically linked executable has to poke a filesystem through the OS.
But it does open up an avenue for detecting the intrusion in data centers; if you periodically shut down the machines for maintenance, boot to a temporary OS image, run a filesystem listing, and compare to what had been listed by the same machine running normally. Discrepancies in the listing would be a dead giveaway.
-
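The offline-versus-live comparison described above, as an added example that is not part of the original thread: it parses two constructed listings (one taken on the running host, one from a rescue boot of the same disk, with paths assumed to be re-rooted so they match) and reports paths the live system cannot see, paths only the live system shows, and entries whose size or mtime disagree. Pseudo-filesystems and runtime state are skipped so that legitimate differences do not drown the signal.

```python
"""Compare a live filesystem listing with one taken from a clean rescue boot.
Paths present offline but absent from the live view are exactly what a
file-hiding rootkit produces.  Listing format (constructed for this example):
"<path>\t<size>\t<mtime>" per line, as produced by
  find / -xdev -type f -printf '%p\t%s\t%T@\n'
with the rescue-boot listing re-rooted so paths line up."""
from typing import Dict, List, NamedTuple

# Trees that legitimately differ between a running system and a rescue boot.
VOLATILE_PREFIXES = ("/proc", "/sys", "/dev", "/run", "/tmp")


class Entry(NamedTuple):
    size: int
    mtime: float


def is_volatile(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in VOLATILE_PREFIXES)


def parse_listing(text: str) -> Dict[str, Entry]:
    """Parse tab-separated lines into {path: Entry}, skipping volatile trees."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, size, mtime = line.split("\t")
        if not is_volatile(path):
            entries[path] = Entry(int(size), float(mtime))
    return entries


class Report(NamedTuple):
    hidden: List[str]   # offline only: invisible to the running system
    missing: List[str]  # live only: odd once volatile trees are excluded
    changed: List[str]  # in both listings, but size or mtime disagree


def compare_listings(live_text: str, offline_text: str) -> Report:
    live, offline = parse_listing(live_text), parse_listing(offline_text)
    both = set(live) & set(offline)
    return Report(sorted(set(offline) - set(live)),
                  sorted(set(live) - set(offline)),
                  sorted(p for p in both if live[p] != offline[p]))


# Constructed sample listings (not real data): the live view lacks the preload
# config and a library, and reports a different size for /bin/ls.
LIVE = ("/etc/passwd\t2048\t1700000000.0\n/bin/ls\t138208\t1690000000.0\n"
        "/proc/1/status\t0\t1700000500.0\n")
OFFLINE = ("/etc/passwd\t2048\t1700000000.0\n/etc/ld.so.preload\t34\t1700000400.0\n"
           "/usr/local/lib/hidden_example.so\t16616\t1700000400.0\n"
           "/bin/ls\t142304\t1700000400.0\n")

if __name__ == "__main__":
    for label, paths in compare_listings(LIVE, OFFLINE)._asdict().items():
        for p in paths:
            print(f"{label:8s} {p}")
```

A changed entry for a core binary like /bin/ls is as telling as a hidden path: the live size comes from the (possibly trojaned) kernel and libraries, while the offline one comes from the disk.
-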
@acrow said in Many eyes make security vulnerabilities shallow:
@topspin said in Many eyes make security vulnerabilities shallow:
@Watson said in Many eyes make security vulnerabilities shallow:
@izzion Nice how they got through writing the entire article without using the word "virus".
Interesting side note: while everyone has heard of computer virus / anti-virus software, actual viruses have become extremely rare.
There are less easy-to-find vulnerabilities now that Microsoft's got their shit together.
Also, it's harder to make money off viruses in the traditional ways (harvesting clicks / ad views / Amazon referral sales) now. So if a real remote-execution vulnerability is found by a black-hat, it makes sense to sell to a government or other large organization. Then it's used for more lucrative targets, not consumer PCs.
That's not what I was talking about. Most malware nowadays are worms / trojans / straight-up malware executables installed through social engineering.
Very rarely (I think, I'm very much not an expert) is malware still a piece of executable code that doesn't live by itself but infects other processes. You might have some malware installed, but your explorer.exe probably doesn't have a virus.
-
@acrow said in Many eyes make security vulnerabilities shallow:
It would still be possible to hide in the filesystem by installing a kernel module to hide the files.
I agree, but once you have a kernel module in the system, why bother using a less stealthy technique?
DeOffence in depth?
-
@aitap said in Many eyes make security vulnerabilities shallow:
DeOffence in depth?
You joke, I assume. But at the same time, why not? Hiding in a .so library only until you can infect the kernel, maybe? Intercept the root password if someone types it in, and get the keys to the kingdom that way.
Alternatively, if the kernel module is discovered and removed, but the investigation fails to notice your dynamic library, you could squawk out a warning that the hack has been discovered.
Of course, it'd have to be a rather dense sysadmin to not nuke and repave the system after finding the kernel module. But we've seen denser.
-
@acrow with two or more separate vectors, you could also for instance have the kernel module restore a removed SO or vice versa, a la the seminal "Robin Hood / Friar Tuck" approach.
(Well. With two things at the same privilege level you could. An SO probably can't install a module.)
-
@Gribnit said in Many eyes make security vulnerabilities shallow:
An SO probably can't install a module.
That depends on whether it ever gets loaded into an executable with root privileges...
-
@dkf said in Many eyes make security vulnerabilities shallow:
@Gribnit said in Many eyes make security vulnerabilities shallow:
An SO probably can't install a module.
That depends on whether it ever gets loaded into an executable with root privileges...
What this calls for is a securityd d d d
-
@Gribnit said in Many eyes make security vulnerabilities shallow:
@acrow with two or more separate vectors, you could also for instance have the kernel module restore a removed SO or vice versa, a la the seminal "Robin Hood / Friar Tuck" approach.
That's a neat trick. But I'm not sure if it's all that useful. Even if a sysadmin didn't nuke and repave after the initial infection, and just removed the offending piece, finding that the module/.so gets magically re-installed is sure to prompt a swift nuking.
-
@acrow said in Many eyes make security vulnerabilities shallow:
Hiding in a .so library only until you can infect the kernel, maybe? Intercept the root password if someone types it in, and get the keys to the kingdom that way.
Alternatively, if the kernel module is discovered and removed, but the investigation fails to notice your dynamic library, you could squawk out a warning that the hack has been discovered.
These are all sensible scenarios. I can even imagine situations where LD_PRELOAD is the only option, for example, when the target is a container (which isn't supposed to load modules, right?) and you don't want to compromise the host machine, or when the kernel has module support disabled or refuses to load them for some other reason.
I should be arguing against the presentation of the backdoor as undetectable, not the technique itself.
-
@Rhywden said in Many eyes make security vulnerabilities shallow:
@Watson For it to be a computer virus, it needs to spread to other systems on its own.
Pendantry: That makes it a worm, not a virus.
-
@topspin said in Many eyes make security vulnerabilities shallow:
@Watson said in Many eyes make security vulnerabilities shallow:
@izzion Nice how they got through writing the entire article without using the word "virus".
Interesting side note: while everyone has heard of computer virus / anti-virus software, actual viruses have become extremely rare.
Indeed, yet fun-gal infections are on the rise....
-
@TheCPUWizard If you're going to get involved with fun gals, at least use protection.
Also, I once caught a fungal (yeast) infection from my wife. It wasn't fun.
-
@HardwareGeek Too Much Information.