Corporate Information Security, Intel
History
Knark belongs to the second generation of a relatively new form of rootkit: a loadable kernel module (LKM) that modifies the running kernel to hide system activity. The author places an explicit disclaimer in the code and README stating that it is not to be used for illegal activity. It is, however, easily used for exactly that purpose, and covert use has indeed been reported to the author.
Knark was designed and coded by creed@sekure.net, based on heroin.c by Runar Jensen (http://www.dataguard.no/bugtraq/1997_4/0059.html), with ideas from "Weakening the Linux Kernel" by plaguez in Phrack 52. After replacing most of the heroin.c code, Creed renamed the program "Knark", which means "drugs" in Swedish. Creed's other programs can be found at http://www.sekure.net/~happy-h/, but that site is in Swedish only and of limited use to those of us who do not read Swedish.
The first released version of Knark was 0.41, released around June 1999 and referenced in B4B0 #9 (http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt). Versions 0.50 and 0.59 followed. At the time of this writing both are available at packetstorm.securify.com, and 0.59 is the most current revision.
Features
Knark, at version 0.59, has the following features:
- Hide/unhide files or directories
- Hide TCP or UDP connections
- Execution redirection (a request to execute one program silently runs another)
- Unauthenticated local privilege escalation ("rootme")
- Utility to change the UID/GID of a running process
- Unauthenticated, privileged remote execution daemon
- Hide a running process by sending it signal 31 (kill -31 <pid>)
Knark comes with a second LKM, modhide, which hides whichever LKM was loaded immediately before it, so that Knark itself does not appear in lsmod output.
Detection
Creed, the author of Knark, has also released a utility, knarkfinder.c (http://jclemens.org/knark/knarkfinder.c), for finding hidden processes. Whether it will continue to detect later versions of Knark, and other programs that rely on hiding processes, remains to be seen.
The most straightforward way to determine whether Knark is installed on a system is to run one of the utilities from the Knark package, such as rootme, from an unprivileged account and see whether root access is granted. Since Knark currently has no authentication, any local user who runs that program gets root if the module is loaded. A negative result only shows that a stock build of the current version is not loaded; a rebuilt or later version need not answer the stock utilities.
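The hidden-process check that knarkfinder performs can be reproduced with a generic consistency test, shown here as an added example (this is not Creed's knarkfinder.c or any code from the Knark package). It lists the PIDs that readdir(3) reports under /proc, adds the thread IDs found under each /proc/<pid>/task, then probes every ID from 1 up to the kernel's pid_max with kill(id, 0). An ID that answers the probe but never appeared in a listing is a candidate hidden process. The /proc paths and the fallback pid_max of 32768 are assumptions about a Linux system; the only thing the example depends on from the page is the fact that Knark hides processes from the process listing.

```c
/* Added example: hidden-process consistency check (not code from Knark). */
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Returns 1 if s is a non-empty string of decimal digits (a PID/TID entry). */
static int is_numeric(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Reads the kernel's pid_max; falls back to 32768 (assumed old default)
 * if /proc/sys/kernel/pid_max cannot be read. */
static long read_pid_max(void)
{
    long v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &v) != 1 || v < 2) v = 32768;
        fclose(f);
    }
    return v;
}

/* Sets seen[id] = 1 for every numeric entry readdir reports under dirpath.
 * Returns the number of entries marked, or -1 if the directory won't open. */
static long mark_listed(const char *dirpath, unsigned char *seen, long maxpid)
{
    DIR *d = opendir(dirpath);
    struct dirent *e;
    long n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (!is_numeric(e->d_name)) continue;
        long id = strtol(e->d_name, NULL, 10);
        if (id > 0 && id < maxpid) { seen[id] = 1; n++; }
    }
    closedir(d);
    return n;
}

/* Thread IDs answer kill(tid, 0) but are not top-level /proc entries, so
 * every TID under /proc/<pid>/task is marked as seen to avoid false positives. */
static void mark_threads(unsigned char *seen, long maxpid)
{
    char path[64];
    for (long pid = 1; pid < maxpid; pid++) {
        if (!seen[pid]) continue;
        snprintf(path, sizeof path, "/proc/%ld/task", pid);
        mark_listed(path, seen, maxpid); /* fails for pids that just exited; fine */
    }
}

/* Returns 1 if a process or thread with this ID exists: kill(id, 0) succeeds,
 * or fails with EPERM (it exists but belongs to another user); 0 on ESRCH. */
static int id_exists(long id)
{
    if (kill((pid_t)id, 0) == 0) return 1;
    return errno == EPERM;
}

/* Pure comparison step: IDs that are alive but were never listed are
 * candidates. Writes up to maxout of them to out; returns the total found. */
static size_t find_hidden(const unsigned char *seen, const unsigned char *alive,
                          long maxpid, long *out, size_t maxout)
{
    size_t n = 0;
    for (long id = 1; id < maxpid; id++) {
        if (alive[id] && !seen[id]) {
            if (n < maxout) out[n] = id;
            n++;
        }
    }
    return n;
}

int main(void)
{
    long maxpid = read_pid_max();
    unsigned char *seen = calloc((size_t)maxpid, 1);
    unsigned char *alive = calloc((size_t)maxpid, 1);
    long hidden[256];
    if (!seen || !alive) { perror("calloc"); return 1; }
    if (mark_listed("/proc", seen, maxpid) < 0) { perror("opendir /proc"); return 1; }
    mark_threads(seen, maxpid);
    for (long id = 1; id < maxpid; id++)
        alive[id] = (unsigned char)id_exists(id);
    size_t n = find_hidden(seen, alive, maxpid, hidden, 256);
    printf("%zu candidate hidden process(es)\n", n);
    for (size_t i = 0; i < n && i < 256; i++)
        printf("  id %ld answers kill(id, 0) but is not listed in /proc\n", hidden[i]);
    free(seen);
    free(alive);
    return n ? 2 : 0;
}
```

Run it as root so that kill(id, 0) is not refused for other users' processes, and run it twice: a process that starts between the listing and the probe shows up once as a false positive and disappears on the second pass. The check is a consistency test, not a proof. Both sides of the comparison go through the system call interface of a kernel that, if Knark is loaded, is already lying; a module that also filters kill() would hide from this test as well, which is why the page's advice to boot a kernel without module support carries more weight than any userland detector.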
Defenses
The simplest, most obvious, and arguably least helpful advice for avoiding a Knark installation on your systems is "don't let an attacker get root." Assuming that a systems administrator has already taken the normal steps to prevent such a compromise, two further measures may be appropriate:
- Build and run static kernels that do not support loadable kernel modules. In such an environment Knark and similar LKMs are useless.
- Use lcap (http://pweb.netcom.com/~spoon/lcap/) to remove the capability to load LKMs once the system has finished booting. Implemented correctly, this prevents an attacker from loading an LKM while the system is running. However, an attacker who has gained root could modify the startup sequence so that Knark is loaded and hidden before lcap runs. Scripts to do this, and quite possibly root exploits that circumvent lcap, will undoubtedly be widely available in the near future. (Later kernels dropped the cap-bound interface that lcap relies on; on those, the kernel.modules_disabled sysctl gives the same one-way lockout of module loading until the next reboot, and the same startup-sequence caveat applies.)
Future Development
According to http://thc.inferno.tusculum.edu/files/thc/slkm-1.0.html, and given that Creed has not been contacted by its authors, the THC/Plasmoid Solaris LKM trojan effort appears to be progressing in parallel, built on much the same foundation of conceptual and architectural articles as Knark.
Since Pragmatic has also written an article for THC on Linux LKMs (http://www.infowar.co.uk/thc/files/thc/LKM_HACKING.html), it is quite plausible that Knark will be superseded by a third-generation Linux LKM from THC. Given the consistent quality and popularity of THC's other offerings, such a program could be expected to eclipse Knark quickly.
References:
Creed (pseud.). "Knark: kernel based Linux rootkit." B4B0, No. 9. Unspecified 1999. URL: http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt (3 April 2000)
Creed (pseud.) and Clemens, Jonathan. Email exchange, 1-2 April 2000. URL: http://jclemens.org/knark/creed_interview1.html (3 April 2000)
Jensen, Runar. "Malicious Linux Modules." 9 Oct 1997. URL: http://www.dataguard.no/bugtraq/1997_4/0059.html (3 April 2000)
Plaguez (pseud.), "Weakening the Linux Kernel." Phrack, No. 52. 26 January 1998. URL: http://packetstorm.securify.com/mag/phrack/phrack52/P52-18 (3 April 2000)
Plasmoid (pseud.), "Solaris Loadable Kernel Modules." Unspecified 1999. URL: http://thc.inferno.tusculum.edu/files/thc/slkm-1.0.html (3 April 2000)
Pragmatic (pseud.). "(nearly) Complete Linux Loadable Kernel Modules", March, 1999. URL: http://www.infowar.co.uk/thc/files/thc/LKM_HACKING.html (3 April 2000)
Spoon (pseud.). "LCAP" 22 December 1999. URL: http://pweb.netcom.com/~spoon/lcap (3 April 2000)
