Jonathan Clemens, CCP, CISSP
Corporate Information Security, Intel
Knark is one of the second generation of a relatively new form of rootkit—a loadable kernel module (LKM) designed to mask the presence of system activity. The author places an explicit disclaimer in the code and readme file, indicating that it is not to be used for illegal activity. However, it is easily used for this purpose, and covert usage has indeed been reported to the author.
Knark was designed and coded by email@example.com, based on http://www.dataguard.no/bugtraq/1997_4/0059.html heroin.c by Runar Jensen, with ideas from "Weakening the Linux Kernel" by plaguez in Phrack 52. After replacing most of heroin.c code, Creed decided to rename the program ‘Knark’—which means "drugs" in Swedish. Creed’s other programs can be found at http://www.sekure.net/~happy-h/, but that website is in Swedish only, and of limited use to those of us who do not read Swedish.
The first released version of Knark was 0.41, released about June, 1999, which is referenced in B4B0 #9: http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt. Subsequently, 0.50 and 0.59 have been released. At the time of this writing, both are available at packetstorm.securify.com, and 0.59 is the most current revision.
Knark, at version 0.59, has the following features:
Knark comes with another LKM, modhide, which hides the LKM most recently loaded prior to its invocation, making Knark invisible to lsmod.
Creed, the author of Knark, has also released a utility called knarkfinder.c http://jclemens.org/knark/knarkfinder.c for finding hidden processes. Whether it will continue to detect later versions of Knark and other programs that rely on hiding processes remains to be seen.
The most straightforward way to determine whether a system has had Knark installed is to run one of the utilities from the Knark package, such as rootme, from an unprivileged account and determine whether root access is granted. Since Knark currently has no authentication, any local user running that program will be granted root access if Knark is loaded.
The simplest, most obvious, and arguably least helpful advice for avoiding a Knark installation on your systems is "don’t let an attacker get root." Assuming that a systems administrator has taken all normal steps to prevent such a compromise in the first place, two other steps may be appropriate:
According to http://thc.inferno.tusculum.edu/files/thc/slkm-1.0.html, and since Creed has not been contacted by the authors, it appears that the THC/Plasmoid Solaris LKM trojan effort is progressing in parallel, based on much of the same foundation of conceptual and architectural articles as Knark.
Since Pragmatic has also written an article for THC on Linux LKM’s http://www.infowar.co.uk/thc/files/thc/LKM_HACKING.html, it is quite plausible that Knark will be superceded by a third generation Linux LKM from THC. Given the consistent quality and popularity of THC’s other offerings, it seems plausible that such a program would soon eclipse Knark.
Creed (pseud.), "Knark – kernel based Linux rootkit." B4B0, No. 9. Unspecified 1999. URL: http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt (3 April 2000)
Creed (pseud.) and Clemens, Jonathan. Email exchange, 1-2 April, 2000. URL: http://jclemens.org/knark/creed_interview1.html (3 April 2000)
Jensen, Runar. "Malicious Linux Modules." 9 Oct 1997. URL: http://www.dataguard.no/bugtraq/1997_4/0059.html (3 April 2000)
Plaguez (pseud.), "Weakening the Linux Kernel." Phrack, No. 52. 26 January 1998. URL: http://packetstorm.securify.com/mag/phrack/phrack52/P52-18 (3 April 2000)
Plasmoid (pseud.), "Solaris Loadable Kernel Modules." Unspecified 1999. URL: http://thc.inferno.tusculum.edu/files/thc/slkm-1.0.html (3 April 2000)
Pragmatic (pseud.). "(nearly) Complete Linux Loadable Kernel Modules", March, 1999. URL: http://www.infowar.co.uk/thc/files/thc/LKM_HACKING.html (3 April 2000)
Spoon (pseud.). "LCAP" 22 December 1999. URL: http://pweb.netcom.com/~spoon/lcap (3 April 2000)