Intrusion Detection FAQ: Knark: Linux Kernel Subversion

Jonathan Clemens, CCP, CISSP
Corporate Information Security, Intel

History

Knark is one of the second generation of a relatively new form of rootkit: a loadable kernel module (LKM) that hides the attacker's files, processes and network connections from the system's own tools by changing how the running kernel answers for them. The author places an explicit disclaimer in the code and readme file stating that it is not to be used for illegal activity. It is easily used for exactly that purpose, however, and covert use has indeed been reported to the author.

Knark was designed and coded by creed@sekure.net, based on heroin.c by Runar Jensen (http://www.dataguard.no/bugtraq/1997_4/0059.html), with ideas from "Weakening the Linux Kernel" by plaguez in Phrack 52. After replacing most of the heroin.c code, Creed renamed the program 'Knark', which is Swedish slang for drugs. Creed's other programs can be found at http://www.sekure.net/~happy-h/, but that site is in Swedish only and of limited use to those of us who do not read the language.

The first released version of Knark was 0.41, released around June 1999 and referenced in B4B0 #9 (http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt). Versions 0.50 and 0.59 followed. At the time of this writing both are available from packetstorm.securify.com, and 0.59 is the current revision.

Features

Knark, at version 0.59, has the following features:
  • Hide/unhide files or directories
  • Hide TCP or UDP connections
  • Execution redirection
  • Unauthenticated privilege escalation ("rootme")
  • Utility to change the UID/GID of a running process
  • Unauthenticated, privileged remote execution daemon
  • kill -31 <pid> to hide a running process

By combining execution redirection with file hiding, an attacker can substitute backdoored versions of system executables. Because the redirection happens in the kernel at exec time, the original binaries on disk are left in place and untouched by Knark, so file checksum tools report them as unchanged; nor will configuration-checking tools find anything wrong with the PATH environment, since the path being resolved is the genuine one.

Knark ships with a second LKM, modhide, which removes whichever module was loaded immediately before it from the kernel's module list, making Knark invisible to lsmod.

Detection

Creed, the author of Knark, has also released a utility, knarkfinder.c (http://jclemens.org/knark/knarkfinder.c), for finding hidden processes. Whether it will continue to detect later versions of Knark, and other programs that rely on hiding processes, remains to be seen.

The most straightforward way to determine whether Knark is installed is to run one of the utilities from the Knark package, such as rootme, from an unprivileged account and see whether root access is granted. Since Knark currently has no authentication, any local user running that program will be granted root if Knark is loaded. Note that this test exercises the backdoor itself: a positive result means the host is already under an attacker's control and should be handled as compromised from that moment on.
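The hidden-process check that knarkfinder performs can also be written from scratch. The program below is an added example for this article, not knarkfinder.c and not code from Creed or the Knark package. It compares the PIDs that appear in a directory listing of /proc (the only source ps and top consult, and the one a getdents-filtering rootkit lies about) with the PIDs the kernel admits exist when probed through kill(pid, 0). The constants MAX_LISTED, MAX_HIDDEN and the pid limit in main are assumed bounds, and the Tgid check is an addition for modern kernels, which list only thread-group leaders in /proc; it was not needed on the 2.2 kernels Knark targeted.

```c
/* Added example (not from the original article, and not knarkfinder.c):
 * report processes that exist but are missing from the /proc listing.
 * A rootkit hides a process by filtering it out of the directory entries of
 * /proc, which is all ps and top consult; but the kernel still answers
 * kill(pid, 0) with 0 or EPERM for any PID that exists, ESRCH otherwise. */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#define MAX_LISTED 65536   /* assumed bound on /proc entries kept per pass */
#define MAX_HIDDEN 1024    /* assumed bound on candidates reported */

/* Numeric entries of /proc, exactly as ps sees them. Returns count or -1. */
static int list_proc_pids(pid_t *out, size_t max)
{
    DIR *d = opendir("/proc");
    if (d == NULL) return -1;
    size_t n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long v = strtol(e->d_name, &end, 10);
        if (e->d_name[0] == '\0' || *end != '\0' || v <= 0) continue;
        if (n < max) out[n++] = (pid_t)v;
    }
    closedir(d);
    return (int)n;
}

/* Ask the kernel directly whether a PID exists, bypassing /proc entirely. */
static int pid_alive(pid_t pid)
{
    return kill(pid, 0) == 0 || errno == EPERM;  /* EPERM: exists, not ours */
}
static int in_list(const pid_t *list, size_t n, pid_t pid)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == pid) return 1;
    return 0;
}

/* Pure comparison, no syscalls: every PID in `alive` absent from `listed`. */
static size_t hidden_pids(const pid_t *listed, size_t nlisted,
                          const pid_t *alive, size_t nalive,
                          pid_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < nalive && n < max; i++)
        if (!in_list(listed, nlisted, alive[i])) out[n++] = alive[i];
    return n;
}

/* Modern kernels list only thread-group leaders in /proc, yet kill(tid, 0)
 * succeeds for every thread: a candidate whose Tgid is another PID is just a
 * thread. A PID with no readable status file at all stays a candidate. */
static int is_thread_of_other(pid_t pid)
{
    char path[64], line[128];
    long tgid = pid;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    while (fgets(line, sizeof line, f) != NULL)
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid != (long)pid;
}

/* Probe every PID up to `limit` against the /proc listing, then re-check the
 * candidates against a fresh listing and probe, so a process that was merely
 * created or exited between passes is not reported. Returns count or -1. */
static int scan_for_hidden(pid_t limit, pid_t *out, size_t max)
{
    static pid_t listed[MAX_LISTED], cand[MAX_HIDDEN];
    int nlisted = list_proc_pids(listed, MAX_LISTED);
    if (nlisted < 0) return -1;
    size_t ncand = 0, still = 0;
    for (pid_t p = 1; p <= limit && ncand < MAX_HIDDEN; p++)
        if (pid_alive(p) && !in_list(listed, (size_t)nlisted, p) &&
            !is_thread_of_other(p))
            cand[ncand++] = p;
    if ((nlisted = list_proc_pids(listed, MAX_LISTED)) < 0) return -1;
    for (size_t i = 0; i < ncand; i++)
        if (pid_alive(cand[i])) cand[still++] = cand[i];
    return (int)hidden_pids(listed, (size_t)nlisted, cand, still, out, max);
}

int main(void)
{
    static pid_t found[MAX_HIDDEN];
    /* 4194304 is the default pid_max on 64-bit Linux; 32768 on 2.2 kernels */
    int n = scan_for_hidden(4194304, found, MAX_HIDDEN);
    if (n < 0) { perror("/proc"); return 2; }
    for (int i = 0; i < n; i++)
        printf("PID %d exists but is absent from the /proc listing\n", (int)found[i]);
    return n > 0 ? 1 : 0;
}
```

Run it as root so that kill(pid, 0) is not refused for other users' processes (EPERM is still counted as "exists", so an unprivileged run works but tells you less about ownership). The comparison itself is only as good as its two sources: a rootkit that also lies about kill(pid, 0) for the PIDs it hides would defeat this particular check, which is why such checks are best combined with others, such as comparing the socket tables against what netstat shows.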

Defenses

The simplest, most obvious, and arguably least helpful advice for avoiding a Knark installation on your systems is "don't let an attacker get root." Assuming that a systems administrator has taken all normal steps to prevent such a compromise in the first place, two other steps may be appropriate:
  1. Build and use static (monolithic) kernels with loadable module support compiled out. In such an environment, Knark and similar LKMs cannot be loaded at all.
  2. Use lcap (http://pweb.netcom.com/~spoon/lcap/) to remove CAP_SYS_MODULE, the capability to load LKMs, from the kernel's capability bounding set once the system has finished booting. On the 2.2 and 2.4 kernels lcap targets, any root process can drop a capability from the bounding set but only init (PID 1) can add one back, so in practice a dropped capability stays dropped until reboot; implemented correctly, this prevents an attacker from loading an LKM while the system is running. However, an attacker who has gained root could modify the startup sequence to load and hide Knark before lcap is executed. Scripts to do this, and quite possibly root exploits that circumvent lcap, will undoubtedly be widely available in the near future.

Neither step removes root's ability to write to kernel memory through /dev/kmem, so both raise the cost of kernel subversion rather than rule it out.

Future Development

The THC/Plasmoid Solaris LKM trojan effort (http://thc.inferno.tusculum.edu/files/thc/slkm-1.0.html) appears to be progressing in parallel with Knark rather than deriving from it: Creed reports no contact from its authors, and both draw on the same foundation of conceptual and architectural articles.

Since Pragmatic has also written an article for THC on Linux LKMs (http://www.infowar.co.uk/thc/files/thc/LKM_HACKING.html), it is quite plausible that Knark will be superseded by a third-generation Linux LKM from THC. Given the consistent quality and popularity of THC's other offerings, such a program could eclipse Knark quickly.

References:

Creed (pseud.). "Knark – kernel based Linux rootkit." B4B0, No. 9. Unspecified 1999. URL: http://packetstorm.securify.com/mag/b4b0/b4b0-09.txt (3 April 2000)

Creed (pseud.) and Clemens, Jonathan. Email exchange, 1-2 April 2000. URL: http://jclemens.org/knark/creed_interview1.html (3 April 2000)

Jensen, Runar. "Malicious Linux Modules." 9 October 1997. URL: http://www.dataguard.no/bugtraq/1997_4/0059.html (3 April 2000)

Plaguez (pseud.). "Weakening the Linux Kernel." Phrack, No. 52. 26 January 1998. URL: http://packetstorm.securify.com/mag/phrack/phrack52/P52-18 (3 April 2000)

Plasmoid (pseud.). "Solaris Loadable Kernel Modules." Unspecified 1999. URL: http://thc.inferno.tusculum.edu/files/thc/slkm-1.0.html (3 April 2000)

Pragmatic (pseud.). "(nearly) Complete Linux Loadable Kernel Modules." March 1999. URL: http://www.infowar.co.uk/thc/files/thc/LKM_HACKING.html (3 April 2000)

Spoon (pseud.). "LCAP." 22 December 1999. URL: http://pweb.netcom.com/~spoon/lcap (3 April 2000)