Checking System Utilities

Don Erickson derick at zeni.net
Sat Mar 5 10:47:42 CST 2005


I've been thinking about this rootkit detection and exposure issue, and
here are my thoughts:

To me, in determining the integrity of any system, the core question is,
have the system utilities been compromised?  In the equestrian sporting
world there is a saying, "Pretty is as Pretty does."  From this
philosophy, what do the utilities say, and is there a difference between
the output of the utilities on the machine and "known clean" utilities?
I can't get completely past the feeling that any other test is just window
dressing, and while they are all useful tools, it seems to me that any of
them could possibly be compromised with a sophisticated enough rootkit.
When you are root, _in theory_ you can rewrite md5sums, dates, and even
remote hosts used to retrieve live trusted sums.  I know of no rootkits
that currently do this, but I can imagine how it might be possible.

Anyways, with help from a "Building a live CD" article in this month's
Linux Journal, here is the procedure that I have come up with to test
system utilities on any machine without a reboot:

You need about 2 gig of space to use the utilities on a knoppix cd, and a
knoppix cd.  Here's the recipe:

Drop a KNOPPIX cd into the tray.  Download the cloop-utils package, on
debian this is

# apt-get install cloop-utils

Mount the Knoppix cd:

# mount /dev/cdrom /mnt

Extract the compressed knoppix filesystem (this will take a while: go
bake a cake or something)

# extract_compressed_fs /mnt/KNOPPIX/KNOPPIX > /tmp/knoppix-compressed

Then mount the extracted filesystem.

# mkdir /tmp/knoppix; mount -o loop /tmp/knoppix-compressed /tmp/knoppix

Symlink the libraries to the knoppix directory:

Okay, now you're all set.  Does the output of the utilities match?

# ps ax > /tmp/sysout; env LD_LIBRARY_PATH=/tmp/knoppix/lib \
/tmp/knoppix/bin/ps ax > /tmp/knoppixout; \
diff /tmp/sysout /tmp/knoppixout

Obviously these commands must be edited for any utility that you wish to
check.  I'm sure that there are lots of lists of "normally rewritten
utilities" for most rootkits on the web, and a script could be written to
check them all.  ps ax will show expected differences, but any seriously
funny stuff should reach out and grab you by the throat.

If anybody sees any flaws in my thinking here, feel free to point them
out.  At this point I don't see why this wouldn't work, and I can't
imagine how a rootkit could hide from this type of scrutiny.


Regards,

-Don
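The comparison from the post, turned into a small script that walks a list of utilities (added example, not code from Don's message). It assumes the trusted tree is the extracted Knoppix filesystem mounted at /tmp/knoppix as in the recipe, and that its libraries live under lib and usr/lib of that tree.

```shell
#!/bin/sh
# Added example, not from Don's post: compare each host utility with the
# same utility from a mounted "known clean" tree (the extracted Knoppix
# filesystem at /tmp/knoppix in the post; the path is an assumption here).

# compare_util ROOT UTIL [ARGS...]
# Runs UTIL from the host PATH and from the trusted tree and diffs the output.
# Returns 0 if identical, 1 if the outputs differ, 2 if no trusted copy exists.
compare_util() {
    root=$1; util=$2; shift 2
    trusted=""
    for d in bin sbin usr/bin usr/sbin; do
        if [ -x "$root/$d/$util" ]; then trusted="$root/$d/$util"; break; fi
    done
    [ -n "$trusted" ] || return 2
    tmp=$(mktemp -d) || return 2
    # Host copy: whatever PATH resolves to, which is what a rootkit replaces.
    "$util" "$@" > "$tmp/host" 2>&1 || :
    # Trusted copy, linked against the trusted tree's own libraries.
    env LD_LIBRARY_PATH="$root/lib:$root/usr/lib" "$trusted" "$@" \
        > "$tmp/trusted" 2>&1 || :
    if diff -u "$tmp/host" "$tmp/trusted"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# check_utils ROOT "UTIL ARGS" ...
# Each argument is one command line, word-split on spaces, e.g. "ps ax".
# Prints a verdict per utility; returns how many differed or were missing.
check_utils() {
    root=$1; shift
    bad=0
    for cmdline in "$@"; do
        rc=0
        # Unquoted $cmdline on purpose: split "ps ax" into utility and args.
        compare_util "$root" $cmdline > /dev/null 2>&1 || rc=$?
        case $rc in
            0) echo "OK       $cmdline" ;;
            1) echo "MISMATCH $cmdline (run compare_util to see the diff)" ;;
            *) echo "MISSING  $cmdline (no trusted copy under $root)" ;;
        esac
        [ "$rc" -eq 0 ] || bad=$((bad + 1))
    done
    return $bad
}

# Typical run against the tree mounted in the post (list is illustrative):
# check_utils /tmp/knoppix "ps ax" "ls -la /bin" "netstat -an" "lsof -n"
```

Version skew between the Knoppix binaries and the host's, and the comparison's own ps entries, show up as mismatches too, so read the diff rather than treating every MISMATCH as proof of tampering.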


More information about the Kclug mailing list