Checking System Utilities - cleaner version

Don Erickson derick at zeni.net
Sun Mar 6 12:10:47 CST 2005


I've cleaned up the testutils.pl script and the instructions, and am
re-posting this to get a cleaner copy in the archives.

-

I've been thinking about this rootkit detection and exposure issue, and
here are my thoughts:

To me, in determining the integrity of any system, the core question is,
have the system utilities been compromised?  In the equestrian sporting
world there is a saying, "Pretty is as Pretty does."  From this
philosophy, what do the utilities say, and is there a difference between
the output of the utilities on the machine and "known clean" utilities?
I can't get completely past the feeling that any other test is just window
dressing, and while they are all useful tools, it seems to me that any of
them could possibly be compromised with a sophisticated enough rootkit.
When you are root, _in theory_ you can rewrite md5sums, dates, and even
remote hosts used to retrieve live trusted sums.  I know of no rootkits
that currently do this, but I can imagine how it might be possible.

Anyways, with help from a "Building a live CD" article in this month's
Linux Journal, here is the procedure that I have come up with to test
system utilities on any machine without a reboot:

You need a knoppix cd and about 2 gig of space to use the utilities on the
knoppix cd.  Here's the recipe:

Drop the KNOPPIX CD into the tray.  Install the cloop-utils package; on
Debian this is:

# apt-get install cloop-utils

Mount the Knoppix cd:

# mount /dev/cdrom /mnt

Extract the compressed Knoppix filesystem (this will take a while):

# extract_compressed_fs /mnt/KNOPPIX/KNOPPIX > /tmp/knoppix-compressed

Then mount the extracted filesystem.

# mkdir /tmp/knoppix; mount -o loop /tmp/knoppix-compressed /tmp/knoppix

Okay, now you're set.  Is there a difference in the output of the current
system utilities and that of the knoppix cd utilities?  Here's a perl
script to check:


-------8<------------------------------------------
#!/usr/bin/perl
# testutils.pl Don Erickson 2005
########################################################################
#
# This script will test the output of commonly trojaned programs by
# running each one from the live system and from the trusted Knoppix
# copy, then diffing the two outputs.
#
# The live Knoppix disc must be cloop mounted at /tmp/knoppix/
#
#######################################################################
use strict;
use warnings;

my @testthese = ("ps ax",
		"df",
		"netstat",
		"ifconfig",
		"ls -R",
		"iptables -L",
		#"du / -x --exclude=tmp"
		);

my $knoppix    = "/tmp/knoppix";
my $outfile    = "/tmp/testresults.txt";
my $sysout     = "/tmp/sysout";
my $knoppixout = "/tmp/knoppixout";

open(OUTFILE, ">$outfile") || die "Can't open $outfile: $!";

foreach my $test (@testthese) {

    # Split the entry into the program name and its arguments, then find the
    # program's full path so the same relative path can be used under $knoppix.
    my ($prog, $args) = split(/ /, $test, 2);
    $args = defined $args ? " $args" : "";
    my $testpath = `which $prog`;
    chomp($testpath);
    if ($testpath eq "") { print "Skipping '$test': not found in PATH\n"; next; }
    my $testthis = $testpath . $args;

    print "Testing output of '$testthis'\n";
    print OUTFILE "\n########\nDiff of $testthis :: '<' = system '>' = knoppix\n\n";
    print "System...";
    system("$testthis > $sysout");
    print "done.  Knoppix...";
    # Run the Knoppix copy of the same binary against the Knoppix libraries.
    system("env LD_LIBRARY_PATH=$knoppix/lib $knoppix$testthis > $knoppixout");
    print "done.\n";
    # Use the Knoppix diff as well, and capture its output rather than letting the
    # shell append to $outfile behind Perl's buffered filehandle.  diff exits 1
    # whenever the outputs differ, which is expected here.
    my $diff = `env LD_LIBRARY_PATH=$knoppix/lib $knoppix/usr/bin/diff $sysout $knoppixout`;
    print OUTFILE $diff;

}

print OUTFILE "Tests concluded.\n";
close(OUTFILE);
print "Tests concluded.\n";
print "Read the results in $outfile\n";
exit;


--------->8-----------------------------


Obviously this script can be edited to test the output of any utility that
you wish to check, just add the command to the @testthese array.  I'm sure
that there are lots of lists of "normally rewritten utilities" for most
rootkits on the web.  The 'du' test is commented out as this one will take
a chunk of time to run.  The results will show expected differences, but
any seriously funny stuff should reach out and grab you by the throat.
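The raw diff mixes expected noise (each run's own ps invocation, timing drift) with the one direction of difference that actually matters for a trojaned ps: processes the trusted copy lists that the system copy omits. The following is an added example, not part of Don's script, that separates the two for the "ps ax" case, keyed by PID; it assumes the Knoppix tree is mounted at /tmp/knoppix as in the recipe, and the sample outputs are constructed, not captured from a real host.

```python
#!/usr/bin/env python3
"""Classify differences between `ps ax` from the system binary and from the
trusted Knoppix copy.  Entries only the trusted copy reports are the signal."""
import os
import shutil
import subprocess

# Constructed sample outputs.  The system copy omits PID 4711; each snapshot also
# lists its own ps invocation, which is expected noise between the two runs.
SYSTEM_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [2]
  812 ?        Ss     0:00 /usr/sbin/sshd
  990 pts/0    R+     0:00 ps ax
"""
TRUSTED_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [2]
  812 ?        Ss     0:00 /usr/sbin/sshd
 4711 ?        S      0:00 /tmp/.hidden/daemon
 1003 pts/0    R+     0:00 /tmp/knoppix/bin/ps ax
"""

def parse_ps(text):
    """Map PID -> COMMAND for `ps ax` output, skipping the header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[0].isdigit():
            procs[int(fields[0])] = fields[4]
    return procs

def classify(system_text, trusted_text, test_cmd="ps ax"):
    """Return (hidden, extra): PIDs only the trusted binary reports, and PIDs only
    the system binary reports.  Each snapshot's own ps invocation is ignored."""
    sys_p, tr_p = parse_ps(system_text), parse_ps(trusted_text)
    noise = lambda cmd: cmd.endswith(test_cmd)
    hidden = {p: c for p, c in tr_p.items() if p not in sys_p and not noise(c)}
    extra = {p: c for p, c in sys_p.items() if p not in tr_p and not noise(c)}
    return hidden, extra

def snapshot_pair(test_cmd="ps ax", knoppix_root="/tmp/knoppix"):
    """Run test_cmd with the system binary and with the Knoppix copy (same relative
    path under knoppix_root, as in the Perl script); return both outputs."""
    args = test_cmd.split()
    sys_bin = shutil.which(args[0])
    env = dict(os.environ, LD_LIBRARY_PATH=f"{knoppix_root}/lib")
    run = lambda prog, e=None: subprocess.run([prog] + args[1:], capture_output=True, text=True, env=e).stdout
    return run(sys_bin), run(knoppix_root + sys_bin, env)

if __name__ == "__main__":
    hidden, extra = classify(*snapshot_pair())
    for pid, cmd in hidden.items():
        print(f"HIDDEN by system ps: {pid} {cmd}")
```

Running it against the constructed samples flags only PID 4711; the same keyed comparison can be adapted to netstat (key by local address and port) or ls -R (key by path).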

If anybody sees any flaws in my thinking here, feel free to point them
out.  At this point I don't see why this wouldn't work, and while
trojaned kernel modules are getting more common in rootkits, I can't
think of how a trojaned utility could hide from this type of scrutiny.


Regards,

-Don

