Linux Rootkit: Adore-ng

Adore is an open source Linux kernel rootkit that uses a loadable kernel module to hide from the user. This kind of rootkit has been around for some years, and as its techniques become known, its resistance to detection drops. Adore-ng is used here as an example, but it should not be used in environments where you want to stay undetected for a while. Having said that, Adore can do any of the following well enough to warrant consideration as a rootkit:

Configuration and installation of Adore are very straightforward if the required packages are present. On Linux kernel 2.4.x, use the following for a one-shot installation:

'./configure && make && ./startadore'

and to support persistence over reboot, use:

'./configure && make && ./relink'

For Linux kernel 2.6.x, edit Makefile.2.6.gen manually to fit your needs. Then, for a one-shot installation, use:

'make && ./startadore'

To support persistence over reboot, use:

'make && ./relink'

Note that correctly configuring each Adore build and keeping the 2.4.x and 2.6.x builds separate is important, since a build for one kernel series is not necessarily compatible with the other.

Tip

When building your version of Adore, be sure to change your ADORE_KEY to your own value to make scanning more difficult.

Adore provides an application called Ava to control the different rootkit features. Ava lets you hide or unhide files and processes, execute commands as root, print information about the host, and uninstall Adore:

Usage: ./ava {h,u,r,R,i,v,U} [file or PID]
       I     print info (secret UID etc)
       h     hide file
       u     unhide file
       r     execute as root
       R     remove PID forever
       U     uninstall adore
       i     make PID invisible
       v     make PID visible

Due to the architecture of most Unix systems, where everything "should" be a file, having the ability to hide files and processes is all that is needed to hide a remote administration toolkit.
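The flip side of that observation is how a defender looks for such hiding. A kernel rootkit that filters the /proc directory listing still has to leave the hidden process reachable through other kernel paths, so a process that answers a direct probe (kill with signal 0, or a stat of /proc/<pid>) but is missing from the readdir() listing is the classic signal. The script below is an added illustration written for this page, not code from Adore-ng or Ava; it assumes a Linux host with /proc mounted and the standard /proc/sys/kernel/pid_max file, and it puts the comparison in a pure function so the logic can be checked with constructed PID sets.

```python
"""Hidden-process check: compare PIDs listed by readdir() on /proc against
PIDs that respond to direct probes. Added example for this page; it is not
part of Adore-ng or Ava. Assumes Linux with /proc mounted.
"""
import os

PROC = "/proc"  # assumed mount point


def listed_pids(proc=PROC):
    """PIDs as reported through readdir() on /proc (the path a rootkit filters)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_pid(pid, proc=PROC):
    """True if the PID exists according to direct probes, independent of readdir()."""
    try:
        os.kill(pid, 0)          # signal 0: existence check only, nothing is delivered
        return True
    except ProcessLookupError:   # ESRCH: no such process
        pass
    except PermissionError:      # EPERM: the process exists but is not ours
        return True
    try:
        os.stat(os.path.join(proc, str(pid)))  # lookup(), a different path than readdir()
        return True
    except FileNotFoundError:
        return False


def probed_pids(pid_max, proc=PROC):
    """Brute-force every possible PID with probe_pid()."""
    return {pid for pid in range(1, pid_max + 1) if probe_pid(pid, proc)}


def find_hidden(listed, probed):
    """Pure comparison, testable with constructed sets.

    Returns the sorted PIDs that answered a probe but are absent from the
    listing. A process that exits between the two samples is in `listed`
    only, so it never shows up here; one created between samples can show
    up once, which is why scan() re-checks each hit against a fresh listing.
    """
    return sorted(probed - listed)


def read_pid_max(proc=PROC):
    with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
        return int(fh.read())


def scan(proc=PROC):
    """Sample the live system both ways and return PIDs hidden from the listing."""
    listed = listed_pids(proc)
    probed = probed_pids(read_pid_max(proc), proc)
    candidates = find_hidden(listed, probed)
    # Second listing filters processes that merely started mid-scan.
    return [pid for pid in candidates if pid not in listed_pids(proc)]


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid} answers probes but is missing from the /proc listing")
```

Running this as root avoids EPERM ambiguity, and on hosts with a large pid_max (up to 4194304) the brute-force pass takes a while, so treat it as a periodic check rather than a real-time one. The same comparison between a filtered listing and a direct lookup applies to hidden files: stat the expected path rather than trusting the output of ls.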

There are many rootkits for Linux and the different Unix variants; Adore-ng is just one, but it is easy to find and comes with source code, which makes it a good case study.

As specified in the Windows portion of this chapter, the goal of the rootkit is not to provide remote administration features, but rather to provide a stealthy way to keep files and processes running. The hidden applications could be a remote administration toolkit, a monitoring system, or an information-gathering application. So the hiding technology is just one part of a bigger toolkit that allows hackers to use a remote system.

If you are interested in rootkits, the web site www.rootkit.com is a great source of information on new evasion and exploitation techniques.