Linux Kernel 2.6.x /proc Rootkit Backdoor (Unix/Darbe-A)




Date:
=====
2012-11-21

Introduction:
=============
Unix/Darbe-A is a new kernel rootkit based on the /proc file system; it has been modified to support kernel 2.6.x.

Detected
========

Analysis
=========

analiz@server:/tmp$ uname -a
Linux server 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:32:50 UTC 2012 i686 i686 i386 GNU/Linux

analiz@server:/tmp$ lsmod
Module Size Used by
security 13046 0 <--- Linux Kernel Module ??? What is the task?
vsock 47098 0
rfcomm 37291 4
bnep 17711 2

analiz@server:/tmp$ ./kontrol

Sistem yetki unitesi

Kullanim: ./kontrol <sifre>

What is the meaning of the word "sifre"? It is not an English word. "sifre" comes from Turkish; in English it means "password".

analiz@server:/tmp$ gdb ./kontrol
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04

(gdb) r sifre <- run
Starting program: /tmp/kontrol sifre
Bir Bulutla KI$ Gelmez! <-- Turkish sentence
[Inferior 1 (process 3314) exited with code 01] <-----------Anti debug ???

analiz@server:/tmp$ ./kontrol password

Sifre yanlis! <--? Wrong Password.

analiz@server:/tmp$ objdump -s ./kontrol | grep sifre
80c5b30 3c736966 72653e20 0a0a2000 66616272 <sifre> .. .fabr <--??* fabr??

analiz@server:/tmp$ objdump --start-address=0x80c5b30 --stop-address=0x80c5b50 -s ./kontrol

./kontrol: file format elf32-i386

Contents of section .rodata:
80c5b30 3c736966 72653e20 0a0a2000 66616272 <sifre> .. .fabr <---- fabrika ??
80c5b40 696b6100 0a536966 72652079 616e6c69 ika..Sifre yanli

analiz@server:/tmp$ ./kontrol fabrika <--- pass is fabrika
# id <--- ?? upss.. #root#
uid=0(root) gid=0(root) groups=0(root)

The Linux kernel module (security.ko) has been loaded into the system, and the control program (./kontrol fabrika) escalates a normal user to root.
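The analysis above recovers the backdoor password by reading the .rodata bytes that follow the "<sifre>" usage banner in the objdump -s output. The following Python example, added here and not part of the original post, does the same reconstruction programmatically: it parses the objdump -s hexdump format, reassembles the bytes, splits them into NUL-terminated C strings with their addresses, and returns the literal stored right after the banner. The sample dump is the two .rodata lines shown above; the function names are my own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the `objdump -s` output from the analysis above.
OBJDUMP_SAMPLE = """\
./kontrol:     file format elf32-i386

Contents of section .rodata:
 80c5b30 3c736966 72653e20 0a0a2000 66616272  <sifre> .. .fabr
 80c5b40 696b6100 0a536966 72652079 616e6c69  ika..Sifre yanli
"""

# One objdump -s hexdump line: address, then up to four hex words, then the ASCII column.
_LINE = re.compile(r"^\s*([0-9a-fA-F]+)\s+((?:[0-9a-fA-F]{2,8}\s){1,4})")


def parse_objdump_dump(text: str) -> Tuple[int, bytes]:
    """Reassemble (start_address, raw_bytes) from objdump -s output."""
    start = None
    buf = bytearray()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header and blank lines carry no data
        addr = int(m.group(1), 16)
        if start is None:
            start = addr
        for word in m.group(2).split():
            buf += bytes.fromhex(word)
    if start is None:
        raise ValueError("no hexdump lines found")
    return start, bytes(buf)


def extract_strings(start: int, data: bytes) -> List[Tuple[int, str]]:
    """Split the bytes into NUL-terminated C strings, keeping each string's address."""
    out = []
    pos = 0
    for chunk in data.split(b"\x00"):
        if chunk:
            out.append((start + pos, chunk.decode("latin-1")))
        pos += len(chunk) + 1  # skip the chunk and its NUL terminator
    return out


def literal_after(text: str, marker: str) -> Optional[str]:
    """Return the C string stored immediately after the one containing `marker`."""
    strings = extract_strings(*parse_objdump_dump(text))
    for i, (_, s) in enumerate(strings):
        if marker in s and i + 1 < len(strings):
            return strings[i + 1][1]
    return None
```

Run against a full `objdump -s -j .rodata` dump, the same functions list every string with its address, which is the quick way to check whether a suspicious control binary carries a hard-coded credential next to its usage text.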
