#33 Jynx undetected

Group: main
Status: closed-fixed
Owner: nobody
Labels: Rkhunter (37)
Priority: 5
Updated: 2014-04-18
Created: 2012-07-27
Creator: tpv5f9
Private: No

The most recent stable version of rkhunter failed to detect Jynx on my machine. The rootkit was not installed in one of the typical locations "/xochikit" or "/omgxochi", but resided in "/var/local/^^" instead. Reading "/var/local" with "ls" was prevented by the rootkit (resulted in an error). Also, "/etc/ld.so.preload" was made invisible by the rootkit. I was able to detect the rootkit by running "ldd" against any executable, which listed the library "ld_poison.so" as a prerequisite. "lsof | grep ld_poison" showed that the library was loaded by many processes. Furthermore, launching 32-bit executables showed an error that "ld_poison.so" could not be loaded, because the OS was 64-bit and the library, obviously, too. 32-bit executables ran fine regardless. I suggest that the detection mechanism of rkhunter be extended by the methods which allowed me to detect the presence of the rootkit. I am sorry, I cannot provide logs, because the OS has been wiped. If you have any questions, I will do my best to answer them, though.

Discussion

  • John Horne
    2012-08-09

    Can I ask how ' "/etc/ld.so.preload" was made invisible'?

    I suspect that if the SCANROOTKITMODE was set to thorough, then the rootkit would have been detected. However, use of that option is not recommended.

    Perhaps extend the shared_libs check to run ldd against a common binary and check the output against a list of known bad libraries? And/or run lsof and again check against the list. Perhaps use a '.dat' file??
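Added example, not rkhunter's own code and not either poster's: the checks the report and the reply above describe (ldd against a common binary, lsof, and a direct look at /etc/ld.so.preload) written as a small POSIX sh script. It assumes ldd and lsof are on the PATH; the known-bad list holds only ld_poison.so from this ticket, and the sample ldd output is constructed.

```shell
#!/bin/sh
# Added example (not rkhunter's code): the checks proposed in this ticket, as
# a POSIX sh script. Only "ld_poison.so" is from the ticket; extend BAD_LIBS
# from a signature file of your own.

# Space-separated known-bad preload library names (constructed list).
BAD_LIBS='ld_poison.so'

# scan_lines: read text on stdin, print every line naming a known-bad library,
# return 1 if anything matched and 0 if clean. Works on ldd or lsof output.
scan_lines() {
    found=0
    while IFS= read -r line; do
        for bad in $BAD_LIBS; do
            case "$line" in
                *"$bad"*) printf 'SUSPICIOUS: %s\n' "$line"; found=1 ;;
            esac
        done
    done
    return "$found"
}

# check_ldd: ldd against a common binary (default /bin/ls), as proposed above.
check_ldd() { ldd "${1:-/bin/ls}" 2>/dev/null | scan_lines; }

# check_lsof: every open file of every process, as the reporter did by hand.
check_lsof() { lsof 2>/dev/null | scan_lines; }

# check_preload: the rootkit hid /etc/ld.so.preload from directory listings,
# so do not trust ls; open the file by name and report any content.
check_preload() {
    [ -s /etc/ld.so.preload ] || return 0
    printf 'WARNING: /etc/ld.so.preload is non-empty:\n'
    cat /etc/ld.so.preload
    return 1
}

# Constructed ldd output resembling the infected host described in the ticket.
SAMPLE_LDD='linux-vdso.so.1 (0x00007ffd1)
ld_poison.so => /var/local/^^/ld_poison.so (0x00007f1a)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b)'

# demo_scan: scan_lines over the constructed sample (returns 1 = flagged).
demo_scan() { printf '%s\n' "$SAMPLE_LDD" | scan_lines; }

# run_all: run the live checks; returns non-zero if anything was flagged.
run_all() {
    rc=0; check_ldd || rc=1; check_lsof || rc=1; check_preload || rc=1; return "$rc"
}
case "${1:-}" in --run) run_all ;; --demo) demo_scan ;; esac
```

Run with `--demo` to see the constructed sample flagged, or `--run` (as root, so lsof sees every process) to check the live host.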

  • tpv5f9
    2012-08-13

    The rootkit (in particular ld_poison) overwrites functions necessary for directory listings, e.g., stat(). I assume it made /etc/ld.so.preload invisible simply by omitting it from the result of certain functions.

    Your suggested methods of detecting the particular rootkit on my system sound like they would work. I am not sure, though, what you mean by '.dat' file.

    Thanks for looking into this and your effort in general!

  • unSpawn
    2014-04-18

    Fixed with rkhunter-1.4.2 ClamAV sig RKH_jynx.ldb.

  • unSpawn
    2014-04-18

    • status: open --> closed-fixed
    • Group: --> main