From: Creed 
Sent: Sunday, April 02, 2000 12:46 AM
To: Clemens, Jonathan P
Subject: RE: Knark

On Sat, 1 Apr 2000, Clemens, Jonathan P wrote:

> Creed,
> 
> Thanks for your willingness to let me pick your brain. Again, I want to be
> completely up front about this, in that I will be putting your answers
> together for public posting. If you'd rather a specific answer not be
> posted, I'll honor that, but I also will completely understand if you tell
> me that it's none of my business.
Hehe, ok :-)

> 1. When/where/how did you come up with the idea for Knark?  Was it based on
> a post/article that someone else wrote, or did you come up with the idea
> yourself?  When did you actually start coding?
> 2. Why the name, "knark"?  Looking it up online, it seems to mean "drugged"
> or "drugs"--but since I don't speak Swedish, the fine details of the
> meaning are lost on me.
The first idea came from heroin.c by Runar Jensen. It's a quite simple
kernel-trojan, which makes it possible to hide processes in Linux 2.1
systems. By this time however (late 1997) I didn't know any C at all, I
was just very impressed. Later (early 1998) I read an article in Phrack 52
about "trojanizing" the Linux 2.0 kernel. The included code didn't work 
at all for me, but it gave me some ideas. As I learned more C I started
making small pieces of kernel-code, and after a while, I started adding
features to heroin.c. But as heroin.c grew bigger, and most of the
original code was replaced by my own, I decided to change the name to
knark, which means "drugs" in Swedish. So "knark" is because of the
original name, "heroin".


> 3. If you keep such detailed records, what were the dates and revision
> numbers for...
> The first functional version?
This was v0.41. I'm not sure which date, but I think it was in June 1999.
> The first released version?
v0.41
> What date were 0.50 and 0.59, the ones that are on Packetstorm, released?
I don't remember.
> Is there a more current version than 0.59?  If so, when and where was it
> released?
v0.59 is the most current version.


> 4. What are your future development plans for Knark?  How fast is
> development coming?  Which features are you going to add in the near future?
> Is there a knark-announce mailing list anywhere? (Actually, if you wanted
> one, I have a majordomo server out on the web you could use...)
I have no plans actually. And I haven't done anything with knark since
v0.59, but this doesn't mean that development has stopped. If I come up
with a good idea, then I'll just add it (if I can). One thing that has to
be taken care of however is compile problems on some systems.


> 5. How has the computer underground responded to Knark?  Do you get a lot of
> fan mail? How about the computer security community?  Has anyone else from
> the computer security community contacted you before me?
I get fan mail, yes :-). And people contact me on IRC telling me I'm
doing a great job. I also get mail from people coding their own kernel-trojans.


> 6. I don't want to invade your privacy, but what would you like people to
> know about you as a person.  Are you, in fact, from Sweden?  What would you
> like the computer security community to know about you as a person--age,
> job, gender, nationality, anything?
I'm an 18-year-old male living in Sweden. I'm 100% Swedish. I'm still in
school, and I have no job. I got my first computer when I was 14 years
old, installed Linux and started learning C when I was 15, made my first
functional buffer overflow exploit for Linux when I was 16, and I just
kept going and read everything I could find about computer
security/insecurity. And here I am now.


> 7. What other tools or hacks have you coded?  Have you written any technical
> or political articles that you'd like me to mention? Are there any websites
> for any of these tools or posts?
I've made a few other programs and exploits. Most of these programs can be
found on http://www.sekure.net/~happy-h (I hope you understand Swedish :-)),
but don't expect to find anything interesting there. Most of the programs
are old, and the code is ugly. Happy-H, the author of that page, is a good
friend of mine. He was with me from the beginning, answering my questions
and helping me out. He isn't very active in the computer security scene
anymore, but without him I'd probably be a so called "script kiddie" :-).


> 8. Apparently, there's someone working on a Solaris-based project similar to
> Knark.  Are they basing their efforts on your work, or is it an independent
> effort?
I have no contact with the authors, so I haven't got a clue.


> 9. If you know, how widespread is the use of Knark by the computer
> underground? Have any users passed on stories to you of having success in
> using Knark to avoid detection by system administrators?
It seems to be quite widespread considering the amount of mail I get about
knark. And I've heard stories from people using knark "in the field". This
isn't something I encourage, however.


> 10. What advice would you give to system administrators to avoid getting
> Knark used against them?
The ability to load kernel modules is a security risk. Disabling this
doesn't solve the problem however, since things can be done directly
through /dev/mem. Don't let them get root access. That's a good solution.
Using non-executable stack isn't a solution, but it will stop most of the
script-kiddie attacks for sure.


> 11. What other hacks, programs, or loadable kernel modules (aside from
> modhide, of course) do you think will be especially effective in combination
> with Knark?  Which exploits do you think will be used in combination with
> Knark?
I prefer not to answer that question.


> 12. Which distribution(s) of Linux do you use and recommend?  Which one do
> you think is the most secure?  Least secure?
I've always used Slackware, but I've used RedHat and Debian too. For the
moment I'm using Slackware 3.6.0 (old stuff) with kernel 2.2.13, but this
is just because I'm too damn lazy to upgrade it. I don't want to say that
"this distribution is more safe than that". I use Slackware because it
suits my needs, nothing else.


> 13. Who has helped out with Knark? Is there any partner, mentor, or friend
> whom you'd like to share some of the credit with?
Knark is pretty much my own work, except for some small pieces of ancient
heroin.c code, by Runar Jensen (as mentioned before).


> 14. What other references to Knark on the Internet should I look at?
I don't really think there are any. At least, I haven't seen anything.


> I'm going to be putting together a list of ways to detect Knark when it's
> present on systems--nothing personal, of course, but it is part of my job to
> try and make sure things like Knark can be detected by system administrators
> who take the time to look for them.  I expect that you'll be collecting code
> and ideas from those who use Knark, who have an interest in making sure that
> it remains hidden.  I'm interested in a free flow of information, and would
> like to hear your feelings on that.  I think it will benefit both the Knark
> community, and the security professionals community--of course, the poor
> fools who haven't even got a clue what a rootkit is will never know the
> difference.
I've attached a program called knarkfinder.c. It doesn't really detect
knark, but it compares the process directories in /proc with the process
information in the kernel, by reading /dev/kmem. It will only tell you if there
are hidden processes, so it isn't a good approach. I actually made a patch
to knark to avoid detection, by patching read calls on /dev/kmem. One
problem is that, when a "detection"-program becomes publicly available,
it's usually possible to somehow modify the module to avoid that type of
detection. Therefore you should find an odd detection method, and then
keep the program to yourself.


> Again, my compliments on a very fascinating and intriguing tool.  It's such
> an elegant concept; I suspect you're the envy of a lot of wannabe's who wish
> they had the initiative and skill to code such a program.  I've just been
> looking at the actual code for a couple of days, but may have more specific
> questions on it as I get into "Knark"-ing my own systems.
Thank you. I'll answer your questions if I can.
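The cross-check Creed describes for knarkfinder.c (the process directories readdir() lists under /proc versus the kernel's own idea of which processes exist) can be reproduced without touching /dev/kmem. The program below is an added example and is not knarkfinder.c or any other code from Creed or the Knark project. It swaps in a different source for the second view: instead of reading the task list out of /dev/kmem, it asks the kernel about every PID directly with kill(pid, 0), which answers ESRCH only for PIDs that do not exist. It assumes a Linux system with /proc mounted; the file name hidden_pids.c and all function names are the example's own.

```c
/* hidden_pids.c: find processes hidden from /proc readdir by comparing two
 * views of the process table (illustrative example, not knarkfinder.c).
 *   View 1: PIDs returned by readdir() on /proc (what ps(1) sees).
 *   View 2: PIDs the kernel acknowledges when addressed directly with
 *           kill(pid, 0): ESRCH means absent, success or EPERM means present.
 * Assumes Linux with /proc mounted. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Upper bound on PIDs from /proc/sys/kernel/pid_max (32768 if unreadable). */
long read_pid_max(void)
{
    long v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f && (fscanf(f, "%ld", &v) != 1 || v <= 0)) v = 32768;
    if (f) fclose(f);
    return v;
}

/* Extract the Tgid: value from a /proc/<pid>/status buffer, -1 if absent. */
long parse_tgid(const char *status)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "Tgid:", 5) == 0) return strtol(p + 5, NULL, 10);
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Thread-group id of pid, or -1 if /proc/<pid>/status cannot be read. */
long tgid_of(pid_t pid)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tgid(buf);
}

/* Does the kernel acknowledge pid when addressed directly? */
int pid_exists(pid_t pid)
{
    if (kill(pid, 0) == 0) return 1;
    return errno != ESRCH;           /* EPERM: exists, just not ours */
}

/* Mark seen[pid] for every numeric entry readdir() lists under /proc.
 * Returns entries counted, or -1 if /proc is not readable. */
long scan_proc(unsigned char *seen, long pid_max)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    long count = 0;
    if (!d) return -1;
    memset(seen, 0, (size_t)pid_max);
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (e->d_name[0] == '\0' || *end != '\0') continue;  /* not a PID */
        if (pid > 0 && pid < pid_max) { seen[pid] = 1; count++; }
    }
    closedir(d);
    return count;
}

/* Store up to cap PIDs that answer kill(pid,0) but are missing from /proc
 * readdir. limit<=0 means scan 1..pid_max. Returns the number of hidden
 * PIDs found (may exceed cap), or -1 if /proc is unavailable. */
int find_hidden_pids(pid_t *out, int cap, long limit)
{
    long pid_max = limit > 0 ? limit : read_pid_max();
    unsigned char *seen = malloc((size_t)pid_max);
    int found = 0;
    if (!seen) return -1;
    if (scan_proc(seen, pid_max) < 0) { free(seen); return -1; }
    for (long pid = 1; pid < pid_max; pid++) {
        if (seen[pid] || !pid_exists((pid_t)pid)) continue;
        long tgid = tgid_of((pid_t)pid);
        /* Thread IDs answer kill() but are never listed by readdir: expected. */
        if (tgid != -1 && tgid != pid) continue;
        /* The process may have exited or been born between our two looks;
         * re-probe and re-scan once so a race is not reported as hiding. */
        if (!pid_exists((pid_t)pid)) continue;
        if (scan_proc(seen, pid_max) < 0) break;
        if (seen[pid]) continue;
        if (found < cap) out[found] = (pid_t)pid;
        found++;
    }
    free(seen);
    return found;
}

int main(void)
{
    pid_t hidden[64];
    int n = find_hidden_pids(hidden, 64, 0);
    if (n < 0) { perror("/proc"); return 2; }
    for (int i = 0; i < n && i < 64; i++)
        printf("pid %ld is alive but not listed in /proc\n", (long)hidden[i]);
    printf("%d hidden process(es)\n", n);
    return n ? 1 : 0;
}
```

Two things a practitioner should keep in mind when reading the output. First, the false positives: thread IDs answer kill() but are deliberately absent from /proc readdir (handled above through the Tgid field), a process that starts or exits between the two looks is a race rather than a hidden process (handled by re-probing once), and a /proc mounted with hidepid=2 makes other users' processes answer EPERM while hiding their directories, which looks exactly like a rootkit to this check when run unprivileged. Second, the point Creed makes applies here just as it did to his /dev/kmem patch: both views come from system calls (getdents on /proc and kill), and a module that already hooks one of them can hook the other, so a published checker of this shape is only as trustworthy as the code paths it happens to use and which the attacker has not yet thought to cover.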