[Title not recoverable from the extraction; surviving words: Tripwire, Rootkit. The paper concerns detecting unknown rootkits with Tripwire.]

[Authors and affiliation not recoverable from the extraction.] E-mail: [email protected]

Abstract

[Abstract text not recoverable from the extraction; surviving terms: User Mode, Kernel Mode, Linux, Windows, User Mode Rootkit, Tripwire, Rootkit.]

1. [Heading not recoverable]

[Section text not recoverable; surviving terms: Rootkit, Tripwire, Linux.]

2. [Heading not recoverable]

2.1 Rootkit

[Section text not recoverable; surviving terms and citations: Rootkit [6], Server Process, Tripwire [11],[13], code, Linux, User, root, User mode Rootkit [1],[7], Kernel mode Rootkit [5], Kernel, LKM.]

2.2 [Heading not recoverable]

[Section text not recoverable; it concerns hash values of files and the similarity measure of Oh and Kim [8] (2004), given as Eq. (1).]

$$\mathrm{Sim}(S_i, S_j) = \frac{2\,|E_i \cap E_j|}{|E_i| + |E_j|} \qquad (1)$$

Here $E_i$ is the set of pairs of items of the sequence $S_i$ (in the example below, every pair of items taken in order of appearance). For example, with $S_1 = \{A, B, C, D\}$ and $S_2 = \{A, C, D, E\}$: $E_1 = \{AB, AC, AD, BC, BD, CD\}$, $|E_1| = 6$; $E_2 = \{AC, AD, AE, CD, CE, DE\}$, $|E_2| = 6$; $E_1 \cap E_2 = \{AC, AD, CD\}$, $|E_1 \cap E_2| = 3$; hence $\mathrm{Sim}(S_1, S_2) = 2 \cdot 3 / (6 + 6) = 1/2$.

2.3 [Heading not recoverable]

[Section text not recoverable; surviving terms and citations: Forrest [14], system call, backdoor, User mode, Kernel mode, User mode Rootkit, Kernel mode Rootkit. Eq. (2) survives only as its number.]

2.4 [Heading not recoverable]

[Section text not recoverable. Rootkit detection methods are classified, citing [12], into five approaches, each followed by numbered points:]

1. Cross view based detection
2. Hardware detection
3. Behavioral detection
4. Signature based detection
5. Integrity based detection

[Surviving terms in this section: File, Process, Registry key, Windows, CPU, DMA, Linux, Chkrootkit, Tripwire, Response, false positive, false negative.]

3. [Heading repeats the title; not recoverable beyond: Tripwire, Rootkit]

3.1 [Heading not recoverable]

[Section text not recoverable. It describes the detection mechanism of Figure 1 and Figure 2 (captions not recoverable), with Chkrootkit Detection and Tripwire Detection components, as a numbered procedure (1 to 10, with sub-steps 6.1 to 6.3). Surviving terms: Policy File, baseline database, Tripwire Integrity Check, Report File, Response, System Admin, Sim_Threshold (ST), rootkit database K_D, Metamorphic rootkit database M_D, Eq. (1), false positive.]

3.2 [Heading not recoverable]

[Section text not recoverable apart from the definition of the terms of Eq. (1). It applies hash values of system files and the Oh and Kim [8] similarity measure, as a numbered procedure (1 to 8). Surviving terms: Sim_Threshold ST, K_D, M_D, property, Outlier, policy, Tripwire, Figure 2.]

In Eq. (1), $S_i$ and $S_j$ are the unknown and the known rootkit signature respectively, $|E_i \cap E_j|$ is the number of item pairs the two signatures have in common, and $|E_i|$ and $|E_j|$ are the numbers of item pairs in the unknown and the known rootkit signature respectively.

Figure 4: Chkrootkit detection result for cb-rootkit.

4. [Heading not recoverable]

[Section text not recoverable. Surviving content: the experiments install the known rootkits ark, Balaur, Dica, Fuckit and t0rn and the unknown rootkits cb-rootkit, toolkit and bashdoor on a Linux system, and compare the proposed Tripwire-based mechanism with the detection tools Chkrootkit [1], Rkhunter [9] and rootcheck [10]; the rootkit names SHV5 and Showtee also appear in the discussion of the results.]

Figure 3: cb-rootkit installed on the system.
Figure 5: Rkhunter detection result for cb-rootkit.
Figure 6: Rootcheck detection result for cb-rootkit.
Figure 7: detection result of the proposed mechanism for cb-rootkit.

Table 1: detection results

Rootkit      Chkrootkit  Rkhunter  Rootcheck  [this paper]
ark          O           O         X          O
Balaur       b           O         b          O
Dica         b           O         b          O
Fuckit       b           O         X          O
t0rn         O           b         O          O
cb-rootkit   b           b         b          O
toolkit      X           O         X          O
bashdoor     X           X         X          O

[O, X and b are the marks used in the original; the legend text is not recoverable.]

5. [Heading not recoverable]

[Conclusion text not recoverable; it is organised as five numbered points. Surviving terms: Rootkit, User mode, Kernel mode, Linux, Tripwire.]

References

[1] B. Andreas, “ and Linux based Techniques and Countermeasures”, https://www.dfn-cert.de/team/bunten/rootkits_first 2004.pdf
[2] Chkrootkit, http://www.chkrootkit.org
[3] S. Jha and M. Hassan, “Building Agents for rule-based intrusion detection system,” Computer Communications, Vol. 25, No. 15, pp. 1366-1373, 2002.
[4] S. T. King and P. M. Chen, “Backtracking Intrusions,” ACM Transactions on Computer Systems (TOCS), Vol. 23, No. 1, pp. 51-76, 2005.
[5] C. Kruegel, W. Robertson and G. Vigna, “Detecting Kernel-Level Rootkits Through Binary Analysis,” Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC), 2004.
[6] W. E. Kuhnhauser, “Root kits: An operating systems viewpoint,” ACM SIGOPS Operating Systems Review, Vol. 38, No. 1, pp. 12-23, 2004.
[7] J. Levine, B. Culver and H. Owen, “A Methodology for Detecting New Binary Rootkit Exploits,” Proceedings IEEE SouthEastCon 2003, 2003.
[8] S. J. Oh and J. Y. Kim, “A Hierarchical Clustering Algorithm for Categorical Sequence Data,” Information Processing Letters, Vol. 91, No. 3, pp. 135-140, 2004.
[9] Rkhunter, http://www.rootkit.nl/.
[10] Rootcheck, http://www.ossec.net/en/rootcheck.html
[11] R. F. DeMara and A. J. Rocke, “Mitigation of network tampering using dynamic dispatch of mobile agents,” Computers & Security, Vol. 23, No. 1, pp. 31-42, 2004.
[12] Security Focus, http://www.securityfocus.com/infocus/1854
[13] Tripwire, http://www.tripwire.com.
[14] A. Somayaji and S. Forrest, “Automated Response Using System-Call Delays,” Proceedings of the 9th Usenix Security Symposium, pp. 185-197.