How real root kits run. (was: Re: Root Kit Protection)
My thoughts on the matter, for what they're worth... ("grain of salt",
If I were going to write a root-kit, I'd spend half an hour writing a
kernel module that would give up the real file on an open() or fopen(),
and run _my_ special program on execution.
It would, of course, hide my files in space that I claim is free, and
name itself to the kernel as something innocent-looking, like 'mtrr' or
It's true this proposed program (and tripwire) would show corrupted,
non-hidden root-kits, but there are plenty it wouldn't show. I think
this might give a false sense of security to those who should have a
healthy bit of paranoia -- especially those that think they need this
program. That's the only downside to developing this program, IMO.
The real solution is a redesign of hardware that we usually use, but
that's offtopic here.
Ken Thompson's Turing Award speech gives some hints as to what's
possible: URL: http://www.acm.org/classics/sep95/
( Is your system running your kernel? Why do you think so? Because
you asked the kernel the uname and the uptime? Because you asked it
to open a file for you, so you could checksum it?