
Re: How real root kits run. (was: Re: Root Kit Protection)



Hi

> If I were going to write a root-kit, I'd spend half an hour writing a
> kernel module that would give up the real file on an open() or fopen(),
> and run _my_ special program on execution.  
See my other posting on how to deal with this. I wrote an ext2chksum program
that does not use the kernel's VFS. It opens the device directly. But this
will only raise the bar. A potential cracker could tamper with ext2chksum. Or
he could just check if we exec("ext2chksum") and start a nice little fake
program that behaves like ext2chksum but never rings the alarm bell.

 
> It would, of course, hide my files in space that I claim is free, and
> name itself to the kernel as something innocent-looking, like 'mtrr' or
> 'apm'.
You do not need to name it as something innocent. Just delete it from the kernel's
module list (this is trivial) and it will be invisible.
 
> - chad
Michael 

-- 
GPG Fingerprint = EA71 B296 4597 4D8B 343E  821E 9624 83E1 5662 C734
 /"\                                     o
 \ /     ASCII RIBBON CAMPAIGN          /|\
  X        AGAINST HTML MAIL             >>
 / \                                     o
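Michael's point is that a checker which opens the block device itself and walks the ext2 on-disk structures never asks the kernel's VFS for the file, so a module that swaps the file on open() has nothing to intercept. The script below is an added example written for this archive page, not Michael's ext2chksum; it assumes an ext2 rev 1 layout, a file that fits in the 12 direct blocks plus one single-indirect block, and a file size below 4 GB.

```python
"""Read a file's data straight from an ext2 block device, bypassing the VFS,
and compare its hash with the hash obtained through open(). Added example."""
import hashlib
import os
import struct


def read_ext2_file(dev, ino):
    """dev: binary file object on the device (or an image); ino: inode number."""
    dev.seek(1024)                                       # superblock sits at byte 1024
    sb = dev.read(1024)
    if struct.unpack_from("<H", sb, 56)[0] != 0xEF53:    # s_magic
        raise ValueError("not an ext2 superblock")
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    inodes_per_group = struct.unpack_from("<I", sb, 40)[0]
    rev_level = struct.unpack_from("<I", sb, 76)[0]
    inode_size = struct.unpack_from("<H", sb, 88)[0] if rev_level >= 1 else 128
    bsize = 1024 << log_block_size

    # Group descriptor table is in the block after the superblock; 32 bytes each.
    group, index = divmod(ino - 1, inodes_per_group)
    dev.seek((first_data_block + 1) * bsize + group * 32)
    inode_table = struct.unpack_from("<I", dev.read(32), 8)[0]   # bg_inode_table

    dev.seek(inode_table * bsize + index * inode_size)
    inode = dev.read(inode_size)
    size = struct.unpack_from("<I", inode, 4)[0]                 # i_size (low 32 bits)
    blocks = list(struct.unpack_from("<15I", inode, 40))         # i_block[0..14]

    def block(n):
        dev.seek(n * bsize)
        return dev.read(bsize)

    data_blocks = blocks[:12]
    if blocks[12]:                                       # single-indirect block
        data_blocks += struct.unpack("<%dI" % (bsize // 4), block(blocks[12]))
    needed = (size + bsize - 1) // bsize
    if needed > len(data_blocks):
        raise ValueError("file uses double-indirect blocks; not handled here")
    # A zero block number inside the file is a hole and reads back as zeros.
    data = b"".join(block(b) if b else bytes(bsize) for b in data_blocks[:needed])
    return data[:size]


def vfs_vs_raw(path, dev_path):
    """Hash the file via the normal open() path and via the raw device."""
    with open(path, "rb") as f:
        via_vfs = hashlib.sha256(f.read()).hexdigest()
    with open(dev_path, "rb") as dev:
        via_raw = hashlib.sha256(read_ext2_file(dev, os.stat(path).st_ino)).hexdigest()
    return via_vfs, via_raw
```

A mismatch between the two hashes means the VFS is returning something other than what is on disk; as Michael notes, a kernel module can just as well tamper with the device reads or with the checker itself, so this only raises the bar. Data written moments ago may still sit unflushed in the page cache, so run the check on a quiescent filesystem.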
