
About Unhide.rb



Hi Julien (not Julian, sorry for the mistake in my latest mail),

Thank you, I think the new description is better.

One more thing: as you can see here,
http://www.unhide-forensics.info/?Linux, we implement six techniques.

Please don't hesitate to leave a message if you've got some problems
with Unhide (I have added myself to this mailing list anyway).

Cheers

2011/10/24 Julien Valroff <julien at debian.org>:
> Hi Yago,
>
> On Sunday 23 Oct 2011 at 19:59:00 (+0200 CEST), Yago Jesus wrote:
>> Hi Julian (and all Debian Forensics team)
>>
>> First, I want to thank you for your quick response.
>>
>> I like the new description but, I have a doubt.
>>
>> Why 10 times faster? Who made this test? Is it always 10x faster? Is it
>> in both 32- and 64-bit environments?
>>
>> I agree Unhide.rb is faster (due to the less deep tests) but I don't
>> know exactly how much.
>
> You are right, I haven't tested it myself.
> Then, what about just stating "much" faster?
>
>> Moreover, if you want to highlight this feature I think it is also fair
>> to highlight the question about static binaries vs. the non-static Ruby
>> binary.
>>
>> From a security point of view, I think the fact that Unhide should be
>> compiled and shipped in static mode makes Unhide immune to the most
>> popular rootkits (based on LD_PRELOAD). On the other hand, Unhide.rb,
>> due to its Ruby dependency, could be compromised. So, yes, Unhide is
>> more secure than Unhide.rb.
>
> Here is a new proposal:
>
>  Unhide.rb is a forensic tool to find processes hidden by rootkits.
>  .
>  It looks for active processes in many different ways. Processes found by
>  some means but not others are considered to be "hidden", and are reported
>  to the user.
>  .
>  Unhide.rb is a tentative rewrite in Ruby of the original Unhide, which
>  is written in C. While being much faster, it does not implement all the
>  diagnostics of the original version. It is also less secure as it cannot
>  be statically compiled.
>  .
>  This package can be used by rkhunter in its daily scans.
>
> FYI, here is the current description of the unhide package:
>
>  Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
>  rootkits, Linux kernel modules or by other techniques. It includes two
>  utilities: unhide and unhide-tcp.
>  .
>  unhide detects hidden processes using three techniques:
>  * comparing the output of /proc and /bin/ps
>  * comparing the information gathered from /bin/ps with the one gathered from
>    system calls (syscall scanning)
>  * full scan of the process ID space (PIDs bruteforcing)
>  .
>  unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
>  /bin/netstat through brute forcing of all TCP/UDP ports available.
>  .
>  This package can be used by rkhunter in its daily scans.
>
>> I understand your perspective about reporting. Unhide.rb is more
>> compact, but I think the fact of finding the exact hidden command (and
>> in some scenarios, the path where the rogue binary lives) is more
>> important. But it is subjective.
>
> I consider both tools as complementary and not as competitors, depending on
> the use case.
>
> Cheers,
> Julien
>
> --
>  .''`.   Julien Valroff ~ <julien at kirya.net> ~ <julien at debian.org>
> : :' :   Debian Developer & Free software contributor
> `. `'`   http://www.kirya.net/
>   `-     4096R/ E1D8 5796 8214 4687 E416  948C 859F EF67 258E 26B1
>
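As an added illustration of the three process-discovery techniques named in the quoted unhide package description (not code from Unhide, Unhide.rb, or anyone in this thread), here is a small Ruby script that gathers PIDs from /proc, from ps, and from a kill(0) sweep of the PID space, then cross-checks the three views the way the description says unhide does: a PID seen by one technique but missed by another is reported as hidden. The re-probe step, the fallback pid_max value and the `--scan` flag are my own assumptions, not Unhide's behaviour.

```ruby
require "open3"

# Constructed example (added here; not the Unhide or Unhide.rb source).
# Three independent views of the running processes, then a cross-check.

# Technique 1: numeric entries in /proc. A rootkit hooking readdir()/getdents()
# can filter these out, so this view alone is not trustworthy.
def pids_from_proc(proc_dir = "/proc")
  Dir.children(proc_dir).grep(/\A\d+\z/).map(&:to_i)
end

# Technique 2: what ps reports. ps is dynamically linked and reads /proc, so an
# LD_PRELOAD rootkit can hide from it while a static binary is unaffected.
def pids_from_ps
  out, status = Open3.capture2("ps", "-eo", "pid=")
  raise "ps failed" unless status.success?
  out.split.map(&:to_i)
end

# Technique 3: PID-space brute force. kill(pid, 0) sends no signal: ESRCH means
# no such process, EPERM means it exists but belongs to another user.
def pid_exists?(pid)
  Process.kill(0, pid)
  true
rescue Errno::ESRCH
  false
rescue Errno::EPERM
  true
end

def pids_from_syscalls(max_pid)
  (1..max_pid).select { |pid| pid_exists?(pid) }
end

# Upper bound of the PID space; the fallback is an assumed default, not a fact
# read from this system.
def max_pid(path = "/proc/sys/kernel/pid_max")
  File.read(path).to_i
rescue Errno::ENOENT
  32_768
end

# Pure cross-check: { pid => [techniques that did NOT see it] } for every PID
# that at least one technique saw but another missed.
def hidden_pids(views)
  all = views.values.reduce([]) { |acc, pids| acc | pids }
  all.each_with_object({}) do |pid, report|
    missing = views.reject { |_, pids| pids.include?(pid) }.keys
    report[pid] = missing unless missing.empty?
  end
end

# Processes that exit between the three passes look hidden but are not; keep
# only candidates that still exist after a few re-probes (assumed heuristic).
def confirm(report, rounds: 3)
  report.select { |pid, _| rounds.times.all? { sleep 0.01; pid_exists?(pid) } }
end

def scan
  views = {
    proc: pids_from_proc,
    ps: pids_from_ps,
    syscalls: pids_from_syscalls(max_pid),
  }
  confirm(hidden_pids(views))
end

if __FILE__ == $0 && ARGV.first == "--scan"
  result = scan
  if result.empty?
    puts "no hidden processes found"
  else
    result.each { |pid, missing| puts "PID #{pid} not visible to: #{missing.join(', ')}" }
  end
end
```

Run it as `ruby crosscheck.rb --scan` (as root, so EPERM does not mask anything). The point the thread makes about static linking applies here too: this script depends on the Ruby interpreter and its shared libraries, so a preload rootkit that hooks libc can lie to all three views at once, which is exactly the weakness a statically compiled C unhide avoids.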