
Re: I've been hacked by DevilSoul

On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> i doubt that a kernel module can override the linux kernel filesystem
> abstraction layer. but i guess it could be possible.

Oh, it certainly can!  knark is a perfect example of a kernel module to
do just this.  (knark is Swedish for "drugged".)  It allows files,
processes, network connections, and network interface promiscuity to be
*completely* hidden.  It allows the cracker to override what actual
binary file gets run when a user tries to run some other (possibly
hidden) executable.

It works amazingly well, and it is scary.  It's been around for quite a
while now (couple of years, I guess), but hasn't shown up in rootkits
much yet.


| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
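
Added example, not part of the original message or of any tool named in it: a cross-view check for the process hiding described above, comparing the PIDs that a /proc listing returns with the PIDs that answer a signal-0 probe. The function names are chosen here for illustration, and the check assumes a Linux /proc.

```python
import os

def listed_pids(proc="/proc"):
    """View 1: the PIDs that a directory listing of /proc returns."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def pid_exists(pid):
    """View 2: probe the process table with signal 0 (nothing is delivered)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # the process exists but belongs to another user
    return True

def is_thread(pid, proc="/proc"):
    """Thread IDs can answer the probe, yet /proc lists only group leaders."""
    try:
        with open(f"{proc}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except (OSError, ValueError):
        pass
    return False  # unreadable status: keep the PID as a candidate

def unlisted_pids(listing, exists, thread, max_pid):
    """Return PIDs that answer probes but are missing from the listing."""
    before = listing()
    candidates = [pid for pid in range(1, max_pid + 1)
                  if pid not in before and exists(pid) and not thread(pid)]
    # Second pass drops processes that merely started or exited mid-scan.
    after = listing()
    return [pid for pid in candidates if pid not in after and exists(pid)]

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as f:
        limit = int(f.read())
    for pid in unlisted_pids(listed_pids, pid_exists, is_thread, limit - 1):
        print(f"PID {pid} answers kill(pid, 0) but is not listed in /proc")
```

Both views are served by the running kernel, so a module that filters the probe as well as the listing produces a clean result; an empty report is not evidence of a clean host.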
