
Bug#498024: RFP: dr-rootkit -- IA32 Debug Register based rootkit



Package: wnpp
Severity: wishlist

Package name    : dr-rootkit
Version         : 0.1 (according to README)
Upstream Author : Bas Alberts <bas.alberts@immunityinc.com>, Daniel Palacio
URL             : http://www.immunityinc.com/resources-freesoftware.shtml
License         : GPL2 (with Linus T. remark like the kernel)
Programming Lang: C
Description     : IA32 Debug Register based rootkit
Architecture    : i386 (i686)

Will Debian be the first Linux distro shipping their own rootkit?

DR features a reference implementation of an IA32 debug register based
rootkit hooking engine. It does not modify IDT or syscall_table at all
but still provides transparent syscall hooking on IA32 Linux 2.6.

How to detect the rootkit? As easy as "dpkg -l dr-rootkit".
No need for chkrootkit, rkhunter, or unhide.


