Dailydave mailing list archives

Re: DR Linux 2.6 rootkit released


From: Jon Oberheide <jon () oberheide org>
Date: Fri, 05 Sep 2008 02:11:03 -0400

On Thu, 2008-09-04 at 20:14 -0400, Valdis.Kletnieks () vt edu wrote:
On Fri, 05 Sep 2008 01:45:33 +0430, Mohammad Hosein said:

I'm probably 2-3 days away from examining this myself, but if anyone out
there has ideas on how this whole debug register hooks and stuff would
react on "hardened" kinds of kernels (like the one Gentoo offers), let us

You'd probably need to examine each "hardened" kernel to see if their particular
mix of hardening features includes anything to stop this particular rootkit.
If the particular kernel doesn't address it, the rootkit won't care.  There are
too many different "hardened" kernels out there, with varying degrees of
hardening and sanity of security posture, across the entire spectrum of
"not really hardened" to "misguided cargo-cult hardening" to "truly bulletproof"
that making a generic judgment is pointless.

In general, "hardened" kernels are simply designed to "harden" the
system against initial exploitation rather than play the tricky game of
prevention/detection during/after loading of the rootkit.  If there are
wide-open avenues for loading via /dev/kmem (CONFIG_DEVKMEM=y), /dev/mem
(CONFIG_NONPROMISC_DEVMEM=n), or, in the case of DR, insmod
(CONFIG_MODULES=y), then your hardened kernel can only do so much.

Of course, that's not to say that kernel protection mechanisms don't
attempt to detect debug register usage [1], but as Joanna points out
[2], it ain't so simple.

Regards,
Jon Oberheide

[1] http://uninformed.org/index.cgi?v=6&a=1&p=18
[2] http://lists.immunitysec.com/pipermail/dailydave/2008-September/005329.html

-- 
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
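An added defender's check, not code from the thread or from any of its participants: this POSIX shell script reads a Kconfig-style .config file and reports which of the three loading avenues named above (insmod, /dev/kmem, /dev/mem) a kernel build leaves open. The sample config is constructed; CONFIG_STRICT_DEVMEM is checked alongside CONFIG_NONPROMISC_DEVMEM because the option was renamed to that in 2.6.27, and any symbol that is absent or "is not set" is treated as n.

```shell
#!/bin/sh
# Check a kernel .config for the rootkit-loading paths discussed in the
# thread. Point open_avenues at /boot/config-$(uname -r) on a real box;
# the config below is a constructed sample, not any real kernel build.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# Automatically generated make config: don't edit
CONFIG_MODULES=y
CONFIG_DEVKMEM=y
# CONFIG_NONPROMISC_DEVMEM is not set
EOF

# cfg_value FILE SYMBOL: prints the symbol's value (y/m/...), or n when
# the symbol is commented out as "is not set" or missing entirely.
cfg_value() {
    file=$1; sym=$2
    if grep -q "^# $sym is not set" "$file"; then
        echo n
        return
    fi
    val=$(sed -n "s/^$sym=\(.*\)$/\1/p" "$file" | head -n 1)
    [ -n "$val" ] && echo "$val" || echo n
}

# open_avenues FILE: one line per loading path the build still allows.
open_avenues() {
    file=$1
    # insmod: module support means a rootkit can simply be loaded as a .ko
    [ "$(cfg_value "$file" CONFIG_MODULES)" = y ] && echo "insmod (CONFIG_MODULES=y)"
    # /dev/kmem: direct writes into kernel virtual memory
    [ "$(cfg_value "$file" CONFIG_DEVKMEM)" = y ] && echo "/dev/kmem (CONFIG_DEVKMEM=y)"
    # /dev/mem: only restricted when NONPROMISC_DEVMEM (2.6.26) or its
    # later name STRICT_DEVMEM (2.6.27+) is enabled
    if [ "$(cfg_value "$file" CONFIG_NONPROMISC_DEVMEM)" != y ] &&
       [ "$(cfg_value "$file" CONFIG_STRICT_DEVMEM)" != y ]; then
        echo "/dev/mem (CONFIG_NONPROMISC_DEVMEM/CONFIG_STRICT_DEVMEM=n)"
    fi
    return 0
}

# Usage: the sample above reports all three avenues as open.
open_avenues "$SAMPLE_CONFIG"
```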
