Re: RootKits Under Linux

["John Geddes" <jgeddes1 () umbc edu>]

The majority of Linux rootkits check /dev/kmem for the address of the
interrupt descriptor table (IDT).  This is a table for all the system
calls and their corresponding function pointers.  Once you have this,
you can just overwrite the function pointer for any system call to
your own function.  So for example you can write you own function for
getdents with is used to get file listings and hide files.  Here are
some links with more information:

http://www.phrack.org/archives/59/p59-0x13
http://www.phrack.org/archives/63/p63-0x07_Games_With_Kernel_Memory_FreeBSD_Style.txt
http://reactor-core.org/linux-kernel-hacking.html

So what a lot of rootkit detectors do is just check the IDT for
inconsistencies.  You can also compare the output to getdents (or just
ls) to a lower level function call that gets the directory listing.
If there are any differences there's a pretty good chance some file is
being hidden.  Hopes this helps.

~John Geddes

On Feb 1, 2008 4:56 PM, Brandon Louder <Brandon.Louder () mckennan org> wrote:
> I can't answer your entire question but I can provide a good resource.
>
> http://www.packetstormsecurity.org/UNIX/penetration/rootkits/
>
> Packet Storm has A LOT of known rootkits listed there with descriptions
> and links to other sites.
>
> Another tool you might look into is Rootkit Hunter (rkhunter).
>
> Good Luck!
>
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Ahmed Zaki
> Sent: Thursday, January 31, 2008 1:41 PM
> To: focus-ids () securityfocus com
> Subject: RootKits Under Linux
>
> Hi all
>
>       I am currently doing a project on rootkits under linux os. I am
> specially interested in loadable kernel module rootkits. I wanted to
> know
> where does research stand now in terms of detecting such rootkits. It
> would
> be very helpful if you would be able to point me to resources where I
> gain
> information on the diverse  variations of these rootkits and current
> available methods of detecting them. Also if there are mechanisms that
> can
> be used to totally avoid detection that would be used by rootkits.
>
>
>
> Regards
>
> Zeeq
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
> n=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
>
>
> -----------------------------------------
> Confidentiality Notice: This e-mail message, including any
> attachments, is for the sole use of the intended recipient(s) and
> may contain confidential and privileged information. Any
> unauthorized review, use, disclosure, or distribution is
> prohibited. If you are not the intended recipient, please contact
> the sender by reply e-mail and destroy all copies of the original
> message.
>
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------