Re: RootKits Under Linux

["Nathan Sportsman" <nsportsman () gmail com>]

I believe hooking functions has become difficult in the 2.6 kernel,
because of the new syscall_table_description restrictions (its
hidden). I've heard of a few dirty methods to get around this and I
believe adore has a 2.6 version of their linux kernel module rootkit,
but I have not messed around with it.

Nathan Sportsman

On Feb 1, 2008 3:56 PM, Brandon Louder <Brandon.Louder () mckennan org> wrote:
> I can't answer your entire question but I can provide a good resource.
>
> http://www.packetstormsecurity.org/UNIX/penetration/rootkits/
>
> Packet Storm has A LOT of known rootkits listed there with descriptions
> and links to other sites.
>
> Another tool you might look into is Rootkit Hunter (rkhunter).
>
> Good Luck!
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Ahmed Zaki
> Sent: Thursday, January 31, 2008 1:41 PM
> To: focus-ids () securityfocus com
> Subject: RootKits Under Linux
>
> Hi all
>
>        I am currently doing a project on rootkits under linux os. I am
> specially interested in loadable kernel module rootkits. I wanted to
> know
> where does research stand now in terms of detecting such rootkits. It
> would
> be very helpful if you would be able to point me to resources where I
> gain
> information on the diverse  variations of these rootkits and current
> available methods of detecting them. Also if there are mechanisms that
> can
> be used to totally avoid detection that would be used by rootkits.
>
>
>
> Regards
>
> Zeeq
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
> n=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
>
>
> -----------------------------------------
> Confidentiality Notice: This e-mail message, including any
> attachments, is for the sole use of the intended recipient(s) and
> may contain confidential and privileged information. Any
> unauthorized review, use, disclosure, or distribution is
> prohibited. If you are not the intended recipient, please contact
> the sender by reply e-mail and destroy all copies of the original
> message.
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------