Vulnerability Development mailing list archives
Re: Positive uses for rootkits
From: Chih hung Feng <chfeng () DU NET TW>
Date: Fri, 23 Mar 2001 19:14:45 +0800
on 3/22/2001 2:58 AM, Daniel McCranie at sfml () SNEAKERNETSECURITY COM wrote:
Hi, I was wondering that since intruders can modify system commands to not display certain things, couldn't admins modify commands like cp, mv, rm... so that they would not be able to replace any of the included commands? These could be made in such a way as to work unrestricted only in single-user mode, or with the disk mounted on another system, when there is a legitimate need to change one. I have just enough UNIX knowledge to be dangerous to myself, so be gentle :)

Questions:

1. Are most rootkits simply shell scripts or real programs?
Most rootkits I've seen are binaries. Those written as scripts are easily detected, and I guess that is the reason why shell-scripted trojans are seldom used. But certainly there are exceptions. I once discovered a netstat replacement which was simply:

    /usr/bin/netstat.orig $* | grep -v ad.ne

(assuming the intruder came from somewhere.bad.net)
2. Would there be anyway to stop programs from overwriting those files with programming calls? (Maybe making them read-only and modifying chmod...)
BSD 4.4 provides chflags, which can set a file to be immutable or append-only and so on. If the system runs in secure mode (1/2/3), you'd have to reboot it and lower it down to insecure mode (0 or 1) in order to modify the file flags. See chflags(1) and init(8) on modern BSD systems for details.
3,4,5: I know that this probably wouldn't be good in a standard distro but what about a hardening kit? Has this been tried before? Is there something blatantly wrong?
Some systems, like FreeBSD, set the immutable flag for all setuid programs by default. However, this doesn't give you extra security, because the system runs in insecure mode after installation is finished (I don't recall FreeBSD providing secure-level options during installation). Security level (or any other mechanism to protect important files from being modified) gives you better security than an ordinary installation, but don't put all your eggs in this basket. There are other tricks, like trojaned system calls, to circumvent this kind of protection.

Cheers,
Chih-hung Feng <chfeng () du net tw>
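The "script wrapper" trojan in Chih-hung Feng's first answer (a netstat renamed to netstat.orig and replaced by a one-line shell script piping through grep -v) is exactly the kind that is easy to detect without chflags or a secure level. The following is an added example, not code from the thread or from any BSD tool: a small POSIX shell checker that scans a bin directory for two cheap indicators, a file that starts with "#!" where a compiled binary is expected, and a leftover "<name>.orig" sibling next to a command of the same name. The sample directory it builds, the names "netstat" and "ls", and the host "bad.net" are constructed for the demo and are not real trojans.

```shell
#!/bin/sh
# Added example (not from the original thread): detect the script-wrapper
# style of trojaned command, e.g. netstat replaced by
#   /usr/bin/netstat.orig $* | grep -v bad.net
# Heuristics, none of which need root, chflags or a secure level:
#   1. a file in a system bin directory whose first two bytes are "#!"
#      (a shell script where a compiled binary is expected);
#   2. a "<name>.orig" sibling left beside a command of the same name.
# The directory built by make_sample is constructed for the demo; the
# command names and the host "bad.net" are illustrative only.

# Print one line per suspicious file in directory $1.
# Returns 0 if the directory looks clean, 1 if anything was flagged.
scan_bindir() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.orig) continue ;; esac   # report the wrapper, not the original
        # Read the first two bytes without executing anything.
        magic=$(head -c 2 "$f" 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            echo "SCRIPT   $f"
            found=1
        fi
        if [ -f "$f.orig" ]; then
            echo "ORIGSIB  $f (original kept as $f.orig)"
            found=1
        fi
    done
    return $found
}

# Build a constructed bin directory: one fake compiled binary, plus one
# wrapper trojan with its renamed original sitting beside it.
make_sample() {
    d=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$d/ls"            # fake ELF header, not a real program
    printf '\177ELF\002\001\001' > "$d/netstat.orig"  # the "real" netstat, renamed by the intruder
    printf '#!/bin/sh\n/usr/bin/netstat.orig "$@" | grep -v bad.net\n' > "$d/netstat"
    chmod 755 "$d"/*
    echo "$d"
}

# Usage: sh scan.sh demo        (runs against the constructed sample)
#        sh scan.sh /usr/bin    (runs against a real directory)
if [ "${1:-}" = "demo" ]; then
    sample=$(make_sample)
    scan_bindir "$sample" || echo "trojan candidates found in $sample"
    rm -rf "$sample"
elif [ -d "${1:-}" ]; then
    scan_bindir "$1" || echo "trojan candidates found in $1"
fi
```

On a real system the "#!" test will flag legitimate scripts that live in /usr/bin (on many systems a fair number do), so the output is a shortlist to compare against the package database or a pre-intrusion checksum list, not a verdict. It also says nothing about the binary rootkits the answer says are the common case; for those you still need integrity checking of the binaries themselves, and as the last paragraph notes, a trojaned system call can lie to any userland check.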
Current thread:
- Positive uses for rootkits Daniel McCranie (Mar 22)
- Re: Positive uses for rootkits Nicolas Gregoire (Mar 23)
- Re: Positive uses for rootkits Chih hung Feng (Mar 23)
- Re: Positive uses for rootkits Berend De Schouwer (Mar 23)
- Re: Positive uses for rootkits Gregor Binder (Mar 23)
- Re: Positive uses for rootkits Cedric Blancher (Mar 23)
- Re: Positive uses for rootkits Jason Nicholls (Mar 23)
- Re: Positive uses for rootkits Jonathan James (Mar 25)
- Re: Positive uses for rootkits Dick Visser (Mar 25)
- Re: Positive uses for rootkits Ron DuFresne (Mar 25)
- Re: Positive uses for rootkits Daniel R. Warner (Mar 25)
- Re: Positive uses for rootkits -> off-topic: booting tricks. Alex Schütz (Mar 27)
- Re: Positive uses for rootkits -> off-topic: booting tricks. ze Snark (Mar 28)
- Re: Positive uses for rootkits Dick Visser (Mar 25)