Vulnerability Development mailing list archives
Re: Positive uses for rootkits
From: Ben Ford <bford () ERISKSECURITY COM>
Date: Mon, 26 Mar 2001 06:18:38 -0800
Dick Visser wrote:
On Fri, 23 Mar 2001, Jonathan James wrote:

> 1. Are most rootkits simply shell scripts or real programs?
>
> Most rootkits are installed as Operating System Modules:
>
>   Win95/Win98/WinME - .VxD files
>   Windows NT/2000   - .sys files
>   Linux             - LKMs (Linux Kernel Module)
>
> With Kernel Modules installed you've generally got 100% control of the
> current hosting operating system. This means that you can filter output
> that is sent to the user, hook into the filesystem calls etc. Kernel
> modules are hard to detect (for the common everyday user) and can be
> installed so that they are hard to remove.

So that's why I think it's better to build a minimal, static kernel without
module support. And once your kernel is OK and running, remove the .config
file from your kernel source tree. If someone does get in and tries to make
a new kernel (with module support) he cannot simply grab the old config file
and add module support to it. If he can make a kernel, at least he will have
to configure it right to make it behave the same as the static kernel. I say
this because it is not the first time I made a kernel and found out that it
was not bootable because of a tiny misconfiguration :)

Comments on this strategy are welcome.

--
Dick Visser
That is a great strategy to follow. Take it another step though. If this is
a server we are talking about, don't even put devel. tools on the box. Build
your small static kernel elsewhere and copy it to the box.

There *are* ways around this, but you gotta be good. If you play with memory
locations directly, there are ways to load a module even on a static
monolithic kernel. But as I said, you gotta be real good. Read that as "no
script kiddies".

-b
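The checks the two posts above describe, as an added example that is not from the thread: a POSIX sh script that audits a kernel .config for loadable-module support, flags the generated files that still reveal the configuration after .config has been deleted, and tests whether the running kernel is modular. CONFIG_MODULES and CONFIG_KMOD are the 2.4-era symbols; CONFIG_MODULE_UNLOAD and CONFIG_DEVKMEM are assumed to exist only on later (2.6-era) kernels and are reported as "unset" when absent. The sample config at the bottom is constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel build for the hardening
# Dick and Ben describe. Symbol names are real Kconfig symbols, but which ones
# exist depends on the kernel version (assumption: CONFIG_MODULE_UNLOAD and
# CONFIG_DEVKMEM are 2.6-era); an absent symbol is "unset", not a failure.

# config_value FILE SYMBOL -> y, m, n, a literal value, or "unset".
# Kconfig writes either "SYMBOL=value" or "# SYMBOL is not set".
config_value() {
    file=$1; sym=$2
    line=$(grep -E "^(# )?${sym}(=| is not set)" "$file" | tail -n 1)
    case "$line" in
        "# ${sym} is not set") echo n ;;
        "${sym}="*)            echo "${line#*=}" ;;
        *)                     echo unset ;;
    esac
}

# audit_config FILE -> one line per symbol; returns 1 if any path for
# loading code into the kernel (loadable modules, /dev/kmem) is compiled in.
audit_config() {
    file=$1; rc=0
    for sym in CONFIG_MODULES CONFIG_KMOD CONFIG_MODULE_UNLOAD CONFIG_DEVKMEM; do
        v=$(config_value "$file" "$sym")
        case "$v" in
            y|m) echo "FAIL: $sym=$v";  rc=1 ;;
            *)   echo "ok:   $sym ($v)" ;;
        esac
    done
    return $rc
}

# leftover_config TREE -> lists generated files in a kernel source tree that
# still reveal the build configuration; returns 1 if any are present.
# Removing .config alone is not enough: the generated autoconf.h carries the
# same information (include/linux/ on 2.4, include/generated/ on later trees).
leftover_config() {
    tree=$1; rc=0
    for f in .config include/linux/autoconf.h include/generated/autoconf.h; do
        if [ -e "$tree/$f" ]; then echo "LEFTOVER: $tree/$f"; rc=1; fi
    done
    return $rc
}

# running_kernel_modular -> 0 if the booted kernel has module support
# (a modular kernel exposes /proc/modules; a static one does not).
running_kernel_modular() {
    [ -e /proc/modules ]
}

# Stand-alone demo on a constructed sample config, not a real machine's.
sample=$(mktemp)
printf '%s\n' 'CONFIG_MODULES=y' '# CONFIG_DEVKMEM is not set' > "$sample"
audit_config "$sample" || echo "this config still allows loading code into the kernel"
rm -f "$sample"
```

Against a real box, point audit_config at the config the kernel was actually built from (copied from the build host) rather than at /proc/config.gz: a kernel that exposes /proc/config.gz hands the intruder exactly the file Dick's strategy removes.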