Bugtraq mailing list archives
Re: An alternative method to check LKM backdoor/rootkit
From: Florian Weimer <Weimer () CERT Uni-Stuttgart DE>
Date: Thu, 18 Apr 2002 00:04:39 +0200
Paul Starzetz <paul () starzetz de> writes:
Be sure that this will be fixed in the next 'generation' of LRKM's. Patching the device methods for disk special nodes is not a big deal - why not to incorporate even your code into one of the nice LRKM's? You probably found a weaknes of 'current' LRKM's but in general it is a bad idea to check your machine while running a compromised kernel.
I agree. You can never be sure which kernel you are running. An attacker could have placed a modified kernel on a swap device (which excludes this very area from being used as swap space), and tweaked the boot loader to load the modified kernel. Using this approach, the modified kernel image can be made completely invisible easily, and it still survives reboot. Such a modification is very hard to spot even during an offline analysis, and the checklists I've seen so far do not address this problem at all. -- Florian Weimer Weimer () CERT Uni-Stuttgart DE University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898
Current thread:
- An alternative method to check LKM backdoor/rootkit Wang Jian (Apr 16)
- Re: An alternative method to check LKM backdoor/rootkit Paul Starzetz (Apr 17)
- Re: An alternative method to check LKM backdoor/rootkit Florian Weimer (Apr 17)
- Re: An alternative method to check LKM backdoor/rootkit Karsten W. Rohrbach (Apr 18)
- 答复: An alternative method to check LKM backdoor/rootkit Wang Jian (Apr 18)
- Re: An alternative method to check LKM backdoor/rootkit Florian Weimer (Apr 17)
- <Possible follow-ups>
- RE: An alternative method to check LKM backdoor/rootkit Philippe Bourgeois (Apr 17)
- Re: An alternative method to check LKM backdoor/rootkit Paul Starzetz (Apr 17)