Bugtraq mailing list archives
Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd)
From: Dave Aitel <dave () immunitysec com>
Date: 05 Jul 2002 12:07:16 -0400
On Thu, 2002-07-04 at 09:06, noir sin wrote:
> Resend: attachment moved to http://gsu.linux.org.tr/~noir/b.tar.gz since no more than 100K is allowed.
>
> Hi,
>
> Recently, Dave Aitel posted a link to a loadable kernel module for the Solaris operating system to check its kernel integrity against backdoors. I downloaded it and did some quick analysis on the "product". Simply, it does MD5 checksumming on the sysent32 table, where pointers to syscall-handling kernel functions reside. These pointers are well known to be manipulated by backdoor LKMs to change the execution order and pre-execute some hacker code that will hide things or feed false information.
<lots of really interesting and cool stuff cut for brevity>

Well, BG 1.0 Free Demo (http://www.immunitysec.com/bodyguard.html) does do the dereference. E.G. it checks the system call code itself, not the sysent32 table. So theoretically adding exece to BodyGuard's checksum table _would_ catch this method, at least for the moment. :> (I'll try this later today to make sure.)

Did you check to see if you could do the same trick to stat64?

The demo version is somewhat limited in what it checks, but DOES work on many "popular" kernel-level rootkits. A lot of the goal was to give people at least SOME recourse. I recognize that it becomes an escalating game of SPY vs SPY, but BG does at least give non-hackers a chip to spend in the game - something they didn't have until Monday :>.

There's definitely a window of time where BG will detect a rootkit. This is why BG, to be successful, will have:

1. Limited distribution
2. Slightly different executables for each customer
3. Be sold only on a subscription basis - new versions due out periodically throughout the year.

Dave Aitel
Immunity, Inc
www.immunitysec.com
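The distinction the two posts turn on, a checksum over the sysent32 table versus a checksum over the handler code the table points at, is easy to see in a small simulation. The following is an added example written for this archive page; it is not code from BodyGuard, from noir's module, or from Solaris. Because user space cannot portably patch its own text segment, the kernel text and the sysent32 table are constructed stand-in arrays, the "jmp" patch and hook bytes are made up, and FNV-1a stands in for MD5. What it shows is that a pointer-swapping LKM changes both checksums, while the prologue-patching technique leaves the table checksum intact and is caught only by the dereferencing check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NSYSCALL    4
#define HANDLER_LEN 32

/* Constructed stand-in for kernel text: each row holds the "machine code"
 * of one syscall handler. In a real kernel these bytes live in the text
 * segment; a plain array plays that role so the example runs in user space. */
static uint8_t kernel_text[NSYSCALL][HANDLER_LEN];

/* Stand-in for sysent32: syscall number -> handler address. */
struct sysent_entry {
    const char *name;
    uint8_t    *handler;   /* the pointer a table-swapping LKM overwrites */
};
static struct sysent_entry sysent32[NSYSCALL];

/* FNV-1a: a dependency-free stand-in for the MD5 the checker uses. */
static uint64_t fnv1a(uint64_t h, const void *data, size_t len)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Populate the fake kernel text deterministically and wire up the table. */
void init_system(void)
{
    static const char *names[NSYSCALL] = { "open", "exece", "stat64", "getdents64" };
    for (int i = 0; i < NSYSCALL; i++) {
        for (int j = 0; j < HANDLER_LEN; j++)
            kernel_text[i][j] = (uint8_t)(0x40 + i * 7 + j * 3);  /* filler "code" */
        sysent32[i].name    = names[i];
        sysent32[i].handler = kernel_text[i];
    }
}

/* Scope 1: checksum the table only, i.e. the pointer values. */
uint64_t hash_sysent_table(void)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int i = 0; i < NSYSCALL; i++)
        h = fnv1a(h, &sysent32[i].handler, sizeof sysent32[i].handler);
    return h;
}

/* Scope 2: dereference each entry and checksum the handler's code bytes. */
uint64_t hash_sysent_code(void)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int i = 0; i < NSYSCALL; i++)
        h = fnv1a(h, sysent32[i].handler, HANDLER_LEN);
    return h;
}

/* Technique A: classic backdoor LKM, point the table entry at the hook. */
void attack_replace_pointer(int sysno, uint8_t *hook)
{
    sysent32[sysno].handler = hook;
}

/* Technique B: leave the table alone and overwrite the handler's prologue
 * with a jump to the hook (kernel function hijacking). */
void attack_patch_prologue(int sysno, const uint8_t *jmp, size_t len)
{
    memcpy(sysent32[sysno].handler, jmp, len);
}

/* Bit 0 set: table checksum changed. Bit 1 set: code checksum changed. */
int detect(uint64_t base_table, uint64_t base_code)
{
    int r = 0;
    if (hash_sysent_table() != base_table) r |= 1;
    if (hash_sysent_code()  != base_code)  r |= 2;
    return r;
}

/* Constructed hook body and a fake 5-byte "jmp rel32" prologue patch. */
uint8_t       hook_code[HANDLER_LEN] = { 0xde, 0xad, 0xbe, 0xef };
const uint8_t jmp_patch[5]           = { 0xe9, 0x11, 0x22, 0x33, 0x44 };

/* 0: clean baseline, 1: prologue patch on exece, 2: pointer swap on exece.
 * Returns the detect() bits after the chosen scenario. */
int run_scenario(int which)
{
    init_system();
    uint64_t t0 = hash_sysent_table(), c0 = hash_sysent_code();
    if (which == 1) attack_patch_prologue(1, jmp_patch, sizeof jmp_patch);
    if (which == 2) attack_replace_pointer(1, hook_code);
    return detect(t0, c0);
}

int main(void)
{
    static const char *label[] = { "clean", "prologue patch", "pointer swap" };
    for (int s = 0; s < 3; s++) {
        int r = run_scenario(s);
        printf("%-15s table:%s code:%s\n", label[s],
               (r & 1) ? "CHANGED" : "ok", (r & 2) ? "CHANGED" : "ok");
    }
    return 0;
}
```

The table-only checker returns "ok" for the prologue patch, which is exactly the gap the first post describes; the dereferencing checker flags both techniques, but only for the handlers it knows to hash, which is why Dave's reply talks about adding exece to the checksum table.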
Current thread:
- UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd) noir sin (Jul 04)
- Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd) Dave Aitel (Jul 05)
- Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd) noir sin (Jul 06)
- Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd) noir sin (Jul 07)
- Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd) Dave Aitel (Jul 08)
- Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd) noir sin (Jul 06)
- Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd) Dave Aitel (Jul 05)