Bugtraq mailing list archives

Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd)


From: Dave Aitel <dave () immunitysec com>
Date: 05 Jul 2002 12:07:16 -0400

On Thu, 2002-07-04 at 09:06, noir sin wrote:

Resend:
attachment moved to http://gsu.linux.org.tr/~noir/b.tar.gz
since no more than 100K is allowed

Hi,

Recently, Dave Aitel posted a link to a loadable kernel module for the
Solaris operating system to check its kernel integrity against backdoors.
I downloaded it and did some quick analysis on the "product". Simply put, it does
MD5 checksumming on the sysent32 table, where pointers to syscall-handling
kernel functions reside. These pointers are well known to be manipulated by
backdoor LKMs to change the execution order and pre-execute some hacker
code that will hide things or feed false information.

<lots of really interesting and cool stuff cut for brevity>

Well, BG 1.0 Free Demo (http://www.immunitysec.com/bodyguard.html) does
do the dereference, i.e. it checks the system call code itself, not the
sysent32 table. So theoretically adding exece to BodyGuard's checksum
table _would_ catch this method, at least for the moment. :> (I'll try
this later today to make sure.) Did you check to see if you could do the
same trick to stat64?

The demo version is somewhat limited in what it checks, but DOES work on
many "popular" kernel-level rootkits. A lot of the goal was to give
people at least SOME recourse. I recognize that it becomes an escalating
game of SPY vs SPY, but BG does at least give non-hackers a chip to
spend in the game - something they didn't have until Monday :>.

There's definitely a window of time where BG will detect a rootkit. This
is why BG, to be successful, will:

1. have limited distribution
2. have slightly different executables for each customer
3. be sold only on a subscription basis, with new versions due out
periodically throughout the year.

Dave Aitel
Immunity, Inc
www.immunitysec.com
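The distinction Dave draws above, checksumming the sysent32 pointers versus dereferencing them and checksumming the handler code they point at, as an added example; this is constructed illustration code, not BodyGuard's or Bouncer's, using a toy three-slot table, made-up handler bytes and 64-bit FNV-1a in place of MD5:

```c
#include <stdint.h>
#include <stdio.h>
#define NSYS     3
#define BODY_LEN 8
/* Constructed stand-in for kernel text: each "handler" body is BODY_LEN
 * bytes of made-up machine code sitting behind the table, not in it. */
static uint8_t handler_code[NSYS][BODY_LEN] = {
    { 0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3 },
    { 0x55, 0x48, 0x89, 0xe5, 0xb8, 0x01, 0x00, 0xc3 },
    { 0x55, 0x48, 0x89, 0xe5, 0xb8, 0x02, 0x00, 0xc3 },
};
/* Constructed stand-in for sysent32: one code pointer per syscall slot. */
static const uint8_t *sysent[NSYS] = {
    handler_code[0], handler_code[1], handler_code[2],
};
/* 64-bit FNV-1a, standing in for the MD5 the real tools use. */
#define FNV_INIT 0xcbf29ce484222325ULL
static uint64_t fnv1a(uint64_t h, const void *p, size_t n)
{
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}
/* Table-only check: hashes the pointer values. A replaced pointer is
 * noticed; a handler whose body was patched in place is not. */
uint64_t hash_table(void)
{
    return fnv1a(FNV_INIT, sysent, sizeof sysent);
}
/* Dereferencing check: follows each pointer and hashes the code it points
 * at, so an in-place patch is caught even when the table is untouched. */
uint64_t hash_bodies(void)
{
    uint64_t h = FNV_INIT;
    for (int i = 0; i < NSYS; i++)
        h = fnv1a(h, sysent[i], BODY_LEN);
    return h;
}
int main(void)
{
    uint64_t t0 = hash_table(), b0 = hash_bodies();   /* record baselines */
    handler_code[0][4] ^= 0xff;  /* constructed: one byte of one body changes */
    printf("table check: %s, body check: %s\n", hash_table() == t0 ? "silent" : "alert",
           hash_bodies() == b0 ? "silent" : "alert");
    return 0;
}
```

Run as is, the table check stays silent while the body check alerts; the reverse case (a swapped pointer with untouched bodies) is what the table-only check does catch.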
