Dailydave mailing list archives

Re: DR Linux 2.6 rootkit released


From: "Pierre Falda" <darkangel () antifork org>
Date: Thu, 4 Sep 2008 13:39:51 +0200

Hi people,
if someone else is still interested in these things and wants to see some
'old' code: in 2006 I published an article and a 2.4.x/2.6.x (tested
up to .19) Linux rootkit
which loads itself through kmem and fully implements these techniques. It's
a fully working rootkit with a debug-register engine and with
anti-detection checks via GD and CPU emulation to protect itself too. It has
all modern rootkit hiding features, extra anti-detection features
like kmem/mem/kcore/procfs on-the-fly patching, and most add-ons like TTY and
application sniffing. It works by watching the SCT and supports
syscall invocations through int 80 and sysenter and so on.

You can find the source code here:

http://packetstormsecurity.org/UNIX/penetration/rootkits/mood-nt_2.3.tgz

or here

http://darkangel.antifork.org/codes.htm

The article about the hardware engine (in Italian) is here

http://darkangel.antifork.org/publications/Abuso%20dell%27Hardware%20nell%27Attacco%20al%20Kernel%20di%20Linux.pdf

and if you want the printed version in a scientific publication, you can go
here:

http://www.atsystem.org/en/conventions/nss06/convention+proceedings

Have a nice day!


Pierre Falda 'darkangel'
http://darkangel.antifork.org
Antifork Research Inc.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
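The post mentions a "debug registers engine" that hooks the syscall path while watching the SCT. The building block behind any such engine is the x86 debug-register layout: DR0..DR3 hold linear addresses, DR7 arms each slot and selects the access type and length, and DR6 reports which slot matched when the #DB exception fires. In ring 0 the same encoding can arm a breakpoint on a kernel address such as the syscall dispatcher or the table itself, so a hook needs no visible change to the table that an integrity checker would compare against System.map. The following is an added illustration written for this archive page; it is not code from mood-nt or from the article. The encoding helpers are architecture-neutral; the `main()` demo assumes Linux on x86 (32- or 64-bit) with ptrace permitted, and uses the hypothetical variable name `watched`, slot 0, and a 4-byte write watchpoint as its example.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* DR7 R/Wn field: which kind of access arms slot n. */
enum bp_type { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };
/* DR7 LENn field; the 8-byte code (2) is only defined in 64-bit mode. */
enum bp_len  { BP_LEN1 = 0, BP_LEN2 = 1, BP_LEN8 = 2, BP_LEN4 = 3 };

/* Return dr7 with slot 0..3 locally enabled for the given access type and
 * length, leaving the other slots untouched. Execute breakpoints must use
 * length 1, so len is forced for BP_EXEC. Out-of-range slots are ignored. */
uint64_t dr7_enable(uint64_t dr7, int slot, enum bp_type type, enum bp_len len)
{
    if (slot < 0 || slot > 3)
        return dr7;
    if (type == BP_EXEC)
        len = BP_LEN1;
    dr7 &= ~((uint64_t)0xF << (16 + 4 * slot));  /* clear R/Wn and LENn */
    dr7 |= (uint64_t)1 << (2 * slot);            /* Ln: local enable   */
    dr7 |= (uint64_t)type << (16 + 4 * slot);    /* R/Wn               */
    dr7 |= (uint64_t)len << (18 + 4 * slot);     /* LENn               */
    return dr7;
}

/* The view a detector wants: is slot n armed (Ln or Gn set)? */
int dr7_slot_enabled(uint64_t dr7, int slot)
{
    return ((dr7 >> (2 * slot)) & 3) != 0;
}

/* DR6 bits 0..3 (Bn) flag the slot whose condition matched when #DB fired.
 * Returns the lowest matching slot, or -1 if none did (e.g. single-step). */
int dr6_hit_slot(uint64_t dr6)
{
    for (int i = 0; i < 4; i++)
        if (dr6 & ((uint64_t)1 << i))
            return i;
    return -1;
}

#if defined(__x86_64__) || defined(__i386__)
/* Hypothetical target of the demo watchpoint; the forked child has the same
 * virtual address for it, which is what we program into DR0. */
static volatile int watched = 0;

/* u_debugreg[] in struct user is Linux's ptrace window onto DR0..DR7. */
static long peek_dr(pid_t pid, int n)
{ return ptrace(PTRACE_PEEKUSER, pid, offsetof(struct user, u_debugreg[n]), 0); }
static long poke_dr(pid_t pid, int n, unsigned long v)
{ return ptrace(PTRACE_POKEUSER, pid, offsetof(struct user, u_debugreg[n]), v); }

int main(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {                       /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(2);
        raise(SIGSTOP);                   /* wait until DR0/DR7 are programmed */
        watched = 42;                     /* this store should raise #DB -> SIGTRAP */
        _exit(0);
    }
    waitpid(pid, &status, 0);
    if (!WIFSTOPPED(status)) { fprintf(stderr, "child did not stop\n"); return 1; }

    /* Slot 0: 4-byte write watchpoint on &watched. */
    uint64_t dr7 = dr7_enable(0, 0, BP_WRITE, BP_LEN4);
    if (poke_dr(pid, 0, (unsigned long)&watched) < 0 || poke_dr(pid, 7, dr7) < 0) {
        perror("PTRACE_POKEUSER debugreg (is ptrace permitted here?)");
        kill(pid, SIGKILL);
        return 1;
    }
    ptrace(PTRACE_CONT, pid, 0, 0);
    waitpid(pid, &status, 0);
    if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
        uint64_t dr6 = (uint64_t)peek_dr(pid, 6);
        printf("SIGTRAP: DR6=0x%llx -> slot %d fired, DR7=0x%llx\n",
               (unsigned long long)dr6, dr6_hit_slot(dr6), (unsigned long long)dr7);
    } else {
        printf("no trap (status 0x%x)\n", status);
    }
    ptrace(PTRACE_CONT, pid, 0, 0);       /* data breakpoints trap after the store; let the child exit */
    waitpid(pid, &status, 0);
    return 0;
}
#else
int main(void) { puts("the ptrace demo needs x86; the DR7/DR6 helpers still build"); return 0; }
#endif
```

Data breakpoints are traps, so the tracee stops after the store has completed and the debugger (or, in the rootkit case, the kernel-mode #DB handler) sees DR6 with B0 set; execute breakpoints are faults and stop before the instruction, which is what makes them usable as a hook on the dispatcher. Note also why a checker that only compares the SCT against System.map sees nothing here: the table is never written, only watched, so a defender has to read DR7 itself (via `dr7_slot_enabled` or the kernel's own hw_breakpoint bookkeeping) to notice that a slot is armed.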
