Dailydave mailing list archives

Re: DR Linux 2.6 rootkit released


From: Bas Alberts <bas.alberts () immunityinc com>
Date: Thu, 04 Sep 2008 09:29:27 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hrmm .. didn't read moodNT .. mostly it's just a straight translation of
the IA software developers manual. MoodNT would have been referenced
otherwise. Read DR.c for the gritty details. It was written to be a
porting platform for existing syscall hooks. Very simple stuff.

In any event, I only wrote the debug register bit (DR.c) .. I think the
actual hooks and 'rootkit' functionality could be improved (read my
comments in source). Feel free to do so. For me the goal was just to
give a simple and clean hooking mechanism based on dr logic, that people
could plug into existing 'oldschool' rootkits.

Cheers,
Bas

ninjaboy wrote:
> 2008/9/3 Bas Alberts <bas.alberts () immunityinc com>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> All,
>>
>> Immunity is releasing the DR Linux 2.6 IA32 rootkit under the GPLv2. It
>> is supported by CANVAS (and is thus commercially supported for your
>> penetration-testing needs) but is suitable for standalone use.
>>
>> Currently the rootkit can:
>>
>> o Hide processes
>> o Hide network sockets
>> o Hide files
>> o Get a remote MOSDEF Node (via hidden userland-backdoor)
>
> good fork of mood-nt.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIv+K3LpdA2Ju9tfcRAhemAJ9WAydPGDcSfCUsza/pcTDQQ8MflACgglU2
zop+jBkdmjCjzzUfggUzyHk=
=BObD
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave