Honeypots mailing list archives
Re: Kernel-level Rootkits
From: Dominik Lupinski <yhpx () alpha net pl>
Date: Mon, 9 Dec 2002 18:38:11 +0100
On Sun, Dec 08, 2002 at 06:33:47PM -0800, Edward Ray wrote:

> Hello everyone.

Hello,

> A question concerning kernel-level rootkits. Has anyone used a kernel-level rootkit (i.e. Knark, Adore, KIS) in a honeypot implementation? It would appear to have a few advantages, but only in the hands of someone who knew how to use it correctly.

Yes, IMHO such a solution with kernel modules could give you low-level control over a honeypot, with the ability to log whatever you want apart from user-land utilities, and also to hide certain tools, firewall rules, connections, etc.

> If anybody has experimented with kernel-level rootkits, I would be interested in your results, as I am considering using a rootkit (after I learn how it works, of course) in a honeypot of my own.

Actually, I have been working on it for a few weeks. My implementation is heading into FreeBSD systems. I think I'll end up with a first usable version in two months or so. If you're interested in having your honeypot on FreeBSD, I'd be glad to let you test it. :)

Regards,

--
Dominik Lupinski // yhpx@alpha.net.pl