Honeypots mailing list archives

Re: sebek as a patch?


From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Wed, 05 Oct 2005 14:36:03 +0200

Edward Balas wrote:

> Could you elaborate on what you mean by rather hard to hide the
> kernel module? I presume you mean beyond simply modifying the kernel
> data structure to remove the module from the linked list of modules
> which is done currently?

I think he means that it is hard to hide a module on a host if the
attacker has uid 0. After all, he can then start to dig around, search
through kernel memory for patterns (e.g. module structure, modifications
in the network code, ...), insert his own modules, and basically do
arbitrary things. So shouldn't it be easy to detect the presence of
Sebek by searching through the memory for the constant strings? Or by
triggering a little fork bomb and seeing whether the system behaves
unusually compared to normal behavior?

Probably it would be interesting to add further mechanisms to hide the
presence of Sebek on a host, e.g., by hiding the configuration file or
even the module itself with the help of steganography. The people from
samhain have implemented some nice mechanisms:
http://la-samhna.de/samhain/manual/stealthmode.html

> As for a patch, it does offer some advantages, however I am skeptical
> that it will be the magic fix. First, most of the detection stuff we
> have seen is pattern match based. Going to a kernel patch just changes
> the patterns that one needs to look for. Second, once you have
> patched the kernel, detection can happen on the kernel image in the
> fs itself.

I agree that it will not be the magic fix, but it can help the more
paranoid people. After all, Sebek is then part of the kernel and
removing it becomes much harder.

And if we observe the kind of detection techniques you mention, we can
start to add polymorphism ;-)

> The one thing that is pretty sweet about a patch is that you don't
> need to worry about how to reinstall the kernel module after reboot.

Another option is detailed in "Infecting loadable kernel modules",
Phrack Volume 0x0b, Issue 0x3d, Phile #0x0a
(http://www.phrack.org/phrack/61/p61-0x0a_Infecting_Loadable_Kernel_Modules.txt)

I hope that there will soon be a diploma thesis about improving the Data
Capture mechanism at my lab. I'll keep you up to date on this topic.

Cheers,
  Thorsten
