Information Security News mailing list archives

Re: New Attack Sneaks Rootkits Into Linux Kernel

From: InfoSec News <alerts () infosecnews org>
Date: Thu, 16 Apr 2009 00:09:03 -0500 (CDT)

Forwarded from: Kristian Erik Hermansen <kristian.hermansen (at) gmail.com>

I met Anthony and saw this same talk previewed at the Southern 
California Linux Expo (SCALE), where I was also speaking.

Abstract:
http://scale7x.socallinuxexpo.org/conference-info/speakers/anthony-lineberry

Slides:
http://scale7x.socallinuxexpo.org/sites/scale7x.socallinuxexpo.org/files/Anthony_Lineberry.ppt

My Abstract:
http://scale7x.socallinuxexpo.org/conference-info/speakers/kristian-erik-hermansen-0

I asked Anthony if it would be possible to detect his rootkit by 
utilizing Cold Boot attacks, and he confirmed that it would be possible.  
However, okease refer to the talk slides for details on the specifics of 
what kernel structures are modified.

Cheers,

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=216500687

By Kelly Jackson Higgins
DarkReading
April 14, 2009

Kernel rootkits are tough enough to detect, but now a researcher has 
demonstrated an even sneakier method of hacking Linux.

The attack attack exploits an oft-forgotten function in Linux versions 
2.4 and above in order to quietly insert a rootkit into the operating 
system kernel as a way to hide malware processes, hijack system calls, 
and open remote backdoors into the machine, for instance. At Black Hat 
Europe this week in Amsterdam, Anthony Lineberry, senior software 
engineer for Flexilis, will demonstrate how to hack the Linux kernel 
by exploiting the driver interface to physically addressable memory in 
Linux, called /dev/mem.

"One of bonuses of this [approach] is that most kernel module rootkits 
make a lot noise when they are inserting [the code]. This one is 
directly manipulating" the memory, so it's less noticeable, he says.

The /dev/mem "device" can be opened like a file, and you can read and 
write to it like a text file, Lineberry says. It's normally used for 
debugging the kernel, for instance.

[...]


-- 
Kristian Erik Hermansen


_______________________________________________      
Best Selling Security Books and More!
http://www.shopinfosecnews.org/

Current thread:

New Attack Sneaks Rootkits Into Linux Kernel InfoSec News (Apr 15)
- <Possible follow-ups>
- Re: New Attack Sneaks Rootkits Into Linux Kernel InfoSec News (Apr 15)