Vulnerability Development mailing list archives

Re: Positive uses for rootkits


From: Chih hung Feng <chfeng () DU NET TW>
Date: Fri, 23 Mar 2001 19:14:45 +0800

on 3/22/2001 2:58 AM, Daniel McCranie at sfml () SNEAKERNETSECURITY COM wrote:

Hi,

I was wondering that since intruders can modify system commands to
not display certain things, couldn't admins modify the commands
like cp, mv, rm...  so that they would not be able to replace any
of the included commands?  These could be made in such a way only to
work unlimited in single user mode or have the disk mounted to
another system when there is a legitimate need to change one.

I have just enough UNIX knowledge to be dangerous to myself so be
gentle :)

Questions:

1. Are most rootkits simply shell scripts or real programs?

Most rootkits I've seen are binaries. Those written in scripts are easily
detected, and I guess that is the reason why shell-scripted trojans are seldom
used. But certainly there are exceptions. I once discovered a netstat
replacement which was simply:
/usr/bin/netstat.orig $* | grep -v ad.ne
(assuming the intruder came from somewhere.bad.net)


2. Would there be anyway to stop programs from overwriting those
files with programming calls?  (Maybe making them read-only and
modifying chmod...)

BSD 4.4 provides chflags which can set a file to be immutable or
append-only and so on. If the system runs in secure mode (1/2/3),
you'd have to reboot it and lower it down to insecure mode (0 or 1)
in order to modify the file flags. Man chflags(1) and init(8) on
modern BSD* systems for details.


3,4,5: I know that this probably wouldn't be good in a standard
distro but what about a hardening kit?  Has this been tried before?
Is there something blatantly wrong?

Some systems, like FreeBSD, set immutable flags for all setuid programs
by default. However this doesn't give you extra security because the
system runs in insecure mode after installation is finished (I don't
recall FreeBSD providing secure-level options during installation).

Security level (or any other mechanism to protect important files from
being modified) gives you better security than ordinary installation but
don't put all your eggs in this basket. There are other tricks, like trojaned
system calls, to circumvent this kind of protection.

Cheers,
Chih-hung Feng <chfeng () du net tw>
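The checks below are an added example and are not code from this post or from any BSD project. They turn three points of the thread into something a defender can run: a compiled system tool such as netstat that has turned into an interpreter script (the "#!" wrapper described above) is worth a look; setuid programs should carry the schg (system immutable) flag; and that flag only protects anything while kern.securelevel is 1 or higher, since at level 0 root can clear it again. The `ls -lo` lines are constructed in the FreeBSD column layout (mode, links, owner, group, flags, size, date, name) and do not come from a real host; the live sysctl and command lookups are skipped quietly on systems that lack them.

```shell
#!/bin/sh
# Added example (not from the original post). Defender-side checks that follow
# from the thread:
#   is_script_wrapper FILE  -> true if FILE starts with "#!" (an interpreter
#                              script where a compiled binary is expected)
#   unprotected_setuid      -> reads BSD `ls -lo` style lines on stdin and
#                              prints setuid entries that lack the schg flag
#   securelevel_protects N  -> true if securelevel N keeps schg from being
#                              cleared without a reboot (N >= 1)

is_script_wrapper() {
    # First two bytes "#!" mean a script; a compiled binary starts differently.
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

unprotected_setuid() {
    # Assumed column layout (BSD ls -lo): mode links owner group flags size date name.
    # Setuid shows as "s" (or "S") in the 4th character of the mode string.
    awk 'substr($1, 4, 1) ~ /[sS]/ && $5 !~ /schg/ { print $NF }'
}

securelevel_protects() {
    # At securelevel 0 (or -1) root may clear schg; at 1 or higher it cannot.
    [ "$1" -ge 1 ] 2>/dev/null
}

# Constructed sample output, not from a real host: su is setuid but not immutable.
SAMPLE_LS='-r-sr-xr-x  1 root  wheel  schg    8192 Mar 23  2001 /usr/bin/passwd
-r-sr-xr-x  1 root  wheel  -       4096 Mar 23  2001 /usr/bin/su
-r-xr-xr-x  1 root  wheel  -      16384 Mar 23  2001 /usr/bin/netstat'

# Live securelevel check; only meaningful on a BSD host, skipped elsewhere.
if command -v sysctl >/dev/null 2>&1; then
    lvl=$(sysctl -n kern.securelevel 2>/dev/null) || lvl=""
    if [ -n "$lvl" ] && ! securelevel_protects "$lvl"; then
        echo "warning: securelevel is $lvl; root can clear schg flags"
    fi
fi

# Live wrapper check on a few tools an intruder would typically replace.
for cmd in netstat ps ls; do
    p=$(command -v "$cmd" 2>/dev/null) || continue
    if is_script_wrapper "$p"; then
        echo "warning: $p is an interpreter script, expected a compiled binary"
    fi
done

# Report setuid files in the sample listing that are not immutable.
printf '%s\n' "$SAMPLE_LS" | unprotected_setuid
```

On a real FreeBSD host the sample listing would be replaced by `find / -perm -4000 -exec ls -lo {} +`, and a non-empty report means root can still swap those binaries without a reboot; the securelevel warning is the caveat from the post made explicit, since schg alone buys nothing at level 0.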
