Vulnerability Development mailing list archives

Re: Positive uses for rootkits

From: Jason Nicholls <s9802857 () STUDENT UP AC ZA>
Date: Fri, 23 Mar 2001 09:07:39 +0200

Just some thoughts that I have on the subject.


Daniel McCranie wrote:

Hi,

I was wondering that since intruders can modify system commands to
not display certain things, couldn't admins modified the commands
like cp, mv, rm...  so that they would not be able to replace any
of the included commands?  These could be made in such a way only to
work unlimited in single user mode or have the disk mounted to
another system when there is a legitimate need to change one.

I have just enough UNIX knowledge to be dangerous to myself so be
gentle :)

Questions:

1. Are most rootkits simply shell scripts or real programs?


Some of the rootkits that I have played with have been scritps but most
have been edited version. ie Someone downloads the source changes it and
recompiles it on the infected system, then wipes over the old file with
the new one.



2. Would there be anyway to stop programs from overwriting those
files with programming calls?  (Maybe making them read-only and
modifying chmod...)


You could modify chmod or the system call so that the programs can not
be overwritten but what stops the intruder from overwritting chmod to
allow one to install root kits. One could build it into the kernel and
say that x,y,z may not be overwritten. But if you are root you could
just undo it. Only if you know what was done in the first place. If one
makes it that you can not override say ls ps etc one could always
overide the system calls with ones own files. I think it does not matter
how many things you put in place. If the intruder understands the system
and what has been done to stop him/her. They will get in and change
things.


3,4,5: I know that this probably wouldn't be good in a standard
distro but what about a hardening kit?  Has this been tried before?
Is there something blatantly wrong?


There were some scripts to help newbie admin on freshmeat to harded
boxes, As well as many articles in *nix journal. I think everything
helps. The more you put in place to protect the system. The easier it is
for a bug (buffer overflows, unsafe sys calls )to be in those protective
measures and thus the easier it would be to get in. Kinda ironic.

Dan

Current thread:

Positive uses for rootkits Daniel McCranie (Mar 22)
- Re: Positive uses for rootkits Nicolas Gregoire (Mar 23)
- Re: Positive uses for rootkits Chih hung Feng (Mar 23)
- Re: Positive uses for rootkits Berend De Schouwer (Mar 23)
- Re: Positive uses for rootkits Gregor Binder (Mar 23)
- Re: Positive uses for rootkits Cedric Blancher (Mar 23)
- Re: Positive uses for rootkits Jason Nicholls (Mar 23)
- Re: Positive uses for rootkits Jonathan James (Mar 25)
  - Re: Positive uses for rootkits Dick Visser (Mar 25)
    - Re: Positive uses for rootkits Ron DuFresne (Mar 25)
    - Re: Positive uses for rootkits Daniel R. Warner (Mar 25)
    - Re: Positive uses for rootkits -> off-topic: booting tricks. Alex Schütz (Mar 27)
    - Re: Positive uses for rootkits -> off-topic: booting tricks. ze Snark (Mar 28)
    - Re: Positive uses for rootkits The Attitude Adjuster (Mar 25)
    - Re: Positive uses for rootkits Ben Ford (Mar 28)
    - Re: Positive uses for rootkits Big Woz (Mar 28)
    - Re: Positive uses for rootkits Renee Teunissen (Mar 26)

(Thread continues...)