Vulnerability Development mailing list archives

Re: Positive uses for rootkits


From: Jonathan James <Jonathan () SECURITO SE>
Date: Fri, 23 Mar 2001 20:34:47 +0100

1. Are most rootkits simply shell scripts or real programs?
Most rootkits are installed as Operating System Modules:
Win95/Win98/WinME:
- .VxD files
Windows NT/2000
- .sys files
Linux
- LKMs (Linux Kernel Module)

With Kernel Modules installed you've generally got 100% control of the
current hosting operating system.
This means that you can filter output that is sent to the user, hook into
the filesystem calls, etc.
Kernel modules are hard to detect (for the common everyday user) and can be
installed so that they are hard to remove.

2. Would there be any way to stop programs from overwriting those
files with programming calls?  (Maybe making them read-only and
modifying chmod...)
Anything is possible when you've penetrated the OS layer.

For more information and examples check out the KNARK rootkit by Creed for
Linux
(http://packetstorm.securify.com/UNIX/penetration/rootkits/knark-0.59.tar.gz)
or Greg Hoglund's Windows rootkit (www.rootkit.com).

Yours sincerely,
Jonathan James
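The point made above, that a kernel module can filter the directory listing a user sees, is what rootkits like knark do by hooking getdents() so that entries it wants hidden never reach user space. The classic defensive counter is a cross-view check: obtain the list of names twice through independent paths and diff them. The following is an added example, not code from the post, from knark or from Hoglund's rootkit: a user-space model in which one "view" is plain readdir() and a second "view" mimics a hooked readdir that drops entries with an assumed prefix (kn_), and a checker that stat()s each candidate name directly and counts names that exist on disk but are absent from the listing. The scratch directory, file names, prefix and helper names are all constructed for the demonstration.

```c
/* Added example (not from the original post): user-space model of a
 * readdir/getdents filter and the cross-view check used to detect it.
 * The hook here runs in user space only; a real rootkit does the same
 * filtering inside the kernel, which is why a second, independent view
 * (here a direct stat() of candidate names) is needed to see through it. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ENTRIES 64
#define NAME_LEN 256
/* Assumed prefix the simulated rootkit hides (stands in for a hook's hidden-name list). */
#define HIDE_PREFIX "kn_"

typedef int (*lister_fn)(const char *dir, char names[][NAME_LEN], int max);

/* Honest view: plain readdir(), skipping "." and "..". Returns entry count or -1. */
static int list_plain(const char *dir, char names[][NAME_LEN], int max) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *e;
    int n = 0;
    while ((e = readdir(d)) != NULL && n < max) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        strncpy(names[n], e->d_name, NAME_LEN - 1);
        names[n][NAME_LEN - 1] = '\0';
        n++;
    }
    closedir(d);
    return n;
}

/* Hooked view: same listing, but entries starting with HIDE_PREFIX are dropped,
 * modelling what a getdents() hook does before results reach user space. */
static int list_hooked(const char *dir, char names[][NAME_LEN], int max) {
    char all[MAX_ENTRIES][NAME_LEN];
    int n = list_plain(dir, all, MAX_ENTRIES);
    if (n < 0) return -1;
    int kept = 0;
    for (int i = 0; i < n && kept < max; i++) {
        if (strncmp(all[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0) continue;
        strcpy(names[kept++], all[i]);
    }
    return kept;
}

/* Cross-view check: stat() each candidate name directly and count those that
 * exist on disk but are missing from the listing. 0 means no discrepancy. */
static int cross_view_check(const char *dir, lister_fn lister,
                            const char *const *candidates, int ncand) {
    char seen[MAX_ENTRIES][NAME_LEN];
    int n = lister(dir, seen, MAX_ENTRIES);
    if (n < 0) return -1;
    int missing = 0;
    for (int i = 0; i < ncand; i++) {
        char path[1024];
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, candidates[i]);
        if (stat(path, &st) != 0) continue;  /* genuinely absent, not hidden */
        int found = 0;
        for (int j = 0; j < n; j++)
            if (strcmp(seen[j], candidates[i]) == 0) { found = 1; break; }
        if (!found) missing++;
    }
    return missing;
}

/* Builds a scratch directory with three constructed files, runs the check
 * through the chosen view, cleans up, and returns the hidden-name count
 * (-1 on setup failure). */
static int demo_hidden_file_count(int use_hook) {
    char tmpl[] = "/tmp/rkdemoXXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return -1;
    const char *const files[] = { "config.txt", "kn_hidden.bin", "notes" };
    const int nfiles = 3;
    for (int i = 0; i < nfiles; i++) {
        char path[1024];
        snprintf(path, sizeof path, "%s/%s", dir, files[i]);
        int fd = open(path, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    int missing = cross_view_check(dir, use_hook ? list_hooked : list_plain, files, nfiles);
    for (int i = 0; i < nfiles; i++) {
        char path[1024];
        snprintf(path, sizeof path, "%s/%s", dir, files[i]);
        unlink(path);
    }
    rmdir(dir);
    return missing;
}

int main(void) {
    printf("plain view:  %d name(s) hidden\n", demo_hidden_file_count(0));
    printf("hooked view: %d name(s) hidden\n", demo_hidden_file_count(1));
    return 0;
}
```

The same idea generalises to processes (compare /proc readdir against probing each PID with kill(pid, 0)) and to modules, but note the caveat the post itself implies: once the hook sits in the kernel, both views may pass through the same hooked code path, so a meaningful cross-view check needs at least one path the rootkit does not intercept, or an offline look at the disk.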

