Re: Positive uses for rootkits

[Ben Ford <bford () ERISKSECURITY COM>]

Dick Visser wrote:

> On Fri, 23 Mar 2001, Jonathan James wrote:
>
> > > 1. Are most rootkits simply shell scripts or real programs?
> >
> > Most rootkits are installed as Operating System Modules:
> > Win95/Win98/WinME:
> > - .VxD files
> > Windows NT/2000
> > - .sys files
> > Linux
> > - LKMs (Linux Kernel Module)
> >
> > With Kernel Modules installed you've generally got 100% control of the
> > current hosting operating system.
> > This means that you can filter output that is sent to the user, hook into
> > the filesystem calls etc..
> > Kernel modules are hard to detect (for the common everyday user) and can be
> > installed so that they are hard to remove.
>
>
> So that's why I think it's better to build a minimal, static kernel
> without modules support. And once your kernel is OK and running, remove
> the .config file from your kernel source tree. If someone does get in and
> tries to make a new kernel (with modules support) he cannot simply grab
> the old configfile and add modules support to it.
> If he can make a kernel, at least he will have to configure it right to
> make it behave the same like the static kernel.
> I say this because it is not the first time I made a kernel and found out
> that it was not bootable because of a tiny misconfiguration :)
> Comments on this strategy are welcome.
>
> --
> Dick Visser

That is a great strategy to follow.  Take it another step tho.  If this
is a server we are talking about, don't even put devel. tools on the
box.  Build your small static kernel elsewhere and copy it to the box.

There *are* wasy around this, but you gotta be good.  If you play with
memory locations directly, there are ways to load a module even on a
static monloitic kernel.  But as I said, you gotta be real good.  Read
that as "no script kiddies"

-b