Kernel w/o loadable mods, for security?

John (EBo) David plug-discuss@lists.PLUG.phoenix.az.us
Sat, 28 Jul 2001 13:56:31 -0700


foodog wrote:
> 
> By homestead I meant "move in and make themselves at home", use the box
> for what they want instead of what I built it for.  It seemed like the
> right word at the time :-)

makes sense...  I was just asking to make sure I was not missing
accepted jargon ;-)

> I haven't found any articles or papers discussing kernel module
> rootkits, but I haven't been looking for very long.  In a nutshell, it's
> a LKM designed to hide information from the sysadmin or authorized
> users.  Since it resides in the kernel it's in an excellent position to
> conceal files, processes, network connections, loaded modules... Here
> are two brief blurbs from packetstorm for adore and knark, 2 such
> rootkits:
> 
> > Adore is a linux LKM based rootkit for Linux v2.[24]. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control  everything. Changes: Added 64bit FS support, now fools protection modules as StMichael, and minor fixes.
> 
> > Knark is a kernel based rootkit for Linux 2.2. Hides files in the filesystem, strings from /proc/net for netstat, processes, and program execution redirects for seamlessly bypassing tripwire / md5sum. Changes: Remote command execution.


hmmm... I've noticed some odd behaviour on my machine for quite a
while.  It could well be valid system behaviour, but I've never been
sure...  Where do you read up on these beasties?

 EBo --
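The thread's subject asks whether a kernel without loadable-module support buys security against the LKM rootkits described above. As an added example (not code from this thread or from the adore/knark authors), the script below shows the two userland checks an admin can make: compare the module list in /proc/modules against a recorded baseline, and read the kernel.modules_disabled sysctl (a one-way switch on kernels that support it; it postdates the 2.2/2.4 kernels discussed here). The sample /proc/modules text and the baseline set are constructed. The caveat the thread itself raises applies: a rootkit that hides its own module entry will not appear in this diff, so the baseline is one signal, not proof of a clean box; on a kernel built without module support, /proc/modules is simply absent.

```python
"""Defender-side checks around loadable kernel modules (added example).

1. Parse /proc/modules and diff the loaded set against a known-good baseline.
2. Read /proc/sys/kernel/modules_disabled, which reads "1" once module
   loading has been switched off for the rest of the boot.

The sample /proc/modules text and the baseline are constructed.
"""

from pathlib import Path
from typing import Dict, Set, Tuple

# Constructed sample of /proc/modules.
# Fields: name size refcount dependencies state load_address
SAMPLE_PROC_MODULES = """\
ext4 737280 1 - Live 0xffffffffc0a00000
jbd2 118784 1 ext4, Live 0xffffffffc09c0000
e1000 159744 0 - Live 0xffffffffc0980000
suspicious_mod 16384 0 - Live 0xffffffffc0f00000
"""

# Constructed baseline: the module set recorded on the clean, freshly built box.
BASELINE_MODULES: Set[str] = {"ext4", "jbd2", "e1000"}


def parse_proc_modules(text: str) -> Dict[str, dict]:
    """Return {name: {size, refcount, deps, state}} parsed from /proc/modules text."""
    modules: Dict[str, dict] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the audit
        name, size, refcount, deps, state = parts[:5]
        modules[name] = {
            "size": int(size),
            "refcount": int(refcount),
            # "-" means no dependents; otherwise a comma list with a trailing comma
            "deps": [d for d in deps.rstrip(",").split(",") if d and d != "-"],
            "state": state,
        }
    return modules


def diff_against_baseline(current: Dict[str, dict],
                          baseline: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (loaded but not in baseline, in baseline but not loaded)."""
    loaded = set(current)
    return loaded - baseline, baseline - loaded


def module_loading_disabled(sysctl_text: str) -> bool:
    """True when kernel.modules_disabled reads "1"."""
    return sysctl_text.strip() == "1"


def audit(proc_modules_text: str, baseline: Set[str],
          modules_disabled_text: str) -> dict:
    """Combine both checks into one report dict."""
    unexpected, missing = diff_against_baseline(
        parse_proc_modules(proc_modules_text), baseline)
    return {
        "unexpected": sorted(unexpected),
        "missing": sorted(missing),
        "modules_disabled": module_loading_disabled(modules_disabled_text),
    }


def read_or_default(path: str, default: str) -> str:
    """Read a /proc file, falling back to a default when it does not exist
    (a kernel built without module support has no /proc/modules at all)."""
    try:
        return Path(path).read_text()
    except OSError:
        return default


if __name__ == "__main__":
    # Live run against the running kernel; constructed data if /proc lacks the files.
    print(audit(
        read_or_default("/proc/modules", SAMPLE_PROC_MODULES),
        BASELINE_MODULES,
        read_or_default("/proc/sys/kernel/modules_disabled", "0"),
    ))
```

Run it once on a freshly built system to record the baseline, then periodically afterwards; an entry in "unexpected" is worth a look, and "modules_disabled" being false on a box that should never load modules after boot is the configuration gap the thread is asking about.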