Author: John (EBo) David Date: Subject: Kernel w/o loadable mods, for security?
foodog wrote: >
> By homestead I meant "move in and make themselves at home", use the box
> for what they want instead of what I built it for. It seemed like the
> right word at the time :-)
makes sense... I was just asking to make sure I was not missing
accepted jargon ;-)
> I haven't found any articles or papers discussing kernel module
> rootkits, but I haven't been looking for very long. In a nutshell, it's
> a LKM designed to hide information from the sysadmin or authorized
> users. Since it resides in the kernel it's in an excellent position to
> conceal files, processes, network connections, loaded modules... Here
> are two brief blurbs from packetstorm for adore and knark, 2 such
> rootkits:
>
> > Adore is a linux LKM based rootkit for Linux v2.[24]. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control everything. Changes: Added 64bit FS support, now fools protection modules as StMichael, and minor fixes.
>
> > Knark is a kernel based rootkit for Linux 2.2. Hides files in the filesystem, strings from /proc/net for netstat, processes, and program execution redirects for seamlessly bypassing tripwire / md5sum. Changes: Remote command execution.
hmmm... I've noticed some odd behaviour on my machine for quite a
while. It could well be valid system behaviour, but I've never been
sure... Where do you read up on these beasties?