Re: Kernel Rootkits

From: Lennart Sorensen
Date: Fri Apr 15 2005 - 13:46:06 EST


On Fri, Apr 15, 2005 at 06:15:37PM +0000, Allison wrote:
> I got the terminology mixed up. I guess what I really want to know is,
> what are the different types of exploits by which rootkits
> (specifically the ones that modify the kernel) can get installed on
> your system (other than buffer overflow and somebody stealing the root
> password).
>
> I know that SucKIT is a rootkit that gets loaded as a kernel module
> and adds new system calls. Some other rootkits change machine
> instructions in several kernel functions.
>
> Once these are loaded into the kernel, is there no way the kernel
> functions can be protected?

Well, you could build a monolithic kernel with module loading turned off
entirely, but that doesn't prevent replacing libc, which most programs
use to make those system calls. You could make the filesystem read-only;
that would prevent writing a module to load into the kernel, and
replacing libc, as long as you make it impossible to remount the
filesystem at all.

Len Sorensen
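An added example, not part of Len's mail or of any kernel tooling: a small POSIX shell audit of the two mitigations he lists. It checks whether the kernel config still has CONFIG_MODULES=y (i.e. is not monolithic) and whether the paths a module or a replacement libc would have to be written to sit on a read-only mount. The kernel config text and the /proc/mounts-style lines are constructed sample input; on a live system you would feed it /boot/config-$(uname -r) and /proc/mounts instead. The helper names (modules_compiled_in, mountpoint_for, mount_is_ro, audit) are this example's own. Note that a module can be insmod'ed from any writable path, so a writable tmpfs such as /tmp counts as a finding even when / is read-only.

```shell
#!/bin/sh
# Constructed sample inputs (not from a real machine): a kernel config and
# a /proc/mounts excerpt. / is read-only, but /usr and /tmp are writable.
SAMPLE_CONFIG='CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_STRICT_DEVMEM=y'

SAMPLE_MOUNTS='/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Exit 0 if the config text enables loadable modules (CONFIG_MODULES=y).
# A monolithic kernel has "# CONFIG_MODULES is not set" or CONFIG_MODULES=n.
modules_compiled_in() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_MODULES=y'
}

# Print the longest mountpoint in the mounts text that is a prefix of PATH.
# Usage: mountpoint_for MOUNTS_TEXT PATH
mountpoint_for() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) > length(best)) best = mp }
        END { print best }'
}

# Exit 0 if MOUNTPOINT is mounted with the "ro" option, 1 if rw, 2 if absent.
# Usage: mount_is_ro MOUNTS_TEXT MOUNTPOINT
mount_is_ro() {
    opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }')
    [ -n "$opts" ] || return 2
    printf '%s\n' "$opts" | tr ',' '\n' | grep -qx 'ro'
}

# Report on module loading and on each path an attacker would need to write
# (module staging directories, the libc the system actually uses).
# Usage: audit CONFIG_TEXT MOUNTS_TEXT PATH...   ; exit 1 if anything is open.
audit() {
    config="$1"; mounts="$2"; shift 2
    rc=0
    if modules_compiled_in "$config"; then
        echo "WARN  CONFIG_MODULES=y: kernel accepts modules; build it monolithic"
        rc=1
    else
        echo "OK    module loading compiled out"
    fi
    for p in "$@"; do
        mp=$(mountpoint_for "$mounts" "$p")
        if [ -z "$mp" ]; then
            echo "WARN  $p: no mount covers it"; rc=1
        elif mount_is_ro "$mounts" "$mp"; then
            echo "OK    $p sits on $mp (ro)"
        else
            echo "WARN  $p sits on $mp (rw): a module or libc can be written here"; rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the constructed sample; /usr/lib and /tmp are flagged.
audit "$SAMPLE_CONFIG" "$SAMPLE_MOUNTS" /lib/modules /usr/lib/libc.so.6 /tmp
```

The audit only tells you whether the doors Len mentions are shut; it says nothing about a kernel that has already been patched in memory, and a read-only mount is only as good as the inability to remount it rw, which this script cannot verify from the mount table alone.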
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/