Re: Re: Kernel Rootkits

From: Petr Baudis
Date: Fri Apr 15 2005 - 13:40:31 EST


Dear diary, on Fri, Apr 15, 2005 at 08:15:37PM CEST, I got a letter
where Allison <fireflyblue@xxxxxxxxx> told me that...
> hi,

Hello,

> I got the terminology mixed up. I guess what I really want to know is,
> what are the different types of exploits by which rootkits
> (specifically the ones that modify the kernel) can get installed on
> your system.(other than buffer overflow and somebody stealing the root
> password)
>
> I know that SucKIT is a rootkit that gets loaded as a kernel module
> and adds new system calls. Some other rootkits change machine
> instructions in several kernel functions.

I think you are still confused. You are mixing two things:

(1) Getting enough access to the machine to load the rootkit

(2) Loading the rootkit smart enough to slip any detectors

The first part basically involves getting root access to the machine.
This is so broad area that it is out of scope of this mail, I guess, but
innumerable types of vulnerabilities exist, ranging from silly bugs in
programs running as root, to in-kernel bugs which let you elevate your
permissions from a regular user to superuser (root).

The second part is very broad too, I think you would be better off by
doing some research on your own - there are plenty of resources on the
net w.r.t. this. (I hope you are asking only in order to defend
yourself! ;-) Basically, rootkits can range from a set of
custom-tailored binaries like ps and ls which will hide the cracker's
files from you, to linux kernel modules which the attacker will load as
a regular kernel module, but which will then usually hide itself and
then again hide the cracker's files from you, only better. These are
already kind of old-fashioned now, though. E.g. the SucKIT rootkit
installs itself to the kernel by bypassing the traditional kernel module
installing mechanism and writing itself directly to the memory,
overriding certain kernel structures and therefore taking control over
it.

> Once these are loaded into the kernel, is there no way the kernel
> functions can be protected ?

once they are in the kernel, they can do anything they want. That's the
point of being in the kernel, after all.

--
Petr "Pasky" Baudis
Stuff: http://pasky.or.cz/
C++: an octopus made by nailing extra legs onto a dog. -- Steve Taylor
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/