I believe hooking functions has become difficult in the 2.6 kernel,
because of the new syscall_table_description restrictions (its
hidden). I've heard of a few dirty methods to get around this and I
believe adore has a 2.6 version of their linux kernel module rootkit,
but I have not messed around with it.
Nathan Sportsman
On Feb 1, 2008 3:56 PM, Brandon Louder <Brandon.Louder@mckennan.org> wrote:
I can't answer your entire question but I can provide a good resource.
http://www.packetstormsecurity.org/UNIX/penetration/rootkits/
Packet Storm has A LOT of known rootkits listed there with descriptions
and links to other sites.
Another tool you might look into is Rootkit Hunter (rkhunter).
Good Luck!
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Ahmed Zaki
Sent: Thursday, January 31, 2008 1:41 PM
To: focus-ids@securityfocus.com
Subject: RootKits Under Linux
Hi all
I am currently doing a project on rootkits under linux os. I am
specially interested in loadable kernel module rootkits. I wanted to
know
where does research stand now in terms of detecting such rootkits. It
would
be very helpful if you would be able to point me to resources where I
gain
information on the diverse variations of these rootkits and current
available methods of detecting them. Also if there are mechanisms that
can
be used to totally avoid detection that would be used by rootkits.
Regards
Zeeq
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------
-----------------------------------------
Confidentiality Notice: This e-mail message, including any
attachments, is for the sole use of the intended recipient(s) and
may contain confidential and privileged information. Any
unauthorized review, use, disclosure, or distribution is
prohibited. If you are not the intended recipient, please contact
the sender by reply e-mail and destroy all copies of the original
message.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
