
A new Adore root kit


Posted Mar 18, 2004 11:53 UTC (Thu) by copsewood (subscriber, #199)
Parent article: A new Adore root kit

Presumably hidden files would show up if the system is booted using a trusted kernel and the file system scanned with a scanner that knows where to look for them and what to look for? I seem to remember having to do this reliably to detect MSDOS infection by certain viruses a few years ago. The problems with this approach are a bit of routine downtime while you run this kind of thing, maintaining separation between the potentially compromised and trusted scanning environments, and keeping malware scanning software up to date. Alternatively, if the evidence is on the disk and the same disk can be simultaneously mounted read-only using another otherwise isolated system, a similar security scan could be done without downtime. This will probably be followed by versions which remove themselves from disk when they load themselves into memory, and resave themselves to disk when the system shuts down.

So I guess other defences might have to involve virtualising the environment and running this within a sandbox continually monitored for known attack signatures.

These precautions all put up the cost of running computing environments which retain similar levels of reasonable trust prior to discovery of this kind of technique.



Clean boot scans, chkrootkit, and RAID Hotswap For FIDS

Posted Mar 19, 2004 1:59 UTC (Fri) by AnswerGuy (guest, #1256)

Of course running chkrootkit and/or AIDE or other checksum scanners from
a clean boot will help find compromised files and *known* rootkits.

However, that impinges on uptime for 24x7 servers. There should be
scheduled downtime and such clean boot scanning should be routine during
those downtime windows.

It's possible, with a hotswap-capable mirror (RAID1), to yank a drive,
insert it into a scan system, force it to come up in degraded mode
as a mountable (non-system) drive and then scan that.

(Put in a spare on the production system and let it re-integrate to
preserve the array and performance).

If it's true hotswap hardware you can do this. If it's soft raid and
you try commands like raidsetfaulty, etc. then you risk the attacker
hooking into that and covering his traces.

I'm surprised I've never seen an article published on this technique,
I've been describing it for years and tested it a couple times. (I'm
not maintaining any production systems in this configuration).

JimD

A new Adore root kit

Posted Mar 21, 2004 1:07 UTC (Sun) by shapr (guest, #9077)

You could put the trusted kernel on a bootable CD image, and set the BIOS to boot from CD-ROM, where the trusted kernel would only start the system on the hard disk after all checks passed.

That would work for chkrootkit at least, and it would beat the "save to disk on shutdown" trick.
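The clean-environment integrity scan that copsewood, AnswerGuy and shapr describe above (a checksum manifest taken from a trusted boot, then verified against the suspect file system mounted read-only on an isolated host or from a boot CD), as an added example that is not code from the thread, from any of the posters, or from chkrootkit or AIDE. It assumes POSIX sh with find, sort, sha256sum, awk and mktemp; the function names (mount_suspect, make_manifest, verify_manifest, demo_check) and the sample file tree are mine, and mount_suspect additionally assumes an ext4 file system and root privileges, so the demo does not call it.

```shell
#!/bin/sh
# Added example, not code from the LWN thread. Builds an AIDE-style
# manifest under a trusted kernel and verifies a suspect tree against it.
# Paths are assumed not to contain whitespace (sha256sum/awk field split).

# mount_suspect DEV MNT: attach the suspect disk (or the pulled RAID1
# member) so nothing on it can execute or be written. Needs root and a
# real block device; the demo below does not call it. Assumes ext4.
mount_suspect() {
    dev=$1; mnt=$2
    # ro,noexec,nodev,nosuid: read-only, and no executable, device or
    # setuid interpretation of the suspect contents. noload (ext3/4)
    # also skips journal replay, which a plain ro mount still performs.
    mount -t ext4 -o ro,noexec,nodev,nosuid,noload "$dev" "$mnt"
}

# make_manifest ROOT OUT: one "sha256  ./path" line per regular file,
# sorted so two manifests can be compared entry by entry.
make_manifest() {
    root=$1; out=$2
    ( cd "$root" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# verify_manifest BASELINE ROOT: rehash ROOT and print ADDED, MODIFIED and
# REMOVED paths relative to BASELINE. Returns 1 if anything differs.
verify_manifest() {
    baseline=$1; root=$2
    current=$(mktemp)
    make_manifest "$root" "$current"
    report=$(awk '
        NR == FNR { base[$2] = $1; next }        # first file: baseline
        {
            if (!($2 in base))       print "ADDED " $2
            else if (base[$2] != $1) print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$baseline" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# demo_check: constructed sample tree standing in for a root file system.
# Prints the report and returns verify_manifest's status.
demo_check() {
    tree=$(mktemp -d)
    mkdir -p "$tree/bin" "$tree/lib" "$tree/etc"
    printf 'ls binary\n'  > "$tree/bin/ls"
    printf 'libc\n'       > "$tree/lib/libc.so"
    printf 'root:x:0:0\n' > "$tree/etc/passwd"
    make_manifest "$tree" "$tree.baseline"     # taken from the clean boot

    # Simulated compromise: trojaned ls, a dot-directory dropped under
    # /lib and a removed file. A kernel rootkit would hide the first two
    # from tools run on the live system; a trusted kernel does not.
    printf 'trojaned ls\n' > "$tree/bin/ls"
    mkdir -p "$tree/lib/.hidden"
    printf 'module\n'      > "$tree/lib/.hidden/module.o"
    rm -f "$tree/etc/passwd"

    status=0
    verify_manifest "$tree.baseline" "$tree" || status=$?
    rm -rf "$tree" "$tree.baseline"
    return "$status"
}

if [ "${1:-}" = demo ]; then demo_check; fi
```

Run as `sh scan.sh demo` to see the three findings; in real use the baseline is generated from the freshly installed system, stored off the host, and compared against a mount made with mount_suspect from the boot CD or scan box. The check only finds what is on the disk: the memory-resident variant copsewood anticipates, which writes itself back only at shutdown, is exactly why shapr's CD boot has to run the verification before the hard disk's own kernel is ever started.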

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds