On Thu, Mar 29, 2001 at 03:23:34PM -0500, Patrick Maheral wrote:
> Why bother even trying to modify the file to have the same checksum.
> All the rootkit must do is keep the original file around, and either
> select the compromised file or original depending on whether it is being
> opened for reading or executing. A kernel module could be loaded
> without rebooting to handle this if module loading is allowed. If a
> program loader (e.g. ld.so and company) wants to open a file, use the
> (hidden) compromised file, otherwise, serve up the original.
Yes, knark does this, and does it very well. It's available from packetstorm, and I've seen it in action "in the wild". It's extremely effective. Fortunately such rootkits are still very uncommon. I'm not sure why that is, as they're no more difficult for the script kiddy than any other rootkit. If used right, they're completely effective against things like tripwire or AIDE. They can do more than just hide files, too.

Note that LIDS is supposed to be able to detect Knark.

It also helps to portscan the machine from a known good system and look for ports that should not be open (especially ports that don't look open on the potentially cracked box).

It's also worth it to reboot from a trusted rescue disk, but don't use the standard rescue disks! They load modules from the system's hard drive, one of which could insert knark.

noah

-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
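The check noah suggests above (port-scan the box from a known-good host and compare against what the suspect host itself reports) is easy to automate. The following is an added example, not code from the thread or from any of the tools named in it; it assumes you have saved `netstat -tuln` output taken on the suspect host and `nmap -oG` grepable output taken from the trusted host, and the two samples embedded here are constructed for illustration. The strong signal is a port that the remote scan sees open but the local netstat does not list: either something is binding it while hiding from the local tools, or the local tools themselves are lying. Bear in mind that a kernel-resident rootkit can also hook the network stack, so a clean comparison proves nothing on its own; the trusted-media reboot is still needed.

```python
import re

# Constructed sample of `netstat -tuln` output as seen ON the suspect host.
# Illustration data only, not captured from a real compromised machine.
LOCAL_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# Constructed sample of `nmap -sS -sU -oG -` (grepable output) run FROM a
# known-good host against the suspect. Also illustration data only; the
# open port 2222 is an assumed example of an unexplained listener.
REMOTE_NMAP = """\
# Nmap scan initiated as: nmap -sS -sU -oG - 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 2222/open/tcp//unknown///, 53/open/udp//domain///\tIgnored State: closed (1996)
# Nmap done
"""

# proto  recv-q  send-q  local-addr:port  foreign-addr  [STATE]
NETSTAT_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+LISTEN)?\s*$")
# nmap -oG port fields look like "22/open/tcp//ssh///"; only plain "open"
# is taken, so "open|filtered" UDP guesses are deliberately ignored.
NMAP_PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")


def parse_netstat_listening(text):
    """Return {(proto, port)} for sockets the host *claims* are listening.
    Loopback-only binds are skipped: a remote scan can never see them, so
    they would only produce noise in the comparison."""
    listening = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, addr, port = m.group(1).rstrip("6"), m.group(2), int(m.group(3))
        if addr.startswith("127.") or addr == "::1":
            continue
        listening.add((proto, port))
    return listening


def parse_nmap_grepable(text):
    """Return {(proto, port)} for every port the external scan saw open."""
    return {(proto, int(port)) for port, proto in NMAP_PORT_RE.findall(text)}


def compare_views(local_text, remote_text):
    """Compare the suspect host's own view with the outside view.

    hidden_locally: open from outside but not listed locally (investigate).
    not_reachable:  listed locally but not seen from outside (usually a
                    firewall or a scan that did not cover the port)."""
    local = parse_netstat_listening(local_text)
    remote = parse_nmap_grepable(remote_text)
    return {
        "hidden_locally": sorted(remote - local),
        "not_reachable": sorted(local - remote),
    }


if __name__ == "__main__":
    result = compare_views(LOCAL_NETSTAT, REMOTE_NMAP)
    for proto, port in result["hidden_locally"]:
        print("SUSPICIOUS: %s/%d open from outside but not in local netstat"
              % (proto, port))
    for proto, port in result["not_reachable"]:
        print("info: %s/%d listed locally but not reachable from scanner"
              % (proto, port))
```

On the constructed samples the script flags tcp/2222 as open from the outside and absent from the local listing, which is exactly the discrepancy to chase. In practice, collect the netstat output with statically linked binaries from trusted media rather than the suspect host's own `/bin/netstat`, since a file-replacing rootkit of the kind discussed in the thread can serve a trojaned binary to the loader while the original still checksums clean.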