On Sat, 12 Jan 2002, Richard wrote:
> > On Fri, Jan 11, 2002 at 10:25:03PM +0100, martin f krafft wrote:
> > >
> > > i doubt that a kernel module can override the linux kernel filesystem
> > > abstraction layer. but i guess it could be possible.
> > >
> >
> > Oh, it certainly can! knark is a perfect example of a kernel module to
> > do just this. (knark is Swedish for "drugged".) It allows files,
> > processes, network connections, and network interface promiscuity to be
> > *completely* hidden. It allows the cracker to override what actual
> > binary file gets run when a user tries to run some other (possibly
> > hidden) executable.
>
> Here kstat might be of interest; it's getting its information directly
> from the kernel structures (reading /dev/kmem, and using a dummy module).
>
Looking at all the nice things one can do with a modern (and surprisingly easy to make) rootkit, I'm really thinking about just avoiding modular kernels at any cost. I once had a redhat box hacked (old lpr exploit [from within the 'trusted' network]). Think it was adore I found (along with some sniffers). I already avoid modules in most places (gateway, webservers, ...). Usually the pros of modules outweigh the cons, but nowadays, with memory that cheap, I don't think it's worth the trouble any longer.

Still, knark is nice work ;-) Solves the whole AIDE problem a hacker has on most systems these days... As the document states, one of the only possibilities for detecting knark is using the utils and trying to get root yourself, or unhiding/hiding files. Adore already had a solution for that: those things mostly work by sending a signal to the process, and adore used an offset, so the 'standard' detection tools couldn't detect it anymore. Without the correct offset, nobody but those who installed the rootkit could use it (easily).

The problem is that, with code like that lying around (don't get me wrong, I think it's *good* that people create things like that - without challenge, there's no need for improvement, and it stimulates creativity), what worries me is that it lowers the threshold. You don't have to know that much about Linux kernel internals to adapt the knark code to use different signals/ports. As soon as people start to do that, most rootkit-detection software fails... And as said in this thread before, one can hide for a very long time in a (standard) Linux system...

Dries
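The process hiding discussed above (a module that filters what the /proc directory listing returns) can be cross-checked from userland without knowing the rootkit's signal or offset. What follows is an added example, not code from this thread and not from knark, adore or kstat: it compares the pids that readdir() on /proc reports against the pids the kernel still admits to via kill(pid, 0) and a direct open() of /proc/<pid>/status, and reports pids that answer but are never listed. It assumes a Linux /proc and a pid_max of 32768 (the PID_MAX constant below); the Tgid filter is there because threads of a multithreaded process have unlisted /proc/<tid> entries and would otherwise show up as false positives.

```c
/* Added example: spot pids the kernel knows about but /proc's directory
 * listing omits. Not code from knark/adore/kstat. Assumes Linux /proc
 * and PID_MAX == 32768 (pid_max on older kernels; adjust if needed). */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PID_MAX 32768

/* Pure comparison step: a pid is suspicious if it answered the probe
 * (probed[pid] != 0) but never appeared in the listing (listed[pid] == 0).
 * Writes suspicious pids to out[] and returns how many were found. */
size_t find_hidden(const unsigned char *listed, const unsigned char *probed,
                   size_t max_pid, int *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t pid = 1; pid <= max_pid && n < out_cap; pid++)
        if (probed[pid] && !listed[pid])
            out[n++] = (int)pid;
    return n;
}

/* Extract the Tgid field from a /proc/<pid>/status buffer.
 * A thread's Tgid differs from its own pid; a process leader's equals it.
 * Returns -1 if the field is absent. */
int parse_tgid(const char *status)
{
    const char *p = strstr(status, "Tgid:");
    if (!p)
        return -1;
    return atoi(p + 5);   /* atoi skips the tab/space after the colon */
}

/* Mark every numeric name that readdir() reports under /proc. This is the
 * view a getdents-hooking module gets to edit. */
static void scan_proc_listing(unsigned char *listed)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    if (!d) { perror("opendir /proc"); exit(1); }
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid <= PID_MAX)
            listed[pid] = 1;
    }
    closedir(d);
}

/* Probe every pid in range. kill(pid, 0) sends no signal: ESRCH means no
 * such task, success or EPERM means the kernel has one. Then open
 * /proc/<pid>/status by path (a lookup, not a listing) to drop threads.
 * If the open fails the pid is still counted: a module hiding the entry
 * from stat/open as well should not get a pass. */
static void probe_pids(unsigned char *probed)
{
    for (int pid = 1; pid <= PID_MAX; pid++) {
        if (kill(pid, 0) == -1 && errno == ESRCH)
            continue;
        char path[64], buf[4096];
        snprintf(path, sizeof path, "/proc/%d/status", pid);
        FILE *f = fopen(path, "r");
        if (f) {
            size_t n = fread(buf, 1, sizeof buf - 1, f);
            buf[n] = '\0';
            fclose(f);
            int tgid = parse_tgid(buf);
            if (tgid != -1 && tgid != pid)
                continue;   /* a thread, not a hidden process */
        }
        probed[pid] = 1;
    }
}

int main(void)
{
    static unsigned char listed[PID_MAX + 1], probed[PID_MAX + 1];
    static int hidden[PID_MAX];
    scan_proc_listing(listed);
    probe_pids(probed);
    size_t n = find_hidden(listed, probed, PID_MAX, hidden, PID_MAX);
    for (size_t i = 0; i < n; i++)
        printf("pid %d answers kill(pid,0) but is missing from the /proc listing\n",
               hidden[i]);
    printf("%zu suspicious pid(s)\n", n);
    return n ? 2 : 0;
}
```

Two caveats a practitioner should keep in mind. A process that exits between the listing and the probe will be flagged once; rerun before acting on a single hit. More importantly, this only catches a module that filters the directory listing but leaves kill() and the path lookup alone: a module that hooks those too, or that edits the task list, lies to both sides of the comparison, which is why kstat goes to /dev/kmem and the kernel structures instead of asking the (possibly hooked) syscalls.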