
#19 Hijacking the Linux Kernel via /dev/mem

Milestone: main
Status: closed
Owner: unSpawn
Labels: Rkhunter (37)
Priority: 5
Updated: 2009-08-27
Created: 2009-04-17
Creator: Michael Fort
Private: No

I would like rkhunter to include a feature that would locate and remove all malware/rootkits that are placed in a hijacked system using this method of hiding the malware.

Here is a link to the online white paper: http://www.dtors.org/papers/malicious-code-injection-via-dev-mem.pdf

I will include the pdf listed above as an attachment.

Discussion

  • unSpawn
    unSpawn
    2009-04-19

    • assigned_to: nobody --> unspawn
  • unSpawn
    unSpawn
    2009-04-19

    Please remember that RKH is a userland, post-incident tool. If a kernel was subverted already, changes could have easily been made in ways a userland application could not detect without prior kernel presence (like an LKM). In terms of auditing for events leading up to a compromise, /dev/mem has specific DAC rights and ownership (0640, 0:0), so the entry point is only available to those who *already* obtained root rights. LKM support in RKH was initiated in 2008 but was paused due to lack of developers. If you are willing to sponsor this, please let us know. If not, I suggest you complement your RKH installation with Samhain.
    Finally, automatic removal of whatever filesystem entities will never be supported by RKH, as it is the sole responsibility of the user.

    Any questions do let us know.

    Regards,
    unSpawn

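As an added illustration of the DAC point in the reply above (example code written for this page, not rkhunter's own check): a userland audit that confirms the /dev/mem node still carries the 0640 root:root baseline the comment describes and reports any loosening. It assumes Linux; the path and the baseline come from the comment, and like any userland check it cannot see a kernel that is already subverted.

```python
import os
import stat

# Baseline stated in the ticket: /dev/mem is mode 0640, owned by uid 0, gid 0.
EXPECTED_MODE = 0o640
EXPECTED_UID = 0
EXPECTED_GID = 0


def check_devmem_perms(mode, uid, gid, expected_mode=EXPECTED_MODE):
    """Return warnings for a (mode, uid, gid) triple describing /dev/mem.

    Only bits that go beyond the baseline are reported, so a stricter
    mode such as 0600 root:root produces no warning.
    """
    warnings = []
    perm = stat.S_IMODE(mode)
    if uid != EXPECTED_UID:
        warnings.append(f"owner uid {uid} is not root (0)")
    if gid != EXPECTED_GID:
        warnings.append(f"group gid {gid} is not root (0)")
    extra = perm & ~expected_mode          # permission bits not in the baseline
    if extra & (stat.S_IWGRP | stat.S_IWOTH):
        warnings.append("group or world writable: non-root could write physical memory")
    if extra & stat.S_IROTH:
        warnings.append("world readable: non-root could read physical memory")
    if extra & ~(stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH):
        warnings.append(f"unexpected bits {extra:04o} beyond {expected_mode:04o}")
    return warnings


def audit_devmem(path="/dev/mem"):
    """Stat `path` and return (exists, warnings). Runs unprivileged on Linux."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, []                    # no node to audit on this kernel
    warnings = check_devmem_perms(st.st_mode, st.st_uid, st.st_gid)
    if not stat.S_ISCHR(st.st_mode):
        warnings.append("not a character device: node may have been replaced")
    return True, warnings


if __name__ == "__main__":
    exists, found = audit_devmem()
    if not exists:
        print("/dev/mem absent")
    elif not found:
        print("/dev/mem matches 0640 root:root baseline")
    else:
        for w in found:
            print("WARNING:", w)
```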
  • unSpawn
    unSpawn
    2009-08-27

    This ticket was basically already closed as "won't fix" per my previous comments. Would need external tool and none available for the task.

  • unSpawn
    unSpawn
    2009-08-27

    • status: open --> closed