#28 New rootkit Jynx undetectable

main
closed-fixed
unSpawn
Rkhunter (37)
5
2012-03-08
2011-10-21
No

Hi,

Please find the newly released rootkit: http://packetstormsecurity.org/files/105893/Jynx-Kit-Pub.tar.gz
http://www.blackhatacademy.org/security101/index.php?title=Jynx

Currently undetectable by rkhunter.

Please create corresponding detection for this malware.

Thank you!

Discussion

  • John Horne
    2011-11-11

    As far as I am aware rkhunter checks both LD_PRELOAD and the ld.so.preload file. It has done this for some time, so the comment on 'blackhatacademy.org' that the rootkit is not detected by rkhunter does not seem true. Although RKH may not explicitly look for the rootkit, it will warn the user that LD_PRELOAD/ld.so.preload are being used.

     
  • Hi jhorne,

    Is it possible for rkhunter to report this as a critical issue instead of only a warning? As you know, warning messages can be overlooked in the rkhunter report.

    Thank you

     
  • John Horne
    2011-12-17

    There is no such thing as a 'critical' issue in RKH. Tests are generally reported as either 'OK' or 'Warning'. All warnings indicate that something is not right or, at least, suspicious. It is for the user to check these using such options as '--rwo' and/or mailing the warnings to the sysadmin.

     
  • unSpawn
    2012-03-08

    Check completed, thanks.

     
  • unSpawn
    2012-03-08

    • milestone: --> main
    • assigned_to: nobody --> unspawn
    • status: open --> closed-fixed
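
The two preload mechanisms named in the discussion, the LD_PRELOAD variable and the ld.so.preload file, can be inspected with a short script. This is an added example, not rkhunter's code and not part of the ticket; the function names and the optional root-directory argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not rkhunter code): warn when either preload mechanism is in use.
# Function names and the optional root-directory argument are assumptions.

# Warn for every library listed in an ld.so.preload file; return 1 if any is listed.
check_preload_file() {
    file=$1
    [ -f "$file" ] || return 0
    # Entries are separated by whitespace or ':'; '#' starts a comment.
    entries=$(sed 's/#.*//' "$file" | tr ' \t:' '\n\n\n' | sed '/^$/d')
    [ -z "$entries" ] && return 0
    printf '%s\n' "$entries" | while IFS= read -r lib; do
        printf 'Warning: %s preloads %s\n' "$file" "$lib"
    done
    return 1
}

# Warn if a NUL-separated environment block (the /proc/<pid>/environ format)
# sets LD_PRELOAD to a non-empty value; return 1 in that case.
check_environ_file() {
    envfile=$1
    val=$(tr '\0' '\n' < "$envfile" | sed -n 's/^LD_PRELOAD=//p' | head -n 1)
    [ -z "$val" ] && return 0
    printf 'Warning: %s sets LD_PRELOAD=%s\n' "$envfile" "$val"
    return 1
}

# Scan the tree under $1 (empty string = the running system).
# Returns 0 when nothing is preloaded, 1 when at least one warning was printed.
scan() {
    root=${1:-}
    status=0
    check_preload_file "$root/etc/ld.so.preload" || status=1
    for e in "$root"/proc/[0-9]*/environ; do
        [ -r "$e" ] || continue          # other users' processes need root
        check_environ_file "$e" || status=1
    done
    return $status
}

# Run as: sh preload-check.sh --scan [ROOT]
case "${1:-}" in --scan) scan "${2:-}" ;; esac
```

As in the thread, a warning here means a preload is in use and needs review, not that a specific rootkit was identified. The root argument allows the same check to be run against a mounted copy of a filesystem.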