#19 Hijacking the Linux Kernel via /dev/mem

Milestone: main
Status: closed
Owner: unSpawn
Labels: Rkhunter (37)
Priority: 5
Updated: 2009-08-27
Created: 2009-04-17
Private: No

I would like rkhunter to include a feature that would locate and remove all malware/rootkits that are placed in a hijacked system using this method of hiding the malware.

Here is a link to the online white paper: http://www.dtors.org/papers/malicious-code-injection-via-dev-mem.pdf

I will include the pdf listed above as an attachment.

Discussion

  • unSpawn

    unSpawn - 2009-04-19
    • assigned_to: nobody --> unspawn
     
  • unSpawn

    unSpawn - 2009-04-19

    Please remember that RKH is a userland, post-incident tool. If a kernel was subverted already, changes could have easily been made in ways a userland application could not detect without prior kernel presence (like an LKM). In terms of auditing for events leading up to a compromise, /dev/mem has specific DAC rights and ownership (0640, 0:0) so the entrypoint is only available to those who *already* obtained root rights. LKM support in RKH was initiated in 2008 but was paused due to lack of developers. If you are willing to sponsor this please let us know. If not, I suggest you complement your RKH installation with Samhain.
    Finally, automatic removal of whatever filesystem entities will never be supported by RKH as it is the sole responsibility of the user.

    Any questions do let us know.

    Regards,
    unSpawn
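The DAC rights cited in the reply above (mode 0640, owner 0:0) are the one thing about /dev/mem a userland tool can verify directly. The POSIX shell function below is an added example, not rkhunter's own code and not part of this ticket; the function name `check_devmem_dac`, its argument order and the `FAIL:`/`OK:` output lines are assumptions. It reports each deviation in mode, uid or gid and returns non-zero if any is found, defaulting to the values stated above.

```shell
#!/bin/sh
# Added example (not rkhunter code): audit the DAC rights of a /dev/mem-style
# entry point. Expected defaults are mode 0640 and owner root:root (0:0),
# the values given in the ticket reply.
#
# Usage: check_devmem_dac [path] [mode] [uid] [gid]
# Prints one "FAIL: ..." line per mismatch and returns 1 if any was found,
# otherwise prints "OK: ..." and returns 0.
check_devmem_dac() {
    path=${1:-/dev/mem}
    want_mode=${2:-640}
    want_uid=${3:-0}
    want_gid=${4:-0}

    if [ ! -e "$path" ]; then
        echo "FAIL: $path does not exist"
        return 1
    fi

    # GNU/BusyBox stat first (Linux); fall back to BSD/macOS stat syntax.
    # Both print the permission bits in octal without a leading zero.
    fields=$(stat -c '%a %u %g' "$path" 2>/dev/null) \
        || fields=$(stat -f '%Lp %u %g' "$path")
    set -- $fields
    mode=$1; uid=$2; gid=$3

    rc=0
    [ "$mode" = "$want_mode" ] \
        || { echo "FAIL: $path mode is $mode, expected $want_mode"; rc=1; }
    [ "$uid" = "$want_uid" ] \
        || { echo "FAIL: $path owner uid is $uid, expected $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] \
        || { echo "FAIL: $path owner gid is $gid, expected $want_gid"; rc=1; }

    if [ "$rc" -eq 0 ]; then
        echo "OK: $path is mode $mode, owner $uid:$gid"
    fi
    return "$rc"
}

# When run as a script with arguments, audit the given path, e.g.:
#   sh check_devmem.sh /dev/mem
if [ $# -gt 0 ]; then
    check_devmem_dac "$@"
fi
```

Run it as `check_devmem_dac /dev/mem` on the box being audited. The caveat from the reply applies unchanged: the function asks the same kernel it is auditing, so once the kernel has been subverted, the stat result, like every other userland view, can no longer be trusted; a passing check only says that the entry point is not reachable without root rights, which is the precondition for the technique in the paper, not evidence that it has not been used.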

     
  • unSpawn

    unSpawn - 2009-08-27

    This ticket was basically already closed as "won't fix" per my previous comments. It would need an external tool, and none is available for the task.

     
  • unSpawn

    unSpawn - 2009-08-27
    • status: open --> closed