
#39 A catalogue of recognised rootkits would be very useful

Status: open
Group: main
Created: 2014-03-03 by Martin Gregorie
Last Updated: 2017-07-22
Owner: nobody

I've recently had rkhunter 1.4.0 give a false positive warning for GasKit against Fedora 20 and, naturally, wanted to know what Gaskit did. I was surprised to find that 'net searches using duckduckgoose and ixquick didn't find anything apart from cries for help with GasKit. Furthermore, the only list of rootkits I could find was only concerned with old Windows rootkits. Hence this suggestion.

As this project owns a comprehensive list of rootkits and their diagnostic features, would it be possible to add a brief summary to each, saying what it does to infected systems, and publish the list on the project website as a reference catalog? I for one would find this very useful if it showed just the rootkit name and what it does.


Discussion

  • unSpawn - 2014-04-18

    I agree it would be useful but I'm sorry to say we don't have the resources to do this. Anyone with more time on their hands should feel free to chip in. After all that's what Open Source Software is about, right? That not only developers support their users but vice versa?..

    • Martin Gregorie - 2014-04-18

      Fair comment. Unfortunately, I'm currently in the middle of a modular
      68xx emulator project and this summer's soaring season is just starting,
      so I can't tackle it any time soon, but I'll bear it in mind.

      Are rkhunter's rootkit details held in any tabular form? IOW, is there
      any possibility of writing something in awk or Perl that could generate
      a rootkit catalogue from the source, possibly with a minor source
      rearrangement to help it along?

      I'm curious because I'm doing something similar on the emulator, where
      an awk script generates message files from a header file that contains
      defines and comments.

      Cheers,
      Martin

      On Fri, 2014-04-18 at 11:08 +0000, unSpawn wrote:

      [Quoted notification email, which repeats unSpawn's comment above and the
      original request: feature-requests:#39, created Mon Mar 03, 2014 01:56 PM
      UTC by Martin Gregorie, Owner: nobody]

  • unSpawn - 2014-04-19

    On Fri, 18 Apr 2014 13:43:22 +0200 "Martin Gregorie"
    freeflight@users.sf.net wrote:

    Are rkhunter's rootkit details held in any tabular form? IOW, is there
    any possibility of writing something in awk or Perl that could generate
    a rootkit catalogue from the source, possibly with a minor source
    rearrangement to help it along?

    I'm pretty sure some awk-fu and Perl could be a start.
    Do let us know when you have something to look at.

    Best regards,
    unSpawn
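    The awk approach raised in the exchange above, as an added example that is not rkhunter's own code and not part of this thread: it assumes (an assumption for the example, not the real script's documented layout) that each rootkit's signature appears as a "# Name" comment line followed by NAME_FILES="..." and NAME_DIRS="..." shell variables with one path per line, and it runs over a constructed sample to emit a name / file-count / dir-count / summary table.

```shell
#!/bin/sh
# Constructed sample in an ASSUMED rkhunter-like layout: a "# Name" comment
# line, then NAME_FILES="..." and NAME_DIRS="..." with one path per line.
# The layout is an assumption for this example, not rkhunter's own format.
SAMPLE_DEFS='
# Gaskit Rootkit
GASKIT_FILES="/dev/dev/gaskit/sshd/sshdd"
GASKIT_DIRS="/dev/dev
/dev/dev/gaskit
/dev/dev/gaskit/sshd"
# Example Kit (constructed, not a real rootkit)
EXAMPLEKIT_FILES="/tmp/.example/ld.so
/usr/lib/.example/lib.so"
EXAMPLEKIT_DIRS=""
'

# catalogue: read definitions on stdin; print one tab-separated row per
# rootkit: name, number of file signatures, number of dir signatures, summary.
catalogue() {
    awk '
        /^# /  { desc = substr($0, 3); next }        # remember the last summary line
        /^[A-Z0-9_]+_(FILES|DIRS)="/ {
            var = $0; sub(/=.*/, "", var)            # e.g. GASKIT_FILES
            name = var; sub(/_(FILES|DIRS)$/, "", name)
            kind = (var ~ /_FILES$/) ? "files" : "dirs"
            if (!(name in seen)) { seen[name] = 1; order[++n] = name; about[name] = desc }
            line = $0; sub(/^[^=]*="/, "", line)     # strip the VAR=" prefix
            open = 1
            while (open) {                           # walk a possibly multi-line value
                if (line ~ /"$/) { sub(/"$/, "", line); open = 0 }
                if (line != "") count[name, kind]++
                if (open && (getline line) <= 0) break
            }
            next
        }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                printf "%s\t%d\t%d\t%s\n", name, count[name, "files"] + 0, count[name, "dirs"] + 0, about[name]
            }
        }'
}

# Wrapper that runs the catalogue over the constructed sample above.
catalogue_sample() { printf '%s\n' "$SAMPLE_DEFS" | catalogue; }

catalogue_sample
```

Point the function at the real script instead of the sample (for example `catalogue < rkhunter`) only after confirming how that version actually lays out its definitions.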


     
  • John Horne - 2017-07-22

    Interesting point about GasKit. Looking through the CVS on sourceforge as far as I can tell it was there before I got started on RKH. The initial version put onto sourceforge contains the code for GasKit, so that is nearly 11 years ago (from today). I admit I too can find pretty much nothing about this rootkit (using Google).