Re: An alternative method to check LKM backdoor/rootkit
daemon@ATHENA.MIT.EDU (Florian Weimer)
Wed Apr 17 21:30:17 2002
To: Paul Starzetz <paul@starzetz.de>
Cc: Wang Jian <lark@marsec.net>, bugtraq@securityfocus.com
From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Date: Thu, 18 Apr 2002 00:04:39 +0200
In-Reply-To: <3CBD7E92.7010600@starzetz.de> (Paul Starzetz's message of "Wed, 17 Apr 2002 15:54:26 +0200")
Message-ID: <87g01ux9qg.fsf@CERT.Uni-Stuttgart.DE>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Paul Starzetz <paul@starzetz.de> writes:
> Be sure that this will be fixed in the next 'generation' of LRKM's.
> Patching the device methods for disk special nodes is not a big deal -
> why not incorporate even your code into one of the nice LRKM's? You
> probably found a weakness of 'current' LRKM's, but in general it is a bad
> idea to check your machine while running a compromised kernel.
I agree. You can never be sure which kernel you are running. An
attacker could have placed a modified kernel on a swap device (which
excludes this very area from being used as swap space), and tweaked
the boot loader to load the modified kernel.
Using this approach, the modified kernel image can be made completely
invisible easily, and it still survives reboot. Such a modification
is very hard to spot even during an offline analysis, and the
checklists I've seen so far do not address this problem at all.
--
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
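Florian's point that a kernel image parked in the swap area survives reboot and is missed by the usual checklists suggests one concrete offline check: scan the raw swap device for kernel header signatures. The scanner below is an added example, not code from this thread or from either author; it assumes a 4 KiB page size and the x86 bzImage boot-protocol layout (boot flag 0xAA55 at offset 0x1FE, "HdrS" at 0x202), and the sample image it builds is constructed for demonstration.

```python
"""Offline scan of a raw swap-device image for a hidden kernel image.

Walks every sector boundary looking for an x86 bzImage setup header or an
ELF header (an uncompressed vmlinux), and confirms the SWAPSPACE2 signature
that mkswap writes at the end of the first page.
"""
import struct
import sys

SECTOR = 512
PAGE = 4096                   # assumed page size of the swap area
SWAP_MAGIC = b"SWAPSPACE2"    # written by mkswap at the end of page 0
BZIMAGE_MAGIC = b"HdrS"       # Linux/x86 boot protocol header signature
BOOT_FLAG = 0xAA55            # legacy boot sector flag
ELF_MAGIC = b"\x7fELF"


def scan_swap_image(data):
    """Return {'swap_signature': bool, 'hits': [(offset, kind), ...]}.

    A legitimate swap area carries the SWAPSPACE2 signature and no kernel
    headers; any hit at a sector boundary is worth examining by hand.
    """
    report = {"swap_signature": data[PAGE - 10:PAGE] == SWAP_MAGIC, "hits": []}
    for off in range(0, len(data), SECTOR):
        # The slice comparison fails on a short tail, so unpack_from stays in bounds.
        if (data[off + 0x202:off + 0x206] == BZIMAGE_MAGIC
                and struct.unpack_from("<H", data, off + 0x1FE)[0] == BOOT_FLAG):
            report["hits"].append((off, "bzImage"))
        elif data[off:off + 4] == ELF_MAGIC:
            report["hits"].append((off, "ELF"))
    return report


def build_sample_image():
    """Constructed input: a 16-page swap area with only the bzImage signature
    bytes planted at page 4 (no kernel code, just the header fields checked)."""
    img = bytearray(16 * PAGE)
    img[PAGE - 10:PAGE] = SWAP_MAGIC
    kernel = 4 * PAGE
    struct.pack_into("<H", img, kernel + 0x1FE, BOOT_FLAG)
    img[kernel + 0x202:kernel + 0x206] = BZIMAGE_MAGIC
    return bytes(img)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_image()
    result = scan_swap_image(blob)
    print("SWAPSPACE2 signature:", result["swap_signature"])
    for off, kind in result["hits"]:
        print(f"possible {kind} header at byte offset {off} (sector {off // SECTOR})")
```

Run it against a swap partition or swap file dumped from the suspect disk while booted from trusted media; it reads the whole image into memory, so dump only the swap area rather than the full disk.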