Re: RPM aware rootkits?

From: Tim Lawless (lawless@wwjh.net)
Date: 02/14/02


From: Tim Lawless <lawless@wwjh.net>
To: Anton Chuvakin <anton@chuvakin.org>
Date: 13 Feb 2002 18:46:47 -0500


On Wed, 2002-02-13 at 17:56, Anton Chuvakin wrote:
> Hello Chris and all,
>
> Thanks for the message.
>
> >What won't work in this situation is attackers that have the md5sums
> >or signatures for various binaries on the machine that you are
> >intending to replace.

> Hmm, that was the point of my question, to some extent. How would an
> attacker (possessing the md5sums for valid packages and md5sums for hacked
> packages) go about updating the rpm database to pass the ? Are there any
> tools (in rootkits or elsewhere) to accomplish it?

The root kits need not modify the RPM database; rather, they either modify
the kernel image in /boot or install a kernel module back door. The latter
method would be the easier mode of attack for Red Hat systems. The kernel
module need then only intercept the open calls and, depending on
certain conditions (such as calling program, user, group, time of day,
file requested), redirect the operation to the original or legitimate
file, while allowing all other operations (such as execve()) to operate
on the original file.

For example, an existing Linux backdoor in the wild operates as
follows:

To insert the backdoor/rootkit, the init binary is replaced with
a trojan utility that loads a kernel module that is linked to the
/sbin/init trojan. After the rootkit is loaded into kernel space, the
rootkit will redirect all subsequent calls to the init binary (or its
inode) to the original init binary (which is hidden from directory
listings in a secret directory).

Once loaded, the kernel rootkit can do anything a userspace rootkit can
do -- just better, and harder to detect.

--
Tim Lawless                                            lawless@wwjh.net
http://www.wwjh.net

> Best regards,
> --
> Anton A. Chuvakin, Ph.D.
> http://www.chuvakin.org
> http://www.info-secure.org
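A defender-side cross-view check for the open()-redirect technique Tim describes, added here as an example and not part of the original thread: a module that redirects open() of /sbin/init to a hidden pristine copy lets an integrity checker hash the legitimate file while execve() runs the trojan, so the inode stat() reports for the path, the inode of the descriptor open() actually returns, and the inode of the image a running process mapped (as listed in /proc/PID/maps) stop agreeing. The SAMPLE_MAPS line and the stand-in file are constructed; feeding real /proc/1/maps output to check() is left to the caller.

```python
import hashlib
import os
import tempfile

def path_view(path):
    """Identity and hash of `path` via stat() on the entry vs. the fd open() hands back."""
    st = os.stat(path)
    fd = os.open(path, os.O_RDONLY)
    try:
        fst = os.fstat(fd)
        digest = hashlib.sha256(os.read(fd, fst.st_size)).hexdigest()
    finally:
        os.close(fd)
    return {"stat_id": (os.major(st.st_dev), os.minor(st.st_dev), st.st_ino),
            "open_id": (os.major(fst.st_dev), os.minor(fst.st_dev), fst.st_ino),
            "sha256": digest}

def mapped_id(maps_text, exe_path):
    """(major, minor, inode) of exe_path's first mapping in a /proc/PID/maps listing."""
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [pathname]
        if len(parts) == 6 and parts[5].strip() == exe_path:
            major, minor = (int(x, 16) for x in parts[3].split(":"))
            return (major, minor, int(parts[4]))
    return None

def check(path, maps_text=None):
    """Return inconsistencies between the views; an empty list means they agree."""
    v = path_view(path)
    problems = []
    if v["stat_id"] != v["open_id"]:
        problems.append("open() returned a different inode than stat() for " + path)
    if maps_text is not None:
        m = mapped_id(maps_text, path)
        if m is not None and m != v["open_id"]:
            problems.append("executed image differs from what open() reads for " + path)
    return problems

# Constructed /proc/PID/maps line, not captured from a real system.
SAMPLE_MAPS = "55d3c0a00000-55d3c0a2a000 r--p 00000000 08:01 1048577   /sbin/init\n"
def demo():
    """check() a constructed stand-in file: clean, then against a maps line whose inode disagrees."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"#!/bin/sh\necho constructed stand-in for /sbin/init\n")
        path = f.name
    try:
        bogus = "00400000-00401000 r-xp 00000000 00:00 999999999   " + path + "\n"
        return {"clean": check(path), "tampered": check(path, bogus)}
    finally:
        os.unlink(path)
```

This only catches a module that hooks open() alone; one that also hooks stat() and filters /proc consistently will keep the views in agreement, which is why comparing against an offline copy of the package digests from trusted media remains the stronger check.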
