Re: Exploit or trojan
From: Felipe Franciosi (ozzybugt_at_terra.com.br)
Date: Thu, 18 Dec 2003 11:56:46 -0200 To: email@example.com
> Such kind of kernel backdoors (e.g. loadable kernel modules) are also
> present for Solaris, *BSD and Windows systems. If you are unsure whether
> someone has compromised your system, don't trust the system's kernel!
Yeah you are right! I was just reading about coding solaris kernel
modules. It is pretty easy, actually. Anyone can find a lot of
documents on google.
A little addition here: Some Linux backdoors (Suckit, for example)
doesn't work as a kernel module. It just opens /dev/kmem and patch
it on the fly. It is still detectable, though, trought some imple-
mentation flaws or checking mechanisms that verify the kernel
syscall table integrity.
-- Felipe Franciosi <firstname.lastname@example.org>