Bugtraq mailing list archives

Re: anti btrom


From: stealth () DIONE IDS PL (Martin Markovitz)
Date: Wed, 8 Sep 1999 19:47:13 +0200


hi,
Sorry for somewhat late reply...

Why is it not convenient to use the sys_call_table?
Using the sys_call_table to hook a system call is the 'right way', but it is
not for a stealth module, because programs like "btrom" can detect that, having
the 'System.map' (a file that every paranoid administrator must have).
The problems are:
1.) If you assume you have a break-in, you can't depend on System.map
    or anything else. Attackers may even install a new kernel, not only modules.
2.) New and unknown techniques may exist that you don't know of, and scanners like
    btrom die on them. Thus you may think that all is OK, but it isn't. :(
3.) => Securelevels such as BSD's make the kernel more trustworthy even if you
    think that someone broke in.

What I have seen in most hacker/backdoor modules is that they do something like

    mp->name="";
    mp->size=0;

but do not really remove the module from the list.
So you could write something like radar.c (once written to bypass EoE), which could
maybe help you:

/*** Used to detect stealth modules. ;-)
 ***/
#define __KERNEL__
#define MODULE
#include <linux/module.h>
#include <linux/kernel.h>   /* printk */
#include <linux/string.h>   /* strstr */

int init_module(void)
{
        /* Start at this module and walk the kernel's linked list of modules. */
        struct module *m = &__this_module;

        while (m) {
                /* A module that blanked its name shows up as a bare "Found " line. */
                printk("Found %s\n", m->name);
#ifdef KILL_EOE
                /* Drop the use count of a module named "eoe" to zero so it can be
                 * removed; loop on the live count, since each call decrements it. */
                if (strstr(m->name, "eoe")) {
                        while (GET_USE_COUNT(m) > 0)
                                __MOD_DEC_USE_COUNT(m);
                }
#endif
                m = m->next;
        }
        return 0;
}

void cleanup_module(void)
{
}

OK, you may see output like 'Found: ' which shows you 'Aha! there is something
that hides itself', because name="". Be happy as long as you can see the
not-so-stealth modules.
So. But this is only a special solution, as _all_ scanners would be a special solution
which would all die on techniques like

        o not hooking syscalls, but stealing ...->files->fd[i]->f_op or
          replacing it.
        o unregistering/registering drivers on the fly ;-)
        o deleting modules from the list, either as described in
          stealth.c or with other techniques
        o etc.

Oh ... when do securelevels appear in Linux ... :-)

Stealth

: ---- main(){fork();main();} ----
: Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
: Stealth <-> http://www.kalug.lug.net/stealth
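
The same check the radar.c module above does in kernel space can also be done from user space against the module list the kernel exports. The program below is an added example, not code from the post or from Stealth: it reads lines in the 2.2-era /proc/modules format ("name size refcount ...") and flags the two hiding tricks the post names, a blanked name (mp->name = "") and a zeroed size (mp->size = 0). The sample lines are constructed here; on a real box you would feed it the contents of /proc/modules.

```c
/* Added example (not from the original post): flag module-list entries that
 * hide with a blanked name or a zeroed size.  Input lines are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Classification of one /proc/modules line. */
enum hidden_kind {
    HIDDEN_UNPARSABLE = -1,  /* line does not have "name size" fields */
    HIDDEN_NO         =  0,  /* looks like an ordinary module */
    HIDDEN_BLANK_NAME =  1,  /* first field missing: name was set to "" */
    HIDDEN_ZERO_SIZE  =  2   /* size field is 0: size was zeroed */
};

/* Constructed sample in Linux 2.2 /proc/modules style: "name size refcount ...". */
static const char *sample_modules[] = {
    "nfs 29616 1 (autoclean)",
    " 0 0",                             /* name blanked and size zeroed */
    "ne2k-pci 4592 1",
    "evil 0 0",                         /* name kept, size zeroed */
    "lockd 31176 1 (autoclean) [nfs]",
};
#define SAMPLE_COUNT (sizeof(sample_modules) / sizeof(sample_modules[0]))

/* Classify a single line.  A blanked name makes the line start with
 * whitespace (or be empty), because the kernel printed "" before the size. */
int classify_module_line(const char *line)
{
    char name[64];
    unsigned long size;

    if (line[0] == '\0' || isspace((unsigned char)line[0]))
        return HIDDEN_BLANK_NAME;
    if (sscanf(line, "%63s %lu", name, &size) != 2)
        return HIDDEN_UNPARSABLE;
    if (size == 0)
        return HIDDEN_ZERO_SIZE;
    return HIDDEN_NO;
}

/* Walk all lines, print what was found, and return how many look hidden. */
int count_hidden_modules(const char **lines, size_t n)
{
    int hidden = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        int kind = classify_module_line(lines[i]);
        const char *why = kind == HIDDEN_BLANK_NAME ? "blank name"
                        : kind == HIDDEN_ZERO_SIZE  ? "zero size"
                        : kind == HIDDEN_UNPARSABLE ? "unparsable"
                        : "ok";
        printf("%-40s %s\n", lines[i], why);
        if (kind != HIDDEN_NO)
            hidden++;
    }
    return hidden;
}

int main(void)
{
    int hidden = count_hidden_modules(sample_modules, SAMPLE_COUNT);
    printf("%d suspicious module entr%s\n", hidden, hidden == 1 ? "y" : "ies");
    return hidden ? 1 : 0;
}
```

Like radar.c this only catches the not-so-stealth modules: an entry that was unlinked from the kernel's module list never reaches /proc/modules at all, which is the point the post makes about every such scanner being a special solution.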

