Bugtraq mailing list archives
re, anti btrom
From: stealth () DIONE IDS PL (Martin Markovitz)
Date: Wed, 8 Sep 1999 19:47:13 +0200
hi, Sorry for the somewhat late reply...

> Why is it not convenient to use the sys_call_table? Using the sys_call_table to hook a system call is the 'right way', but it is not for a stealth module, because programs like "btrom" can detect that, and having the 'System.map' (file that every paranoid administrator must have),

The problems are:

1.) If you assume you have a break-in, you can't depend on System.map or something else. Attackers may even install a new kernel, not only modules.

2.) New and unknown techniques may exist that you don't know about, and scanners like btrom die on that. Thus you may think that all is OK, but it isn't. :(

3.) => Securelevels such as BSD's make the kernel more trustworthy even if you think that someone broke in.

What I have seen in most hacker/backdoor modules is that they do something like mp->name=""; mp->size=0; but do not really remove the module from the list. So you could write something like radar.c (once written to bypass EoE) which could maybe help you:

    /*** Used to detect stealth modules. ;-) ***/
    #define __KERNEL__
    #define MODULE
    #include <linux/module.h>
    #include <linux/kernel.h>   /* printk */
    #include <linux/string.h>   /* strstr */

    int init_module(void)
    {
        /* Start at this module and walk the kernel's linked module list;
         * a module that only blanked its name is still linked in here. */
        struct module *m = &__this_module;

        while (m) {
            printk("Found %s\n", m->name);
    #ifdef KILL_EOE
            /* Optional: drop EoE's use count to zero so it can be unloaded.
             * (A for loop bounded by GET_USE_COUNT stops early because the
             * bound shrinks with every decrement.) */
            if (strstr(m->name, "eoe")) {
                while (GET_USE_COUNT(m) > 0)
                    __MOD_DEC_USE_COUNT(m);
            }
    #endif
            m = m->next;
        }
        return 0;
    }

    void cleanup_module(void)
    {
    }

OK, you maybe see output like 'Found: ' which shows you 'Aha! there is something that hides itself', because name="". Be happy as long as you can see the not-so-stealth modules. So.

But this is only a special solution, as _all_ scanners would be a special solution, which would all die on techniques like

 o not hooking syscalls, but stealing ...->files->fd[i]->f_op or replacing it.
 o unregistering/registering drivers on the fly ;-)
 o deleting modules from the list, either as described in stealth.c or with other techniques
 o etc.

Oh ... when do securelevels appear in Linux ... :-)

Stealth
: ---- main(){fork();main();} ----
: Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
: Stealth <-> http://www.kalug.lug.net/stealth
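Added illustration, not code from the post or from radar.c: a user-space C model of the module-list walk the post describes. The struct, the module names ("radar", "eoe", "ne2k") and the sizes are constructed stand-ins for the three struct module fields radar.c touches. It shows why the name=""/size=0 trick is caught by walking the list even though a lookup by name fails, and why unlinking the node from the list, the case the post says scanners die on, leaves the walk with nothing to flag.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the three fields of the 2.2-era struct module
 * that radar.c touches; not the real kernel structure. */
struct mod {
    const char *name;
    unsigned long size;
    struct mod *next;
};

/* A name-based check, the kind a "grep lsmod for the known name" scanner
 * performs. Returns 1 if an entry with that name is linked in. */
static int find_by_name(const struct mod *head, const char *name)
{
    const struct mod *m;
    for (m = head; m != NULL; m = m->next)
        if (strcmp(m->name, name) == 0)
            return 1;
    return 0;
}

/* radar.c's check: walk every linked entry and count the ones whose name is
 * empty or whose size is zero, the fingerprint of the name=""/size=0 trick. */
static int count_blanked_entries(const struct mod *head)
{
    const struct mod *m;
    int hidden = 0;
    for (m = head; m != NULL; m = m->next)
        if (m->name[0] == '\0' || m->size == 0)
            hidden++;
    return hidden;
}

/* Number of nodes reachable from the head. */
static int count_entries(const struct mod *head)
{
    const struct mod *m;
    int n = 0;
    for (m = head; m != NULL; m = m->next)
        n++;
    return n;
}

/* The hiding style the post says most backdoor modules use: blank the
 * descriptive fields but leave the node linked into the list. */
static void hide_by_blanking(struct mod *m)
{
    m->name = "";
    m->size = 0;
}

/* The stronger style the post warns about: unlink the node entirely. */
static void hide_by_unlinking(struct mod *head, struct mod *target)
{
    struct mod *m;
    for (m = head; m != NULL && m->next != NULL; m = m->next) {
        if (m->next == target) {
            m->next = target->next;
            return;
        }
    }
}

/* Scenario 1: blanking. Returns the number of suspicious entries the list
 * walk reports; *lookup_hit receives the result of a name lookup for "eoe". */
int scenario_blanking(int *lookup_hit)
{
    struct mod ne2k  = { "ne2k",  4096, NULL };
    struct mod eoe   = { "eoe",   8192, &ne2k };   /* the stealth module */
    struct mod radar = { "radar", 1024, &eoe };    /* our scanner, list head */

    hide_by_blanking(&eoe);
    *lookup_hit = find_by_name(&radar, "eoe");     /* 0: the name is gone */
    return count_blanked_entries(&radar);          /* 1: but the node is not */
}

/* Scenario 2: unlinking. Returns the number of suspicious entries the walk
 * reports (none); *entries_left receives how many nodes remain reachable. */
int scenario_unlinking(int *entries_left)
{
    struct mod ne2k  = { "ne2k",  4096, NULL };
    struct mod eoe   = { "eoe",   8192, &ne2k };
    struct mod radar = { "radar", 1024, &eoe };

    hide_by_unlinking(&radar, &eoe);
    *entries_left = count_entries(&radar);         /* 2: radar and ne2k only */
    return count_blanked_entries(&radar);          /* 0: nothing looks odd */
}

int main(void)
{
    int hit, left, flagged;
    flagged = scenario_blanking(&hit);
    printf("blanking:  walk flags %d entry(s), name lookup hit=%d\n", flagged, hit);
    flagged = scenario_unlinking(&left);
    printf("unlinking: walk flags %d entry(s), %d entries still reachable\n", flagged, left);
    return 0;
}
```

The two scenarios are the post's argument in miniature: a walk of the list is strictly better than a lookup by name, but it is still a special solution, since a module that unlinks itself is invisible to both and only a trust anchor outside the running kernel (securelevels, a known-good kernel) changes that.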