Bugtraq mailing list archives

Re: Mantrap By Recourse Technologies - Fate Advisory (11-01-00)


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Sat, 4 Nov 2000 01:30:27 -0800

This can also possibly be used to detect LKM trojans and the like.
It might give a false alarm though, as some kernel patches
designed to hide other users' processes might give the same result.
But together with the other tell-tale signs of ManTrap it gives a
very good fingerprint.

It doesn't seem to work against TESO's Adore LKM, while Stephane
Aubert's "rkscan" (published on the INCIDENTS list on 25 Oct 2000)
currently does:

   $ id
   uid=500(notroot) gid=500(notroot) groups=500(notroot),236(office)
   $ ./mantrap -a
   ManTrap detection/testing program by wilson () f8labs org - www.f8labs.org
   proc-vs-kill() test:
     Normal: No mismatches found.
   dotdot test:
     Normal: /proc/.. found in directory listing.
   cwdwalk test:
     Normal: getwd() succeeded after chdir to /proc/self/cwd.
   Finished.
   $ ./rkscan
   -=-      Rootkit Scanner      -=-
   -=- by Stephane.Aubert () hsc fr -=-

     Scanning for ADORE version 0.14, 0.24 and 2.0b ...
     #ADORE rootkit is running with ELITE_CMD=31337 !

     Scanning for KNARK version 0.59 ...
     KNARK rootkit NOT DETECTED on this system.

   Done.

I haven't tried it yet against knark or other Linux LKMs... (nor do I
have mantrap to test rkscan against it.)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
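The proc-vs-kill test from the mantrap output above, reimplemented as an added example (this is not the f8labs mantrap code nor rkscan): every pid is probed with kill(pid, 0) and compared against what readdir("/proc") lists, the idea being that an LKM which filters the /proc directory listing usually leaves the kernel's signal path untouched. It assumes Linux with /proc mounted and reads /proc/sys/kernel/pid_max; the Tgid filter and the second listing are my additions, because on modern kernels thread ids answer kill() without appearing in /proc, and a process that starts or exits mid-scan would otherwise be reported.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int read_pid_max(void) {   /* /proc/sys/kernel/pid_max, else the classic 32768 */
    int v = 0; FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%d", &v) != 1) v = 0; fclose(f); }
    return (v < 2 || v > 4194304) ? 32768 : v;
}
/* Set seen[pid] for each numeric name readdir() shows under /proc; -1 if unreadable. */
static int list_proc_pids(unsigned char *seen, int max_pid) {
    DIR *d = opendir("/proc"); int n = 0;
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        char *end; long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid < max_pid) { seen[pid] = 1; n++; }
    }
    closedir(d);
    return n;
}
/* kill(pid, 0) delivers nothing: 0 or EPERM means the pid exists, ESRCH that it does not. */
static int pid_alive(int pid) { return kill(pid, 0) == 0 || errno == EPERM; }
/* A thread id answers kill() but readdir("/proc") omits it by design: check its Tgid. */
static int is_thread_of_visible(int pid, const unsigned char *seen, int max_pid) {
    char path[64], line[64]; int tgid = 0;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f) && sscanf(line, "Tgid: %d", &tgid) != 1) {}
    fclose(f);
    return tgid > 0 && tgid < max_pid && tgid != pid && seen[tgid];
}
/* proc-vs-kill: report every alive pid absent from the /proc listing. Candidates are
 * re-checked against a fresh listing so a process that merely started or exited
 * mid-scan is not reported. Returns the mismatch count, or -1 on error. */
static int proc_vs_kill(int max_pid) {
    unsigned char *seen = calloc((size_t)max_pid, 1);
    int count = seen && list_proc_pids(seen, max_pid) >= 0 ? 0 : -1;
    for (int pid = 1; count >= 0 && pid < max_pid; pid++) {
        if (seen[pid] || !pid_alive(pid) || is_thread_of_visible(pid, seen, max_pid)) continue;
        memset(seen, 0, (size_t)max_pid);
        if (list_proc_pids(seen, max_pid) < 0) { count = -1; break; }
        if (seen[pid] || !pid_alive(pid) || is_thread_of_visible(pid, seen, max_pid)) continue;
        printf("  Mismatch: pid %d answers kill() but is not in /proc\n", pid); count++;
    }
    free(seen); return count;
}
```

As the post says, a kernel that hides other users' processes from /proc (hidepid-style restrictions) produces the same mismatch without any rootkit, so a non-zero count is a lead to investigate, not proof on its own.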