Bugtraq mailing list archives

RE: An alternative method to check LKM backdoor/rootkit


From: "Philippe Bourgeois" <Philippe.Bourgeois () cert-ist com>
Date: Wed, 17 Apr 2002 10:40:25 +0200

Wang Jian wrote:

Our alternative method uses the first style: to find the differences
between the fake view and the real view.

[...]

We read the raw disk and traverse the filesystem on disk, bypassing the
live filesystem, and create a real view of files on disk; then we traverse
the live filesystem to get the fake view. Comparing the two views, we can
find the differences. We will find the stealth files.


For your information, I wrote the same kind of tool some time ago.

It works fine for my needs, and found all the LKMs I tested, as long as
files are hidden (I mean, if the LKM doesn't hide any file, "ancheck"
doesn't find it). I definitely think that the "Find the differences
between the two views" approach is a very good approach to detect LKMs.

I called my tool "ancheck" (alternate ncheck) because it works
more or less like the UNIX "ncheck" command (ncheck exists on most
UNIX systems, but not on Linux):
http://www.cert-ist.com/francais/outils/ancheck03.tar.Z
http://www.cert-ist.com/francais/outils/ancheck03.tar.Z.sig

Ancheck is a set of 2 UNIX commands ("ls_hidden" and "ancheck") designed
to locate hidden or deleted files. It works on UFS (Solaris) and EXT2
(Linux) file systems. You need TCT (the Coroner's Toolkit) to compile the
package. TCT can be downloaded from:
  http://www.porcupine.org/tct
  http://www.fish.com/tct/

Philippe Bourgeois
Cert-IST
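The two-view comparison described in the quoted message and implemented by ancheck, as an added illustration (this is not ancheck's, TCT's or Wang Jian's code). It assumes the raw-disk traversal tool exports its "real view" as an "inode<TAB>path" listing (an assumed format), walks the mounted filesystem for the "fake view", and separates entries that are genuinely absent from the live view from the benign noise a race between the two scans produces.

```python
import os

# Constructed sample listings (not real tool output).  "inode<TAB>path", one entry
# per line, is an assumed export format shared by the raw-disk tool and the live walk.
DISK_VIEW = "12\t/etc/passwd\n13\t/etc/shadow\n4711\t/dev/.hidden/module.o\n4712\t/tmp/.x\n"
LIVE_VIEW = "12\t/etc/passwd\n13\t/etc/shadow\n4712\t/tmp/.x\n5001\t/tmp/new_since_scan\n"

def parse_listing(text):
    """Parse 'inode<TAB>path' lines into a {path: inode} dict, skipping blanks/comments."""
    view = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        inode, path = line.split("\t", 1)
        view[path] = int(inode)
    return view

def live_view(root):
    """The 'fake' view: walk the mounted filesystem, whose readdir results a file-hiding LKM can filter."""
    view = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                view[p] = os.lstat(p).st_ino
            except OSError:      # entry vanished between readdir and lstat
                pass
    return view

def compare_views(disk, live):
    """Return (hidden, only_live, replaced).
    hidden    : on disk but absent from the live view       -> candidate hidden files
    only_live : seen live only (created after the raw scan)  -> scan race, not evidence
    replaced  : same path, different inode (rewritten between scans) -> re-scan before judging
    """
    hidden = sorted(p for p in disk if p not in live)
    only_live = sorted(p for p in live if p not in disk)
    replaced = sorted(p for p in disk if p in live and disk[p] != live[p])
    return hidden, only_live, replaced

if __name__ == "__main__":
    h, o, r = compare_views(parse_listing(DISK_VIEW), parse_listing(LIVE_VIEW))
    print("hidden:", h, "only_live:", o, "replaced:", r)
```

As the message notes, this only catches an LKM that actually hides files; an on-disk listing taken from a mounted, changing filesystem should be repeated before any "hidden" entry is treated as a finding.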
