Honeypots mailing list archives

Re: Kernel-level Rootkits


From: Dominik Lupinski <yhpx () alpha net pl>
Date: Mon, 9 Dec 2002 18:38:11 +0100

On Sun, Dec 08, 2002 at 06:33:47PM -0800, Edward Ray wrote:

Hello everyone.
  
  Hello,

A question concerning Kernel-level rootkits.

Has anyone used a kernel-level rootkit (i.e. Knark, Adore, KIS) in a
honeypot implementation?

It would appear to have a few advantages, but only in the hands of someone
who knew how to use it correctly.

  Yes, IMHO such a solution with kernel modules could give you low-level control
  on a honeypot with abilities to log whatever you want apart from user-land
  utilities and also hide certain tools, firewall rules, connections, etc.
  
If anybody has experimented with kernel-level rootkits, I would be
interested in your results, as I am considering using a rootkit (after I
learn how it works of course) in a honeypot of my own.

  Actually, I have been working on it for a few weeks. My implementation is
  heading into FreeBSD systems. I think I'll end up with a first usable version
  in two months or so. If you're interested in having your honeypot on
  FreeBSD, I'd be glad to let you test it. :)


Regards,
-- 
0A 0D 0A 2D 2D 20 0D 0A 44 6F 6D 69 6E 69 6B 20  ...-- ..Dominik 
4C 75 70 69 6E 73 6B 69 20 2F 2F 20 79 68 70 78  Lupinski // yhpx
40 61 6C 70 68 61 2E 6E 65 74 2E 70 6C 0D 0A 2E  @alpha.net.pl...

