Date: Sat, 8 Sep 2001 16:48:00 +0200 From: Alexander Langer <alex@big.endian.de> To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl> Cc: D J Hawkey Jr <hawkeyd@visi.com>, deepak@ai.net, freebsd-security@FreeBSD.ORG Subject: Re: Kernel-loadable Root Kits Message-ID: <20010908164800.A54141@fump.kawo2.rwth-aachen.de> In-Reply-To: <Pine.BSF.4.21.0109081554260.765-100000@lhotse.zaraska.dhs.org>; from kzaraska@student.uci.agh.edu.pl on Sat, Sep 08, 2001 at 04:24:23PM %2B0200 References: <200109081052.f88AqRG30016@sheol.localdomain> <Pine.BSF.4.21.0109081554260.765-100000@lhotse.zaraska.dhs.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Thus spake Krzysztof Zaraska (kzaraska@student.uci.agh.edu.pl): > # kldload trojan.ko && rm /modules/trojan.ko No need to rm it. You can manipulate the ufs vnode layer to hide this file. See http://www.r4k.net/mod/ > So the only alert you may get from tripwire is that ctime of /modules is > changed. see above. > I thing the original question was: how to find a trojaned module in > memory if there's no relevant binary on disk? Write a module that checksums the relevant parts of kernel, the linker_file list and similar in-kernel stuff (e.g. accesses to all functions that are needed to load the trojan module). Be sure to hide this module as well. If an attacker isn't aware of such a module, he won't try to circumvent it. If he's aware, it's still hard to find and circumvent it, before his trojan module got loaded. It's even harder if he doesn't know what internal functions and data structures your module uses, so be sure to write your own :) > We may also consider adding a feature to kldload to load only modules > from under /modules but I'm afraid this may be circumvented by attacker > fetching her own kldload. You can still use /dev/mem. Oh, and if you are able to load a module in securelevel >= 1 mode, you are probably also able to tell kldload to load from other pathes :) Alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010908164800.A54141>