Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Lately Immunity Inc. published a new rootkit, called DR rootkit, available from their homepage along with sources.
The only other rootkit of this kind is mood-nt rootkit, developed 2-3 years ago by darkangel, a member of the antifork group (like the guy that made kern_check etc). It's available from darkangels website and it's in packetstorm too.
These rootkits use the Debug Registers of the processor to hook onto system calls and play with the system.
I must say I have not found anywhere a "mood-nt analysis" or a "DR rootkit analysis" document, but have not dived into their code either (it's not the simpliest thing in the world..).
Does anyone have any idea how to detect those rootkits if they are installed on the system? Obviously the tradiotional checks do not work...
It seems like you can trust the OS less and less as time goes on. That might mean the best solution is to rely on a different OS. For example, boot to a Live CD and use the find command to look for hidden, out of place, or otherwise suspicious files/directories. You could also monitor network traffic. The NSM Wiki has more information on Network Security Monitoring. If you can't trust the OS, I don't think you should rely on it to report accurate results from commands. These ways don't focus on detecting X type of rootkit, they should work with all rootkits.
those things really do not work with these rootkits..
With all due respect but if you haven't searched for analysis docs or looked at the code, how can you know for sure what works and what not?
Originally Posted by trv
I'm looking for specific details or analysis on debug register rootkits
A few minutes worth of searching showed me a nice discussion on DailyDave, an interesting remark by Brad S. elsewhere, some primary-coloured pills, some recent papers on debug registers and suggestions about SMM and hardware. But just being curious, what would you do with that information? Do you have anything to share yourself on the subject by any chance?
And even though DR kits might be hard to detect right now it isn't something automagical. And one still must find a system, and a route into that system and transition out of userland...
Hello unSpawn. I expected that this thread may draw your attention
Don't get me wrong here. I'm doing a paper for a project in my university about rootkit technology, and after i've covered everything else, I decided to write some info about this special breed of rootkits, that work with the debug registers. Don't think anything too special or some extraodrintary research, it's mostly bibliographical.
I'm following dailydave and i've read some of the generic papers on the subject around debug registers. But that's not what i'm looking for.
Using chkrootkit I was not able to detect those rootkits, haven't tested rkhunter yet. You maintain it dont you? So you may be one of the best person to ask..
How can one detect dr rootkits? Of course you can also hook the registers and then the rootkit hook'em back etc. But is there any other way? From what I understand, there are no published methods or papers about "detecting debug register rootkits" (like there are for almost every other kind of rootkit)
Again, dont get me wrong, I'm looking into these things for completeness in my paper.
For examle i'm going to write "adore-ng and other vfs rootkits can be detected by examining 'this' thing, and there is 'this' program that does it, and there is 'this' paper covering it in detail. Then there are rootkits involing redirection of the whole syscall table, others involing rewriting addrress of the table etc, that can be detect with kern_check and other means etc.
But in the case of dr rootkits, I think there are not many things to write for..
is there any other way? From what I understand, there are no published methods or papers about "detecting debug register rootkits"
I'd appreciate you posting the URI's for the papers you've got on the subject. 3 methods come to mind right now, each with their own esoteric requirements: dedicated PCI cards, Intel SMM and VMM's. As far as I know no readymade tools are available as of now. That's the answer you're looking for, right? Other than that I emphasise it's still a three stage rocket so without known good tools right now that still leaves auditing the entry phase and gathering evidence from the post-mortem phase.
You are correct about everything in your last post, and that's the purpose of my original question.
If there exist any papers/tools, that dont have to do with pci cards/virtual machines etc.
Tools like saint jude or something maybe, kernel modules monitoring constantly the state of the system to see somehow if the debug registers are accesses from uncommon processes or for strange purposes.
Maybe monitoring all the do_debug function calls somehow.. i don't know.
That's what i was talking about when I asked if something in this area exists, some research maybe.
Maybe rkhunter could have a module available too, for just the 'extreme' cases when someone wants to be protected for threats like that too. But of course, i don't know if it's even possible detecting using a lkm, so that you dont have to go 'deeper' under the os to monitor the debug registers.