Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hello all,
I am a mid level linux user and currently working on a Masters of Information Assurance. One of my classes is on malicious software; part of the class work is to create a presentation on a piece of mal software, and I wanted to do mine on a linux lkm rootkit.
I've been scouring the web for leads on recent rootkits for linux, but haven't had much luck. (One of the restrictions on the selection software is that is has to have been created within the last 5 years).
The only one I have found so far is a reference to phalanx2, but I am not sure there is a lot of technical information on it yet.
If anyone has any resources that they wouldn't mind sharing with me on specific rootkits, I would really appreciate it!
Thanks in advance,
Alex
I doubt you're going to get much help in finding rootkits from anyone here....
If you're working on a "Masters of Information Assurance" (?), there would probably be something in that course, telling folks to always know the sources of information, and who's asking for it. You may be working on such a certificate...but how do WE know that?
Hi TB0ne,
Well, you can choose to help or you can choose not to. I'm not demanding an answer from anyone here. I just thought this would be a valuable resource in doing research. I can always choose to do the presentation on a windows rootkit like everyone else, but I'd rather learn more about linux.
By the way, I'm not looking for getting rootkits, that's easy to do - just leave an unpatched system online for a few hours (or d/l from various sites). I'm just looking for resources for rootkits which were developed in the last 5 years.
Do you want a note from my professor or something?
I'm just looking for resources for rootkits which were developed in the last 5 years.
The names aren't the problem but unfortunately LQ isn't the resource to provide help with or a list of malware or LRK names (please see the LQ Rules). Here's a workaround though: find Open Source Software products that detect rootkits and malware and search the sources for names. Check that list of names against your favourite search engines. And there you'll have your timeline. That's the kind of one-dimensional "research" any novice can do.
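The open-source rootkit scanners mentioned above do more than carry lists of names; one check they run against LKM rootkits is a cross-view comparison of the kernel's module list with sysfs. A module that has unlinked itself from the module list vanishes from /proc/modules and lsmod, but its /sys/module/<name>/ directory may still be there. The script below is an added example written for this thread, not code from the thread or from any particular scanner; the module names in the sample data (including "sample_hidden_lkm") are constructed for the demonstration.

```python
"""Cross-view check for hidden loadable kernel modules (LKMs).

Compares the modules the kernel lists in /proc/modules with the modules
sysfs reports as loaded under /sys/module. A name present in sysfs but
absent from /proc/modules is a candidate hidden module. Added example,
not from the thread or from any scanner's source; sample data below is
constructed.
"""
import tempfile
from pathlib import Path


def parse_proc_modules(text: str) -> set[str]:
    """Return module names from /proc/modules-style text (first field per line)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            names.add(line.split()[0])
    return names


def sysfs_loaded_modules(sys_module_dir: str) -> set[str]:
    """Return names of modules that sysfs reports as loaded.

    Only directories carrying an `initstate` file count: built-in modules
    also get a /sys/module/<name>/ directory (for their parameters) but no
    initstate, so they must not be reported as "hidden".
    """
    base = Path(sys_module_dir)
    if not base.is_dir():
        return set()
    return {p.name for p in base.iterdir() if (p / "initstate").is_file()}


def find_hidden_modules(proc_names: set[str], sysfs_names: set[str]) -> set[str]:
    """Modules visible to sysfs but missing from /proc/modules."""
    return sysfs_names - proc_names


def check_live_system() -> set[str]:
    """Run the comparison against the running kernel (Linux only; empty elsewhere)."""
    try:
        proc_text = Path("/proc/modules").read_text()
    except OSError:
        return set()
    return find_hidden_modules(parse_proc_modules(proc_text),
                               sysfs_loaded_modules("/sys/module"))


# Constructed /proc/modules content: "sample_hidden_lkm" (made-up name)
# has been unlinked from the list and therefore does not appear here.
SAMPLE_PROC_MODULES = """\
ext4 700000 1 - Live 0x0000000000000000
crc16 16384 1 ext4, Live 0x0000000000000000
"""


def build_sample_sysfs(root: str) -> str:
    """Create a constructed /sys/module-like tree under `root` for the demo."""
    for name, loaded in (("ext4", True), ("crc16", True),
                         ("sample_hidden_lkm", True), ("builtin_only", False)):
        d = Path(root) / "module" / name
        d.mkdir(parents=True, exist_ok=True)
        if loaded:
            (d / "initstate").write_text("live\n")
    return str(Path(root) / "module")


def demo() -> set[str]:
    """Run the check on the constructed sample; returns the hidden names."""
    with tempfile.TemporaryDirectory() as tmp:
        sys_dir = build_sample_sysfs(tmp)
        return find_hidden_modules(parse_proc_modules(SAMPLE_PROC_MODULES),
                                   sysfs_loaded_modules(sys_dir))


if __name__ == "__main__":
    print("hidden in constructed sample:", demo())  # {'sample_hidden_lkm'}
    print("hidden on this host:", check_live_system())
```

The sysfs view is only one vantage point: a rootkit that also removes its kobject leaves nothing under /sys/module, so scanners combine this with other cross-checks (syscall table integrity, kallsyms, memory scans) rather than trusting a single one.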
Thanks unSpawn,
I did not read the rules, and apologize for that.
I did what you suggested last night (and I have memorized many of the names as a result).
After spending about 2 days looking for starting points, I think it may be too difficult to do research on recent rootkits for linux in the limited time I have, so I am going to change my research topic to BIOS rootkits.
Thanks again for your help and time looking and responding. I really appreciate it.
In that case here's a recent exploit that was discovered: http://www.linuxquestions.org/questi...xploit-712903/
It is not malicious; it's just a proof of concept ... it's not actually a rootkit. Either way you probably won't find info on any actual BIOS rootkits here.
After spending about 2 days looking for starting points, I think it may be too difficult to do research on recent rootkits for linux in the limited time I have
That's a shame because there's been at least ten released (or modified) in the past five years. Can you describe what exactly it is you're looking for?
The requirements for the presentation are to be able to provide the full gamut of the malicious code - how it spreads, means of detection, alternate names, what it does and how it does it, etc.
I looked at SuckIT, FU rootkit, kenga3, etc. but they all seem to be old. On top of that most of the antivirus sites have little in terms of information on linux rootkits - it seems that everything starts with WIN/
I don't have to do the presentation on a rootkit, it can be any malware out there created in the last 5 years. I only chose rootkit because I think it's fascinating (and I do digital forensics as a profession so I enjoy finding artifacts when examining systems).
Exactly, I am looking for an LKM rootkit created (perhaps updated) within the last 5 years. I would love links that discuss the rootkit, but that's part of the research I am and will be doing.
Thanks again for the help and your time.
Incidentally, I was reminded by the prof that I have to submit 3 possible topics. So far I am planning to submit "Blue Pill".
By the way H_TeXMeX_H,
Thank you so much for those links!! VERY interesting; I'm going to read through that tomorrow and see if I can submit that.
how it spreads, means of detection, alternate names, what it does and how it does it, etc.
Pardon me but in post #4 I have already provided you with a perfectly reasonable approach. Perhaps you read over it or failed to understand the value of using past research as basis. If you would follow that lead you would find the research has already been done. Three times over. Collating information you would find that Phalanx is post-2004 and you should then easily find a report on a mailing list by Kazantsev of duke.edu, one web page by Heintz detailing a breakin plus the link to the actual tarball.
Quote:
Originally Posted by TranceKat
most of the antivirus sites have little in terms of information on linux rootkits
Commercial AV companies in general are not interested in GNU/Linux. Apart from architectural differences with products from say the Pitiful Operating System (abbrev.: POS) they would see no ROI. It's simply a market thing.
Quote:
Originally Posted by TranceKat
Exactly, I am looking for an LKM rootkit created (perhaps updated) within the last 5 years. I would love links that discuss the rootkit, but that's part of the research I am and will be doing.
A problem you might have doing research is your scope. While it is customary for amateurs to use whatever resource they are familiar with regardless of effectivity, finding a kitted system is a major breach of security. Those incidents are often reported to sites like the various CERT's and handled by sites like isc.sans.org and talked about on mailing lists on sites like SecurityFocus or seclists.org (Bugtraq, Full Disclosure, Incidents, pentest, you name it). Granted, it takes time you might not have or are willing to invest, but even one with way low Google-fu will find post-2004 rootkit leads in say seclists.org.
If that doesn't do it for you then you're invited to contact me by email. Note though I'm not promising anything. But if you are able to give me the official presentation details and a detailed account of what you've done so far I might be willing to provide more pointers.