Hi,
I should give a small talk in a VM course about virtual machine introspection.
I would like to give a simple demonstration as well, by finding a simple rootkit with vdi which hides from ps/top/netstat within the infected machine.
So, here comes my problem: I seem to be unable to infect my debian test machine due to all available rootkits being for lower kernel versions and downgrading the kernel is somewhat of a dependency nightmare.

Are there any simple rootkits that hide from ps/top/netstat without being too focused on a certain kernel version? The rootkit does not have to be undetectable by normal security meassures. It should just not show up on ps/top/netstat. (And obviously I have root access on the infected machine.)
I tried KBeast which seems to be suitable for 2.6.32, but it fails to build probably due to 2.6.32-5 kernel headers.

Note that it is no problem if the rootkit only works for a specific distribution, since reinstalling the infected machine is quicker than to sort through source code.

You'll be disappointed to know that regardless of the reason we do not consider this an appropriate topic for LQ.
Thread closed.