> But the article referenced earlier is the first instance I've heard
> of launching a hypervisor type program while the original host
> system was running.  It certainly sounded suspiciously advanced to me.

While not strictly the same thing, loadable module kernel-level
rootkits have been available for some time now.  In fact, the SUCKit
rootkit (published as a proof of concept in Phrack magazine several
years ago now) can infect a kernel that doesn't have loadable module
support, simply by going through /dev/kmem.

These rootkits allow an attacker with root privilege to replace
standard system call interfaces in the kernel with subverted calls
that hide the attacker's files, processes, etc. -- without rebooting.
Done properly, this technique should be able to completely mask an
attacker's activity on the system (though all of the kernel level
rootkits I've seen so far have small flaws that make them detectable).

So in this instance you're munging the kernel of the actual host
operating system in order to get it to lie to the users and processes
running on the system.  In the worst case scenario, forensic analysis
can only be done after booting off of a "known good" kernel (install
media, Knoppix CD, etc).

-- 
Hal Pomeranz, Founder/CEO      Deer Run Associates      [EMAIL PROTECTED]
    Network Connectivity and Security, Systems Management, Training
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
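As an added illustration of the "small flaws" point above (this is example code, not from the post or its author): a cross-view check that compares the processes /proc lists against those the kernel admits to when probed with kill(pid, 0). A rootkit that only hooks the directory-listing path hides a process from the first view but not from the second. It assumes a Linux host where /proc is mounted normally and /proc/sys/kernel/pid_max is readable.

```python
"""Cross-view hidden-process check (constructed example, not from the list post).

A kernel rootkit that hooks getdents()/readdir to hide a process from /proc
usually leaves other kernel paths untouched, so kill(pid, 0) still reports the
process as existing. Comparing the two views exposes the discrepancy.
"""
import os


def pids_from_proc(proc="/proc"):
    """Process and thread IDs as enumerated through the /proc listing.

    Thread IDs from /proc/<pid>/task are included because kill(tid, 0) also
    succeeds for non-leader threads, which would otherwise be false positives.
    """
    ids = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(os.path.join(proc, name, "task")))
        except OSError:
            pass  # process exited between the two listings
    return ids


def pids_from_kill(max_pid):
    """IDs the kernel admits exist when probed with signal 0 (no signal sent)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # no such process
        except PermissionError:
            pass      # exists, but owned by another user
        alive.add(pid)
    return alive


def cross_view_diff(listed, probed):
    """IDs present in the probe view but absent from the listed view."""
    return sorted(probed - listed)


def find_hidden_pids(max_pid=None, proc="/proc"):
    """Snapshot /proc before and after the probe so a process that merely
    started or exited during the scan is not reported as hidden."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    before = pids_from_proc(proc)
    probed = pids_from_kill(max_pid)
    after = pids_from_proc(proc)
    return cross_view_diff(before | after, probed)


if __name__ == "__main__":
    print("hidden PIDs:", find_hidden_pids() or "none")
```

A non-empty result is a lead, not proof: a /proc mounted with hidepid, or a rootkit that hooks both paths consistently, will fool this particular check, which is why the post's "known good" kernel remains the baseline for forensics.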