The majority of Linux rootkits check /dev/kmem for the address of the interrupt descriptor table (IDT). This is a table for all the system calls and their corresponding function pointers. Once you have this, you can just overwrite the function pointer for any system call to your own function. So for example you can write you own function for getdents with is used to get file listings and hide files. Here are some links with more information:
http://www.phrack.org/archives/59/p59-0x13 http://www.phrack.org/archives/63/p63-0x07_Games_With_Kernel_Memory_FreeBSD_Style.txt http://reactor-core.org/linux-kernel-hacking.html So what a lot of rootkit detectors do is just check the IDT for inconsistencies. You can also compare the output to getdents (or just ls) to a lower level function call that gets the directory listing. If there are any differences there's a pretty good chance some file is being hidden. Hopes this helps. ~John Geddes On Feb 1, 2008 4:56 PM, Brandon Louder <[EMAIL PROTECTED]> wrote: > I can't answer your entire question but I can provide a good resource. > > http://www.packetstormsecurity.org/UNIX/penetration/rootkits/ > > Packet Storm has A LOT of known rootkits listed there with descriptions > and links to other sites. > > Another tool you might look into is Rootkit Hunter (rkhunter). > > Good Luck! > > > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Ahmed Zaki > Sent: Thursday, January 31, 2008 1:41 PM > To: [email protected] > Subject: RootKits Under Linux > > Hi all > > I am currently doing a project on rootkits under linux os. I am > specially interested in loadable kernel module rootkits. I wanted to > know > where does research stand now in terms of detecting such rootkits. It > would > be very helpful if you would be able to point me to resources where I > gain > information on the diverse variations of these rootkits and current > available methods of detecting them. Also if there are mechanisms that > can > be used to totally avoid detection that would be used by rootkits. > > > > Regards > > Zeeq > > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig > n=intro_sfw > to learn more. > ------------------------------------------------------------------------ > > > ----------------------------------------- > Confidentiality Notice: This e-mail message, including any > attachments, is for the sole use of the intended recipient(s) and > may contain confidential and privileged information. Any > unauthorized review, use, disclosure, or distribution is > prohibited. If you are not the intended recipient, please contact > the sender by reply e-mail and destroy all copies of the original > message. > > > > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw > to learn more. > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
