On Tue, Oct 12, 1999 at 10:24:36PM +1000, Steve Youngs wrote:
[...]
> Wouldn't tripwire detect the Trojan/module thing as well? I don't
> know, I haven't setup tripwire here yet.
Possibly not. Tripwire will detect a modified file and may or may
not detect additions to critical directories. If you stored the trojan
module in a non-critical directory, then insmoded it into the kernel, you
really haven't modified anything that tripwire would be watching. If you
really needed to, you could copy it to a critical directory, insmod it,
remove it from the directory, then reset the directory modification times
back to what they were. To hit the kernel itself, you would have to modify
the existing kernel image OR modify lilo.conf, either of which tripwire
could catch, and then reboot (which several other things should catch). I
will concede the theoretical possibility of creating a kernel, adding it
to lilo.conf, running lilo, then deleting the kernel and (somehow) protecting
that diskspace so it is no longer overwritten. One trick COULD be to shrink
the swap space and hide a rogue kernel in a new partition, but the logistics
would be really tricky.
A kernel module could be inserted into a running kernel without
modifying any existing files or critical directories or rebooting the
system. That's far easier and far more difficult to detect.
[...]
> Surely it would be better to use something that is guaranteed to be
> run like inetd for the Trojan rather than a module that may not even
> get loaded.
Again, possibly... Depending on what you are trying to do.
You are more likely to see combination effects. The attacker has
several binaries or applications which the module is used to help
hide. The module is not the hole per se but becomes part of the root
kit stealth element.
I've already seen the source code to the new generation stealth
modules that are running around out there. They get loaded and then
tinker with the kernel structures so they can't be unloaded or detected
after insmoding. What they do in the system after loading is up to you.
They would probably get loaded by some trojan or backdoor out of inetd
or one of the rc scripts and then act from the kernel layer to hide the
original trojan or backdoor in a way that is hard to detect from user space.
> But at the end of the day, it all boils down to one thing... keep the
> bastards out in the first place.
No joke!
> --
> ---Regards, Steve Youngs--------Email:-<[EMAIL PROTECTED]>---
> | If Microsoft is the answer, then all I can say is that |
> | you are asking the wrong question. |
> ------------------------------<Don't be a Newbie--Be a Gnu-bie>---
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
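The two detection gaps discussed in this message, replayed in code. This is an added example, not code from either poster or from Tripwire: a small file-integrity baseline (content hash plus directory listing, alongside the directory mtime that the message describes an attacker resetting) and a baseline diff of /proc/modules. The watched directory, its file names, and the /proc/modules text are constructed for the demonstration; nothing here loads a real module.

```python
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_dir(path):
    """Baseline for one watched directory: the directory's own mtime (the
    weak signal an attacker can reset with utime), the sorted entry names
    (which catch additions and removals regardless of mtime), and a
    content hash plus mode bits for each regular file."""
    entries = sorted(os.listdir(path))
    files = {}
    for name in entries:
        full = os.path.join(path, name)
        st = os.lstat(full)
        if stat.S_ISREG(st.st_mode):
            files[name] = (hash_file(full), stat.S_IMODE(st.st_mode))
    return {"mtime_ns": os.stat(path).st_mtime_ns, "entries": entries, "files": files}


def compare_dir(baseline, current):
    """Return (dir_mtime_changed, findings); findings is a list of
    (kind, name) with kind in {'added', 'removed', 'modified'}."""
    findings = []
    base_set, cur_set = set(baseline["entries"]), set(current["entries"])
    findings += [("added", n) for n in sorted(cur_set - base_set)]
    findings += [("removed", n) for n in sorted(base_set - cur_set)]
    for name, rec in baseline["files"].items():
        if name in current["files"] and current["files"][name] != rec:
            findings.append(("modified", name))
    return baseline["mtime_ns"] != current["mtime_ns"], findings


def parse_proc_modules(text):
    """Module names from /proc/modules text. Only the first column is used,
    because the remaining columns differ between 2.2-era and current kernels."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def compare_modules(baseline, current):
    """(unexpected modules, missing modules) relative to a baseline name set."""
    return sorted(current - baseline), sorted(baseline - current)


def run_scenarios():
    """Replay the attacker moves from the message against a scratch directory
    and constructed /proc/modules text; returns the detector's verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ext2.o"), "wb") as f:
            f.write(b"legit module bytes\n")  # constructed file, not a real module
        base = snapshot_dir(d)

        # 1. Trojan module copied into the watched directory, then the
        #    directory mtime reset to the baseline value. The mtime check is
        #    fooled; the listing check still reports the new entry.
        with open(os.path.join(d, "evil.o"), "wb") as f:
            f.write(b"trojan module bytes\n")
        os.utime(d, ns=(base["mtime_ns"], base["mtime_ns"]))
        results["copy_in_mtime_reset"] = compare_dir(base, snapshot_dir(d))

        # 2. Trojan removed again after the (simulated) insmod, mtime reset.
        #    Nothing on disk differs from the baseline any more.
        os.remove(os.path.join(d, "evil.o"))
        os.utime(d, ns=(base["mtime_ns"], base["mtime_ns"]))
        results["removed_again"] = compare_dir(base, snapshot_dir(d))

    # Constructed /proc/modules snapshots in the 2.2-era column layout.
    before = "ext2  35000  1 (autoclean)\nnfs  30000  0 (unused)\n"
    loaded = before + "evil  2000  0 (unused)\n"
    base_mods = parse_proc_modules(before)
    # 3. Ordinary module: it appears in /proc/modules, so a baseline diff sees it.
    results["plain_module"] = compare_modules(base_mods, parse_proc_modules(loaded))
    # 4. Stealth module that unlinked itself from the kernel's module list:
    #    /proc/modules reads exactly like the baseline and this check is blind.
    results["stealth_module"] = compare_modules(base_mods, parse_proc_modules(before))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(name, verdict)
```

Scenarios 1 and 2 show why a directory-listing and content baseline is worth more than the directory mtime, and also that the window for catching a copy-in/insmod/delete sequence closes as soon as the file is gone. Scenarios 3 and 4 show that a /proc/modules diff catches a module loaded from an unwatched directory, but only until the module hides itself from the kernel's own list, which is the point the message makes about detection from user space.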