On Fri, 2019-11-22 at 10:04 +0000, rob pearman wrote:
> Thanks for coming back to me, Al.
>
> I couldn't see anything useful in the changelog, but looking further
> at how RKH seems to work it looks like it would pick up HiddenWasp (as
> an example) because it preloads a shared library as part of its
> infection process.
>
Absolutely correct. Whilst using signatures works for specific things,
RKH has the advantage of detecting general things which can be
characteristic of malware. In this instance RKH does not list checking
for HiddenWasp, but it would detect 'odd things' such as the ld
preloading and the fact that HiddenWasp creates an account. For me
these are reasons why RKH is actually quite good to use, but alongside
other security software.
Reading an article on HiddenWasp it was slightly odd/funny to read that
approx 60 or so AV software did not detect it. This was because they had
no signature for it. If they checked rootkit/malware detection software,
such as RKH, then I suspect they would find that it would, in effect, be
detected (or at least odd things flagged).

As to signatures in RKH, this was something that unSpawn started.
Unfortunately it then sort of fizzled out, and unSpawn has not been
heard of since then. Although there is a signatures subdirectory, with
files in it, they are not maintained.

As to HiddenWasp, and a couple of others, I'll see about adding some
checks for the files it uses ('/lib/se1inux.so' or some such).

John.

> On Thu, 21 Nov 2019 at 18:54, Al Varnell <alvarn...@mac.com> wrote:
> > Take a look at the release dates in the Change Log to see how often
> > signatures are updated:
> >
> > <https://sourceforge.net/p/rkhunter/rkh_code/ci/master/tree/files/CHANGELOG>
> >
> > -Al-
> > macOS User
> >
> > On Nov 21, 2019, at 07:47, rob pearman <rob.pear...@gmail.com> wrote:
> >
> > Hi!
> >
> > I'd be grateful if someone could answer a couple of questions ...
> >
> > 1. I'm aware that in principle it checks for changes to key files that
> > might indicate a replacement by a rootkit/virus, and I've already set
> > up my installation to check against my package manager's details (DPKG
> > in my case), however there are also rootkit-specific tests run by RKH
> > that are listed toward the end of the 'check' process. Notably absent
> > from this list are some recent nasties such as HiddenWasp - is this
> > because the signatures haven't been updated yet, or would it be
> > detected by more generic checks that mean it doesn't need specific
> > checks to be performed?
> >
> > 2. What is the process, and how often are the RKH signatures updated?
> >
> > Thanks for your help.
> > Rob
> >
> _______________________________________________
> Rkhunter-users mailing list
> Rkhunter-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/rkhunter-users

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK
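As an added illustration of the generic 'odd things' checks John describes above, here is a small POSIX shell script written for this page (not rkhunter's own code) that flags a library listed in an ld.so.preload-style file, an account that has appeared since a baseline copy of passwd, and any UID 0 account other than root. The file names and the sample file contents are constructed assumptions.

```shell
# Added example, not rkhunter's own code: two of the generic "odd things"
# checks John describes (a library listed in ld.so.preload and a newly
# created account), as POSIX shell run over constructed sample files.
# Paths, file names and the sample contents below are all assumptions.

# Print each library named in an ld.so.preload-style file. Entries may be
# separated by whitespace or colons; '#' comments and blank lines are skipped.
list_preloads() {
    [ -s "$1" ] || return 0
    sed 's/#.*//' "$1" | tr ' \t:' '\n\n\n' | sed '/^$/d'
}

# Print account names in the current passwd-style file ($2) that are absent
# from a baseline copy taken earlier ($1): how a scanner notices a new user.
new_accounts() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Print accounts with UID 0 whose name is not root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Run every check over a directory holding the files: warnings go to stderr,
# the total number of warnings is written to stdout.
count_warnings() {
    dir=$1; n=0
    for lib in $(list_preloads "$dir/ld.so.preload"); do
        echo "Warning: shared library preloaded via ld.so.preload: $lib" >&2
        n=$((n + 1))
    done
    for acct in $(new_accounts "$dir/passwd.baseline" "$dir/passwd"); do
        echo "Warning: account not present in baseline passwd: $acct" >&2
        n=$((n + 1))
    done
    for acct in $(extra_uid0_accounts "$dir/passwd"); do
        echo "Warning: UID 0 account other than root: $acct" >&2
        n=$((n + 1))
    done
    echo "$n"
}
# Constructed sample input (not taken from any real system).
sample=$(mktemp -d)
printf '# constructed\n/usr/lib/example-preload.so\n' > "$sample/ld.so.preload"
printf 'root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1::/:/usr/sbin/nologin\n' \
    > "$sample/passwd.baseline"
cp "$sample/passwd.baseline" "$sample/passwd"
printf 'sysupdate:x:0:0::/var/tmp:/bin/sh\n' >> "$sample/passwd"
count_warnings "$sample"
```

On the constructed sample this prints three warnings to stderr and the count 3 to stdout; on a clean system with an empty ld.so.preload and an unchanged passwd it prints 0.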