Wilders Security Forums  

  #1  
Old October 7th, 2011, 04:12 PM
SUPERIOR SUPERIOR is offline
Regular Poster
 
Join Date: Dec 2007
Location: Syria
Posts: 161
Default What You Need to Know About Linux Rootkits

Code:
http://www.linuxsecurity.com/content/view/154709?rdf

sorry if it's already posted
__________________
Analyzing scareware, junkware, crimeware, damnware, crapware ....... and all $h!tware
  #2  
Old October 7th, 2011, 05:48 PM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,428
Default Re: What You Need to Know About Linux Rootkits

Know in what sense?
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #3  
Old October 7th, 2011, 09:12 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: What You Need to Know About Linux Rootkits

Hmm, I never have and never will believe Linux is "immune". However, realistically, if one never tries to bypass the built-in security (meaning one doesn't try something so stupid as running as root for daily activity, and sticks to software in the supplied repositories), the chances of getting one of these things are ridiculously low. I'd even go so far as to say that they are almost as low just by doing general surfing. I think you'd really have to be looking for it.
  #4  
Old October 8th, 2011, 02:40 AM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,428
Default Re: What You Need to Know About Linux Rootkits

Getting your system infected with something really sophisticated is quite complicated, because the code highly depends on the libraries you have on your host, the exact glibc version, exact kernel, etc. It is virtually impossible to run non-compatible code of any kind, let alone some complex malware that resides in the kernel space without causing kernel panic.
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #5  
Old October 8th, 2011, 09:06 AM
lodore lodore is offline
Incredibly Massive Poster
 
Join Date: Jun 2006
Posts: 8,876
Default Re: What You Need to Know About Linux Rootkits

IMHO all that matters is who is using the keyboard and mouse and if they are willing to give their root password to packagexyz.deb, packagedfd666.rpm etc. There will always be times when a user can't find an application that does what they want in the official repos.
__________________
useful tools: cure it SAS Hitman Pro mbam KL Eset windows defender offline Sophos
  #6  
Old October 8th, 2011, 10:20 AM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,428
Default Re: What You Need to Know About Linux Rootkits

That's not all. There's the idea of planting a kernel module into the kernel to subvert it. This is the tricky part. Not easily done, because this thing, regardless of malware or not, is not easily done. That's why often you can't have Ubuntu 9.10 code running on 10.10, for example. So much is different.
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #7  
Old October 8th, 2011, 03:55 PM
NGRhodes NGRhodes is offline
Very Frequent Poster
 
Join Date: Jun 2003
Location: West Yorkshire, UK
Posts: 1,904
Default Re: What You Need to Know About Linux Rootkits

Quote:
Originally Posted by Mrkvonic
That's not all. There's the idea of planting a kernel module into the kernel to subvert it. This is the tricky part. Not easily done, because this thing, regardless of malware or not, is not easily done. That's why often you can't have Ubuntu 9.10 code running on 10.10, for example. So much is different.
Mrk

Wow, that is a bonus I never thought of: Linux and its unstable ABI.
  #8  
Old October 8th, 2011, 05:39 PM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,428
Default Re: What You Need to Know About Linux Rootkits

Yup, even tiny changes in the compilation flags of modules compared to the kernel, plus the tiny differences in environment variables or gcc version down to the fourth dot, might result in faulty modules that won't load and/or, if loaded, will panic the host.

Cheers,
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
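The "won't load" half of the post above is enforced by the kernel's version-magic check. The following is an added illustration, not code from the thread: it mirrors the comparison the kernel's same_magic() performs (the release token is skipped only when the module carries symbol CRCs from CONFIG_MODVERSIONS; every build flag must still match character for character), and the vermagic strings are constructed samples in the format `modinfo` prints.

```python
"""Added example: why a module built for a slightly different kernel is
refused.  The vermagic strings below are constructed, not taken from a
real system."""

# Constructed: what the running kernel was built with (modinfo-style format,
# trailing space included, as the kernel's VERMAGIC_STRING has one).
KERNEL_MAGIC = "2.6.38-11-generic SMP mod_unload modversions 686 "
# Constructed: modules built on other hosts.
MODULE_SAME = "2.6.38-11-generic SMP mod_unload modversions 686 "
MODULE_OTHER_RELEASE = "2.6.35-30-generic SMP mod_unload modversions 686 "
MODULE_NO_SMP = "2.6.38-11-generic mod_unload modversions 686 "


def _after_release(magic: str) -> str:
    """Everything from the first space on (empty if there is no space),
    which is what the kernel compares when CRCs are present."""
    i = magic.find(" ")
    return "" if i < 0 else magic[i:]


def same_magic(module_magic: str, kernel_magic: str, has_crcs: bool) -> bool:
    """Mirror of the kernel's same_magic(): with symbol CRCs the release
    string is ignored (the per-symbol CRCs do that job); without them the
    whole string, release included, must be identical.  Flag order matters."""
    if has_crcs:
        module_magic = _after_release(module_magic)
        kernel_magic = _after_release(kernel_magic)
    return module_magic == kernel_magic


def why_rejected(module_magic: str, kernel_magic: str, has_crcs: bool) -> list:
    """Human-readable list of the mismatches an admin would look for after
    seeing "version magic '...' should be '...'" in dmesg."""
    mrel, *mflags = module_magic.split()
    krel, *kflags = kernel_magic.split()
    reasons = []
    if mrel != krel and not has_crcs:
        reasons.append(f"release {mrel!r} != {krel!r}")
    missing = sorted(set(kflags) - set(mflags))
    extra = sorted(set(mflags) - set(kflags))
    if missing:
        reasons.append("module lacks " + ", ".join(missing))
    if extra:
        reasons.append("module has extra " + ", ".join(extra))
    return reasons


if __name__ == "__main__":
    for m in (MODULE_SAME, MODULE_OTHER_RELEASE, MODULE_NO_SMP):
        print(repr(m), same_magic(m, KERNEL_MAGIC, True), why_rejected(m, KERNEL_MAGIC, True))
```

On a live host the kernel's side of the comparison is `uname -r` plus the flags shown by `modinfo -F vermagic` on any module shipped with that kernel; a rejected module leaves the "version magic ... should be ..." line in the kernel log, which is a useful artefact when investigating a failed tampering attempt.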
  #9  
Old October 9th, 2011, 01:53 PM
kareldjag kareldjag is offline
Frequent Poster
 
Join Date: Nov 2004
Location: Feet in France, Mind in the World
Posts: 517
Default Re: What You Need to Know About Linux Rootkits

hi,

A kind of vulgarization article for Linux users, and technically outdated.
The grsecurity patch is more interesting than SELinux for kernel-level rootkits.
A few detectors are available, but there is no more reliable detection way than forensic detection (with the Volatility framework, for instance:
http://www.terena.org/activities/tf-...g-rootkits.pdf ).

Rgds
__________________
Independent vision of Security (Security? Yeah But Well: http://www.ouaismaisbon.ch/ )
Fight child crime: http://www.circamp.eu/ http://www.virtualglobaltaskforce.com/
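The forensic approach mentioned in the post above rests on cross-view checks: the same fact is read from two kernel data structures and any disagreement is flagged. The block below is an added example, not code from the thread or from Volatility; it implements the simplest such check (the module list in /proc/modules versus the per-module directories under /sys/module) on constructed sample data, and filters out built-in code, which also gets a /sys/module entry but never an `initstate` attribute.

```python
"""Added example: cross-view check for kernel modules hidden from lsmod.
A module that unlinks itself from the kernel's module list disappears from
/proc/modules and lsmod, but its sysfs kobject usually remains.  Sample
data below is constructed."""
import os

# Constructed /proc/modules content (name, size, refcount, users, state, addr).
PROC_MODULES_SAMPLE = """\
ext4 473802 1 - Live 0xffffffffa0012000
jbd2 93591 1 ext4, Live 0xffffffffa0000000
psmouse 73882 0 - Live 0xffffffffa0060000
"""

# Constructed view of /sys/module: directory name -> attribute files inside.
SYSFS_SAMPLE = {
    "ext4": {"initstate", "refcnt", "sections", "parameters"},
    "jbd2": {"initstate", "refcnt", "sections"},
    "psmouse": {"initstate", "refcnt", "parameters"},
    "printk": {"parameters"},                          # built-in, not loadable
    "evil_lkm": {"initstate", "refcnt", "sections"},   # constructed: not in the list
}


def parse_proc_modules(text: str) -> set:
    """Module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def find_hidden_modules(proc_modules_text: str, sysfs_entries: dict) -> list:
    """Names present in sysfs as loaded modules (they carry 'initstate',
    which only module_add_modinfo_attrs() creates for loadable modules) but
    absent from the module list.  Built-in entries are ignored, so the check
    does not false-positive on them.  A module that also removes its kobject
    is not caught here; that is why memory forensics checks more structures."""
    listed = parse_proc_modules(proc_modules_text)
    loaded_in_sysfs = {name for name, attrs in sysfs_entries.items() if "initstate" in attrs}
    return sorted(loaded_in_sysfs - listed)


def read_live_sysfs(root: str = "/sys/module") -> dict:
    """Collect the same structure from a running Linux host (no root needed
    to list attribute names)."""
    return {name: set(os.listdir(os.path.join(root, name))) for name in os.listdir(root)}


if __name__ == "__main__":
    print("sample:", find_hidden_modules(PROC_MODULES_SAMPLE, SYSFS_SAMPLE))
    if os.path.isdir("/sys/module"):
        with open("/proc/modules") as fh:
            print("this host:", find_hidden_modules(fh.read(), read_live_sysfs()))
```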
  #10  
Old October 14th, 2011, 07:24 PM
Ranget Ranget is offline
Frequent Poster
 
Join Date: Mar 2011
Location: Not Really Sure :/
Posts: 832
Default Re: What You Need to Know About Linux Rootkits

Linux servers always get hacked, even more frequently than Windows.

See the hacked site database, for instance.
__________________
Spyshelter Premium + MBAM Pro + Avast Free + Hardened Firefox + Secunia Update Checker
"Uncommon sense will increase your privacy; common sense will just make you common."
"The Worst Thing in the World is To look and not be able to Help "
  #11  
Old October 15th, 2011, 02:42 AM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,428
Default Re: What You Need to Know About Linux Rootkits

In percentage or absolute numbers? If numbers, then it's ok, because there is more Linux in the server world than Windows.
Statistics can be fickle.
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #12  
Old October 15th, 2011, 03:38 AM
NGRhodes NGRhodes is offline
Very Frequent Poster
 
Join Date: Jun 2003
Location: West Yorkshire, UK
Posts: 1,904
Default Re: What You Need to Know About Linux Rootkits

Quote:
Originally Posted by Mrkvonic
In percentage or absolute numbers? If numbers, then it's ok, because there is more Linux in the server world than Windows.
Statistics can be fickle.
Mrk

Or severity or how long left vulnerable...

Cheers, Nick
  #13  
Old October 15th, 2011, 05:44 AM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,996
Default Re: What You Need to Know About Linux Rootkits

Quote:
Originally Posted by Nick Rhodes
Or severity or how long left vulnerable...

When it comes to servers, speed of fixing the exploit doesn't help, when it's the person/company itself responsible that isn't patching that server. Unless you're trying to state that all these compromised servers every day are always 0-day, which I *highly* doubt.

That being said, isn't it usually 3rd-party applications on the OS that are being exploited, e.g. PHP, MySQL, WordPress? In which case, the OS doesn't really matter.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #14  
Old October 15th, 2011, 07:25 AM
NGRhodes NGRhodes is offline
Very Frequent Poster
 
Join Date: Jun 2003
Location: West Yorkshire, UK
Posts: 1,904
Default Re: What You Need to Know About Linux Rootkits

Quote:
Originally Posted by funkydude
When it comes to servers, speed of fixing the exploit doesn't help, when it's the person/company itself responsible that isn't patching that server. Unless you're trying to state that all these compromised servers every day are always 0-day, which I *highly* doubt.

That is a maintenance issue and has nothing to do with how quickly patches are released.

Quote:
Originally Posted by funkydude
That being said, isn't it usually 3rd-party applications on the OS that are being exploited, e.g. PHP, MySQL, WordPress? In which case, the OS doesn't really matter.

Though it does matter when it's the Linux distros - the OS - that are supplying the patches and update mechanisms.

What's worse, 10 exploits that get fixed in days, or 1 exploit that does not get fixed for months?
Time to fix, be it a patch or providing a workaround, is important.

Cheers, Nick.
  #15  
Old October 15th, 2011, 08:45 AM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,996
Default Re: What You Need to Know About Linux Rootkits

You seemed to veer off what I was saying, or misunderstood my point. Also avoiding the entire 3rd-party statement by switching topic back to the OS the software is hosted on.

While time to patch may be important, in the real world we live in (Earth), hundreds of servers are compromised each day. Patch response time (at least for servers) is near meaningless, as server hosts/providers don't always immediately update. While the effort of the company/individual responsible for fixing said exploit can be commended, it goes to waste against a high number of server providers that don't take advantage of it.

But again I say, it is usually 3rd-party software responsible.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #16  
Old October 16th, 2011, 06:05 AM
J_L J_L is offline
Massive Poster
 
Join Date: Nov 2009
Posts: 4,821
Default Re: What You Need to Know About Linux Rootkits

Looks good. Wish I saw this last time I asked.
__________________
  #17  
Old October 16th, 2011, 08:12 AM
NGRhodes NGRhodes is offline
Very Frequent Poster
 
Join Date: Jun 2003
Location: West Yorkshire, UK
Posts: 1,904
Default Re: What You Need to Know About Linux Rootkits

Quote:
Originally Posted by funkydude
You seemed to veer off what I was saying, or misunderstood my point. Also avoiding the entire 3rd-party statement by switching topic back to the OS the software is hosted on.

This is a Linux topic and 99.99% of servers in the world use distros and their update mechanisms, so it is relevant.

Quote:
Originally Posted by funkydude
While time to patch may be important, in the real world we live in (Earth), hundreds of servers are compromised each day. Patch response time (at least for servers) is near meaningless, as server hosts/providers don't always immediately update. While the effort of the company/individual responsible for fixing said exploit can be commended, it goes to waste against a high number of server providers that don't take advantage of it.

The poor response times are not an issue of Linux's security; it's down to poor admin. The time to release patches is meaningful to those who care about the security of their data/systems.

Quote:
Originally Posted by funkydude
But again I say, it is usually 3rd-party software responsible.

Debian is well known for releasing fixes before upstream has a chance to roll out a patch; sometimes the security problems are due to a custom patchset applied (how about the SSH key issue recently with Debian). Unless you are building your Linux systems from scratch and hand-picking and compiling software with patches, the distro IS important with 3rd-party software in the Linux world; all the major distros maintain lots of patches on top of upstream, for example.

Cheers, Nick