Best rootkit remover / protection for Linux?

Discussion in 'all things UNIX' started by J_L, May 29, 2010.

Thread Status:
Not open for further replies.
  1. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I know rootkits are probably the biggest threats, so which tools are best for them?
    Other than drive imaging and disk wiping please.
     
  2. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Are you running a Linux server, if not why are you worried about rootkits?
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Still am a Windows user mainly, but I'm sure Linux isn't the fool-proof system many claim it is.
    No I'm not running a server. Also not using root for main account.
     
  4. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136
    Nothing is fool-proof, but infections are not common in Linux yet, rootkits especially. You won't get infected if you have installed software from a proper source. Also, you need to really get out of the Windows mentality of infection; it doesn't happen like that in Linux.

    http://www.psychocats.net/ubuntu/security Some good reading here.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I see.. Interesting read.
    Still think that Linux's greatest defense is its market share, especially with the masses.

    Once it's popular enough, I'm betting hackers will start tackling Ubuntu's repositories; if successful, they can easily spread malware.

    For now, I guess Ubuntu is secure enough, especially with NoScript and WOT.
     
  6. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,136

    If you are talking market share, bear in mind that the kernel that's used worldwide in mission-critical applications is the same one used on your desktop Linux, so yes, that's the advantage of being tested under fire. Linux is the choice on most major financial, military and other apps; even the fastest supercomputer from Cray runs on Linux, and so do most others. Linux desktop users benefit from that. Also, for browsing, if you use something like Chrome under Linux, it runs in its own sandboxed mode and you are fully secure no matter what.
     
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Good point. Totally forgot about that.
     
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    You can believe that fallacy if you want, but it's still a fallacy.

    Fat chance. The repositories are vetted pretty heavily. Not just anyone can be a packager for the official repos (or the "universe" repos for that matter). Sure, it's possible for a malicious person to game the system, gain the trust of others, get a GPG key, and upload malicious signed files. But it wouldn't be long before he is caught and the files removed. So, it wouldn't be worth anyone's time. Making a malicious PPA would be easier but they, too, would be caught pretty quickly, especially if the attacker is packaging a popular app.

    And if someone were to crack the repos in a physical sense (that is, hack the server and secretly replace the original files with his own trojaned files) he would again be wasting his time since he wouldn't have the repo's GPG key to sign the files with. So when users download them, they are automatically informed that the file does not pass verification.

    This is what happened to Fedora in 2008 -- someone hacked their repo server and uploaded a couple of malicious files. The only problem was they didn't have the GPG key, so the files failed the message digest check.

    Much easier for an attacker would be to simply social engineer newbs into installing a malicious .deb from his website. This is why newbs need to be educated to always rely on the repos if at all possible.

    Noscript and WOT are the last things on my list to worry about. I run neither (I prefer AppArmor and Chromium instead).

    As for your original inquiry about rootkits -- I think we need to first understand what a rootkit is. The Windows world has changed the definition of rootkit from what it meant originally (it used to mean a kit that helps the attacker maintain root access on a Unix machine -- hence the name rootkit). On Windows, a rootkit has just become another piece of malware, essentially indistinguishable from a trojan. It's just a trojan with more horsepower.

    On Linux this is not what a rootkit is. A rootkit on *nix machines does nothing in and of itself -- it is only useful if the machine has already been compromised through other means. Its only function is to help the attacker maintain a backdoor in the system, delete log files, change binaries, etc. Basically, rootkits help the attacker remain hidden. They are worthless unless your machine has already been hacked.

    So, why worry about rootkits if you are doing everything else right? Your chances of being targeted by a hacker, actually being hacked, and then having the attacker install a rootkit are extremely slim on a desktop box. If you run a server which might be a target, then there are better ways to prevent rootkits than with a rootkit scanner. The best way is with an IDS like Tripwire or AIDE.
     
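The post above recommends an IDS such as Tripwire or AIDE over a rootkit scanner, and earlier describes how trojaned repository files fail a message-digest check against a signed manifest. The example below is an added illustration, not code from the thread or from either project: a minimal Tripwire/AIDE-style integrity checker that records a SHA-256 baseline of every file under a directory and later reports what was modified, added or removed. The directory layout, file contents and the simulated tampering in `demo()` are constructed for the example. In practice the baseline is stored off-host or on read-only media; a baseline kept on the monitored machine is what an attacker with root would edit first.

```python
"""Minimal file-integrity checker in the spirit of Tripwire/AIDE.

Added example for this thread, not code from Tripwire or AIDE. A baseline
maps each relative path to its SHA-256 digest, size and permission bits; a
later scan is compared against it. Replaced binaries show up as "modified",
dropped-in files as "added", deleted logs or configs as "removed". A file
that is not in the signed baseline at all fails the check in the same way a
repository file without a matching digest fails apt's or yum's verification.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Digest a regular file in chunks and record size and mode bits."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(root: Path) -> dict:
    """Walk `root` and return {relative_posix_path: record} for regular files.

    Symlinks are skipped: following them would let an attacker point a
    monitored path at a file of their choosing.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the paths whose records changed, appeared or disappeared."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict:
    """Build a tiny constructed filesystem, take a baseline, tamper, rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")

        # Baseline is serialised as it would be when written to off-host storage.
        saved_baseline = json.dumps(build_baseline(root))

        # Constructed tampering: a replaced binary, a new hidden file, a removed file.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\n# replaced contents\n")
        (root / "etc" / ".hidden").write_text("")
        (root / "etc" / "passwd").unlink()

        return compare(json.loads(saved_baseline), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a report with `bin/ls` under "modified", `etc/.hidden` under "added" and `etc/passwd` under "removed". Real deployments also record owner, inode and mtime and exclude paths that legitimately churn (spool and log directories) to keep the report readable.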
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Guess I need more Linux experience.. I acknowledge that rootkits are highly unlikely, and Linux is secure enough with common sense.
    Please close this thread.
     
  10. tlu

    tlu Guest

    At the risk that Eice steps in :D ...

    AppArmor doesn't protect against the risks NoScript is aimed at (XSS, clickjacking, etc.).

    Is the XSS filter in Chrome reenabled? It had been disabled some time ago because of performance considerations.
     
  11. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I don't worry about clickjacking as I am careful to check the real URLs (and SSL if applicable) of any sensitive site I visit.
     