What You Need to Know About Linux Rootkits

Discussion in 'all things UNIX' started by SUPERIOR, Oct 7, 2011.

Thread Status:
Not open for further replies.
  1. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    http://www.linuxsecurity.com/content/view/154709?rdf

    Sorry if it's already posted :oops:
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Know in what sense?
    Mrk
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hmm, I never have and never will believe Linux is "immune". However, realistically, if one never tries to bypass the built-in security (meaning doesn't try something so stupid as running as root for daily activity, and sticks to software in the supplied repositories), the chances of getting one of these things are ridiculously low. I'd even go so far as to say that they are almost as low just by doing general surfing. I think you'd really have to be looking for it.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Getting your system infected with something really sophisticated is quite complicated, because the code highly depends on the libraries you have on your host, the exact glibc version, exact kernel, etc. It is virtually impossible to run non-compatible code of any kind, let alone some complex malware that resides in the kernel space without causing kernel panic.
    Mrk
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,007
    IMHO all that matters is who is using the keyboard and mouse and if they are willing to give their root password to packagexyz.deb, packagedfd666.rpm etc. There will always be times when a user can't find an application that does what they want in the official repos.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    That's not all. There's the idea of planting a kernel module into the kernel to subvert it. This is the tricky part. Not easily done, because this thing, regardless of malware or not, is not easily done. That's why often you can't have Ubuntu 9.10 code running on 10.10, for example. So much is different.
    Mrk
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Wow, that is a bonus I never thought of: Linux and its unstable ABI.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Yup, even tiny changes in the compilation flags of modules compared to the kernel, plus the tiny differences in environment variables or gcc version down to the fourth dot, might result in faulty modules that won't load and/or, if loaded, will panic the host.

    Cheers,
    Mrk
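    The "won't load" case Mrk describes above is the kernel comparing a module's vermagic string (release plus SMP/preempt/modversions flags) against its own. The script below is an added example, not code from the thread: it performs the same comparison before a third-party .ko is loaded, using an in-tree module from /lib/modules/$(uname -r) as the reference (assumed layout); the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: compare a kernel module's vermagic with the running kernel's.
# The loader refuses a module on vermagic mismatch; a module that matches but
# was built with other config or compiler can still fault at runtime.

# Strip the "vermagic:" label and collapse whitespace so modinfo output and
# hand-typed strings (e.g. "3.0.0-12-generic SMP mod_unload modversions",
# a constructed sample) compare equal.
normalize_vermagic() {
    printf '%s\n' "$1" | sed 's/^vermagic:[[:space:]]*//' \
        | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Kernel release is the first token; the remaining tokens are build flags.
vermagic_release() { normalize_vermagic "$1" | cut -d' ' -f1; }
vermagic_flags()   { normalize_vermagic "$1" | cut -s -d' ' -f2-; }

# Prints one verdict word and returns 0 only on an exact match:
#   match            - identical release and flags, loader will accept it
#   release-mismatch - built for another kernel release
#   flag-mismatch    - same release, but SMP/preempt/modversions/etc. differ
vermagic_verdict() {
    mod=$(normalize_vermagic "$1")
    ref=$(normalize_vermagic "$2")
    if [ "$mod" = "$ref" ]; then
        echo match
        return 0
    fi
    if [ "$(vermagic_release "$mod")" != "$(vermagic_release "$ref")" ]; then
        echo release-mismatch
    else
        echo flag-mismatch
    fi
    return 1
}

# Live use: sh vermagic_check.sh /path/to/third_party.ko
# Reference vermagic comes from any module shipped with the running kernel
# (same string for every in-tree module of one kernel build).
if [ $# -ge 1 ]; then
    ref_ko=$(find "/lib/modules/$(uname -r)/kernel" -name '*.ko*' 2>/dev/null | head -n 1)
    vermagic_verdict "$(modinfo -F vermagic "$1")" "$(modinfo -F vermagic "$ref_ko")"
fi
```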
     
  9. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    A kind of vulgarization article for Linux users, and technically outdated.
    The Grsecurity patch is more interesting than SELinux for kernel-level rootkits.
    A few detectors are available, but there is no more reliable detection method than forensic detection (with the Volatility framework, for instance:
    http://www.terena.org/activities/tf-csirt/meeting27/oesterberg-rootkits.pdf ).

    Rgds
     
  10. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Linux servers always get hacked, even more frequently than Windows o_O

    See the hacked site database, for instance.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    In percentage or absolute numbers? If numbers, then it's ok, because there is more Linux in the server world than Windows.
    Statistics can be fickle.
    Mrk
     
  12. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Or severity or how long left vulnerable...

    Cheers, Nick
     
  13. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    When it comes to servers, speed of fixing the exploit doesn't help, when it's the person/company itself responsible that isn't patching that server. Unless you're trying to state that all these compromised servers every day are always 0-day, which I *highly* doubt.

    That being said, isn't it usually 3rd party applications on the OS that are being exploited, e.g. PHP, MySQL, WordPress? In which case, the OS doesn't really matter.
     
  14. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    That is a maintenance issue and has nothing to do with how quickly patches are released.

    Though it does matter when it's the Linux distros - the OS - that are supplying the patches and update mechanisms.

    What's worse, 10 exploits that get fixed in days, or 1 exploit that does not get fixed for months?
    Time to fix, be it a patch or providing a workaround, is important.

    Cheers, Nick.
     
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    You seemed to veer off what I was saying, or misunderstood my point. Also, you avoided the entire 3rd party statement by switching the topic back to the OS the software is hosted on.

    While time to patch may be important, in the real world we live in (Earth), hundreds of servers are compromised each day. Patch response time (at least for servers) is near meaningless, as server hosts/providers don't always immediately update. While the effort of the company/individual responsible for fixing said exploit can be commended, it goes to waste against a high amount of server providers that don't take advantage of it.

    But again I say, it is usually 3rd party software responsible.
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Looks good. Wish I saw this last time I asked.
     
  17. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    This is a Linux topic, and 99.99% of servers in the world use distros and their update mechanisms, so it is relevant.

    The poor response times are not an issue of Linux's security, it's down to poor admin. The time to release patches is meaningful to those who care about the security of their data/systems.

    Debian is well known for releasing fixes before upstream has a chance to roll out a patch; sometimes the security problems are due to the custom patchset applied (how about the SSH key issue recently with Debian). Unless you are building your Linux systems from scratch and hand-picking and compiling software with patches, then the distro IS important, along with 3rd party software, in the Linux world; all the major distros maintain lots of patches on top of upstream, for example.

    Cheers, Nick
     