
LINUX ROOTKITS

LINUX ROOTKITS. Chirk Chu, Chief Security Officer, University of Alaska Statewide System, Information Technology Services. Definition. Rootkit – Software toolkit designed to hide the presence of an intruder inside a compromised system. Two types of rootkits: User mode and Kernel mode.


Presentation Transcript


  1. LINUX ROOTKITS
  Chirk Chu, Chief Security Officer
  University of Alaska Statewide System, Information Technology Services

  2. Definition
  • Rootkit – Software toolkit designed to hide the presence of an intruder inside a compromised system.
  • Two types of rootkits: User mode and Kernel mode.
  • Rootkits may contain trojans, backdoors, sniffers, scanners, rootshell exploits, attack bots, IRC bots, keystroke loggers, log scrubbers and other hacking tools.

  3. Rootkits found on UA systems
  • T0rn
  • MYRK
  • Bobkit
  • EPY
  • Diablow
  • Knark – KLM
  • RVDA – KLM

  4. Uncovering Rootkits
  • Use chkrootkit (http://www.chkrootkit.org).
  • Image the system drive and examine the rootkit on a secure system running the same or a similar OS.
  • If that is not possible, import original system binaries and/or libraries to perform the examination.
  • Do not trust anything on the compromised system.
  • Look for hidden files and directories.
  • Look for trojans in boot-up scripts.
  • Compare system binaries with distribution copies.
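As an added illustration of the last three points on this slide (not part of the original presentation), the following POSIX shell functions run on the trusted analysis host and compare a mounted image of the compromised drive against a directory of distribution copies, then list hidden entries; the GOOD and IMAGE paths are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the presentation. Run on the trusted analysis host:
# only that host's cmp/find/basename are used, nothing from the compromised disk.
# Assumed layout (placeholders): GOOD = directory of known-good distribution
# binaries, IMAGE = the matching directory on the mounted evidence image.

# Report binaries on the image that differ from, or are missing from, the
# distribution copies, plus files the distribution never shipped (possible trojans).
# Returns 0 when everything matches, 1 when anything is reported.
compare_binaries() {
    good="$1"; image="$2"; status=0
    for ref in "$good"/*; do
        name=$(basename "$ref")
        if [ ! -e "$image/$name" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        # cmp -s is a byte-for-byte comparison, so a trojaned copy of the same
        # size and timestamp is still caught.
        if ! cmp -s "$ref" "$image/$name"; then
            echo "MODIFIED $name"; status=1
        fi
    done
    for sus in "$image"/*; do
        name=$(basename "$sus")
        [ -e "$good/$name" ] || { echo "EXTRA    $name"; status=1; }
    done
    return $status
}

# List dot-prefixed (hidden) files and directories anywhere under a tree;
# system binary directories normally contain none.
find_hidden() {
    find "$1" -name '.?*' -print
}
```

Dot-prefixed files are skipped by the `*` glob in `compare_binaries`, which is why `find_hidden` is a separate pass.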

  5. Preventing Rootkits
  • Use network and host based firewalls (ipchains or iptables) and TCP Wrappers.
  • Disable unused and unnecessary network services.
  • Remove unused and unnecessary software packages.
  • Patch the OS and applications on a regular basis.
  • Stay current on security vulnerabilities.
  • Compile and use a static kernel without KLM (kernel loadable module) support.
  • Use a host based IDS like Tripwire.

  6. Live Demonstration
  • T0rn Rootkit
  • Author: Surrey, 21-year-old from Surbiton, England; arrested by Scotland Yard in September, 2002.
  • Analysis available at: http://www.securityfocus.com/infocus/1230

  7. Live Demonstration
  • RVDA Rootkit
  • It is a KLM rootkit.
  • Found on a UAF CS test server running RH 7.2.
  • Functions only on an unpatched kernel.
  • Source code is very small.
  • Romanian in origin?
