NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA Listmaster
NRT-0611 New security test tool could make programming Linux rootkits easy:
Hiding malware deep inside a Linux machine is about to get easier with
the release of a new open-source rootkit on 4 September 2008 by Immunity
Inc., a firm that supplies tools for penetration testers, according to an
online press report.
When implemented, Immunity's DR, or Debug Register, makes backdoors and
other types of malware extremely difficult to detect or eradicate. This is
noteworthy because DR cloaks itself by burrowing deep inside a server's
processor and using the debugging mechanisms built into Intel's chip
architecture. The rootkit, in other words, mimics a kernel debugger. By
using a CPU's native ability to generate interrupts, DR avoids some of the
pitfalls that have visited more traditional rootkits, which modify an
operating system's system call table. This matters more and more as Linux
distributions make it harder to change the syscall table, and as rootkit
detection programs such as chkrootkit and rkhunter actively check for such
modifications.
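Because a rootkit that works through the debug registers never touches the syscall table, a defender who only runs the usual table-integrity checks will not see it; the hardware breakpoint state itself is where the evidence lives. The program below is an added example written for this post, not code from The Register's report or from Immunity's DR tool. It decodes the x86 DR7 debug-control register into the four breakpoint slots (enable bits, access type, monitored length) so an analyst can tell at a glance whether a process has hardware breakpoints armed, and the `main()` shows how to pull DR7 from a traced child with `PTRACE_PEEKUSER`. It assumes Linux on x86-64 and that the caller is permitted to trace the target; the decoder itself is pure and runs anywhere.

```c
/* Added example (not from the article or from Immunity's DR tool): decode the
 * x86 DR7 debug-control register so a defender can see which hardware
 * breakpoints a process has armed. Inspecting debug registers is one way to
 * notice code that "mimics a kernel debugger" instead of patching the syscall
 * table. The ptrace read in main() assumes Linux on x86-64; decode_dr7() is pure. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <unistd.h>

/* DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
 * bits 0-7 : L0,G0,L1,G1,L2,G2,L3,G3 local/global enables
 * bit 13   : GD, general detect (trap on any access to DR0-DR7)
 * bits 16+ : per slot i, RWi at 16+4i (2 bits), LENi at 18+4i (2 bits) */
#define DR7_L(i)      (1u << (2 * (i)))
#define DR7_G(i)      (1u << (2 * (i) + 1))
#define DR7_GD        (1u << 13)
#define DR7_RW(v, i)  (((v) >> (16 + 4 * (i))) & 3u)
#define DR7_LEN(v, i) (((v) >> (18 + 4 * (i))) & 3u)

struct hwbp {
    int enabled;        /* 1 if the slot is enabled locally or globally */
    const char *kind;   /* execute / write / io / read-write */
    int len;            /* monitored length in bytes */
};

/* Decode the four breakpoint slots of a DR7 value into out[0..3].
 * Returns the number of enabled slots. */
int decode_dr7(uint64_t dr7, struct hwbp out[4])
{
    static const char *kinds[4] = { "execute", "write", "io", "read-write" };
    static const int lens[4] = { 1, 2, 8, 4 };   /* LEN=0b10 is 8 bytes on x86-64 */
    int enabled = 0;
    for (int i = 0; i < 4; i++) {
        out[i].enabled = (dr7 & (DR7_L(i) | DR7_G(i))) != 0;
        out[i].kind = kinds[DR7_RW(dr7, i)];
        out[i].len = lens[DR7_LEN(dr7, i)];
        enabled += out[i].enabled;
    }
    return enabled;
}

/* True when GD is set, i.e. the owner wants to be told if anyone else
 * touches the debug registers. */
int dr7_general_detect(uint64_t dr7) { return (dr7 & DR7_GD) != 0; }

/* Convenience predicate for checking one decoded slot. */
int slot_matches(const struct hwbp *b, int enabled, const char *kind, int len)
{
    return b->enabled == enabled && strcmp(b->kind, kind) == 0 && b->len == len;
}

/* Read debug register idx (0-7) of a stopped, traced process. Linux exposes
 * them through the u_debugreg array of struct user via PTRACE_PEEKUSER. */
long read_debugreg(pid_t pid, int idx)
{
    return ptrace(PTRACE_PEEKUSER, pid,
                  (void *)(offsetof(struct user, u_debugreg) + idx * sizeof(long)),
                  NULL);
}

int main(void)
{
    pid_t pid = fork();
    if (pid == 0) {                       /* child: let the parent inspect us */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);
        _exit(0);
    }
    waitpid(pid, NULL, 0);                /* child is now stopped */
    uint64_t dr7 = (uint64_t)read_debugreg(pid, 7);
    struct hwbp bp[4];
    int n = decode_dr7(dr7, bp);
    printf("pid %d DR7=0x%llx: %d hardware breakpoint(s) enabled, GD=%d\n",
           (int)pid, (unsigned long long)dr7, n, dr7_general_detect(dr7));
    for (int i = 0; i < 4; i++)
        if (bp[i].enabled)
            printf("  slot %d: %s, %d byte(s)\n", i, bp[i].kind, bp[i].len);
    ptrace(PTRACE_KILL, pid, NULL, NULL);
    waitpid(pid, NULL, 0);
    return 0;
}
```

A freshly forked child should report zero enabled slots; a non-zero DR7 in a process that is not being debugged is worth a second look. Note that this reads the per-thread debug state the kernel saves for the traced task, which is what user space can see; a kernel-resident rootkit that programs the registers directly is only visible from inside the kernel.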
Over the past few years, a growing body of malware has
incorporated rootkits, making detection much more difficult. Until now, the
benefit of using a rootkit was counterbalanced by the difficulty of building
one. DR, which is now available to the general public, will make it much easier,
according to the report.
"In the old days, to attack a computer, you needed to 1)
find a bug, 2) write an exploit, 3) run the exploit 4) hide yourself,"
Charlie Miller, principal security analyst for Independent Security Evaluators,
said in an e‑mail cited in the report. "The gap between a script
kiddie and a hacker just got a little smaller."
While DR simplifies the task of cloaking malware on Linux
boxes, it does not support symmetric multiprocessing or actively hide itself at
the kernel level. The good news is that those are shortcomings that limit the
rootkit's functionality and make it easier to detect. The bad news is that
these features could be added with about a week's worth of development
time.
[The Register 04Sep08]