Forwarded from: Kristian Erik Hermansen <kristian.hermansen (at) gmail.com> I met Anthony and saw this same talk previewed at the Southern California Linux Expo (SCALE), where I was also speaking. Abstract: http://scale7x.socallinuxexpo.org/conference-info/speakers/anthony-lineberry Slides: http://scale7x.socallinuxexpo.org/sites/scale7x.socallinuxexpo.org/files/Anthony_Lineberry.ppt My Abstract: http://scale7x.socallinuxexpo.org/conference-info/speakers/kristian-erik-hermansen-0 I asked Anthony if it would be possible to detect his rootkit by utilizing Cold Boot attacks, and he confirmed that it would be possible. However, okease refer to the talk slides for details on the specifics of what kernel structures are modified. Cheers, > http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=216500687 > > By Kelly Jackson Higgins > DarkReading > April 14, 2009 > > Kernel rootkits are tough enough to detect, but now a researcher has > demonstrated an even sneakier method of hacking Linux. > > The attack attack exploits an oft-forgotten function in Linux versions > 2.4 and above in order to quietly insert a rootkit into the operating > system kernel as a way to hide malware processes, hijack system calls, > and open remote backdoors into the machine, for instance. At Black Hat > Europe this week in Amsterdam, Anthony Lineberry, senior software > engineer for Flexilis, will demonstrate how to hack the Linux kernel > by exploiting the driver interface to physically addressable memory in > Linux, called /dev/mem. > > "One of bonuses of this [approach] is that most kernel module rootkits > make a lot noise when they are inserting [the code]. This one is > directly manipulating" the memory, so it's less noticeable, he says. > > The /dev/mem "device" can be opened like a file, and you can read and > write to it like a text file, Lineberry says. It's normally used for > debugging the kernel, for instance. > > [...] -- Kristian Erik Hermansen _______________________________________________ Best Selling Security Books and More! http://www.shopinfosecnews.org/Received on Wed Apr 15 2009 - 22:09:03 PDT
This archive was generated by hypermail 2.2.0 : Wed Apr 15 2009 - 22:19:50 PDT