----- Original Message -----
From: Marc Esipovich <marcat_private>
To: <BUGTRAQat_private>
Sent: Wednesday, December 22, 1999 3:20 AM
Subject: Re: Announcement: Solaris loadable kernel module backdoor

> > With the proliferation of these types of backdoors, is there any way to
> > prevent your 'r00t3d' box from being backdoored?

Not completely. Being root means they can change almost anything. One helpful thing is to install a program such as tripwire that stores checksums of your files. However, tripwire can also be duped into believing everything is all right (perhaps by modifying the kernel).

Another idea would be to store copies of /bin, /usr/bin, /usr/sbin, /sbin, etc. on a CD-ROM drive and back up from those frequently, need it or not. This will ensure that if any of these is tampered with, an original will be restored on a regular basis.

> Basically it comes down to this, can you trust your own kernel?...
> you wake up one morning, read an article about backdoor kernel modules,
> and quickly run off to fix your system, at that point, how can you tell
> you're not already infected by such a module? when you can't trust your
> kernel, you can't trust anything on your entire system.

Often, you can't. UNIX users have had this problem for a while because of loadable kernel modules and because you can recompile the kernel. Recently, Windows NT users have begun to face the same problem (see Phrack 55) because there are now known ways to patch the NT kernel. See www.phrack.com and www.cell2000.net/security/ for more information. I have source code (C++) for a program that can add one of the described patches and remove both of them from an SP3 kernel under NT.

-steven
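The two mitigations in the reply above (a tripwire-style checksum baseline, and restoring system binaries from a read-only master copy) as one worked example. This is an added illustration, not code from the original post or from the tripwire project. It assumes POSIX sh with find, sort, awk and either sha256sum or shasum, and that file names contain no whitespace (the awk field split depends on that). The sample tree it builds is constructed for the demonstration and stands in for /bin; MASTER/ plays the CD-ROM copy and LIVE/ the running system. The caveat from the post still applies: a kernel-level backdoor can lie to any user-space checker, so the check is only as trustworthy as the kernel it runs under, and is best run after booting from clean media.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal tripwire-style
# integrity baseline plus a restore-from-pristine-copy step.
# Assumptions: POSIX sh, find, sort, awk, sha256sum or shasum; file names
# without spaces or newlines. The sample tree below is constructed.

# Print "<sha256>  <path>" for one file with whichever tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# make_baseline DIR OUT: record a sha256 for every regular file under DIR.
# Paths are relative to DIR so one baseline serves both the master copy
# and the live tree.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          hash_file "$f"
      done ) > "$2"
}

# verify_baseline DIR BASELINE: print one line per difference between the
# current tree and the stored baseline (ADDED, MODIFIED or REMOVED <path>),
# sorted for deterministic output. Prints nothing when the tree is clean.
verify_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    awk 'NR == FNR { old[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in old))       print "ADDED " $2
             else if (old[$2] != $1) print "MODIFIED " $2
         }
         END { for (f in old) if (!(f in seen)) print "REMOVED " f }' \
        "$2" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# restore_from_master MASTER LIVE BASELINE: copy the pristine version of
# every MODIFIED or REMOVED file back from MASTER (the read-only copy).
# ADDED files are reported by verify_baseline but left for a human to inspect.
restore_from_master() {
    master=$1; live=$2; base=$3
    verify_baseline "$live" "$base" | while read -r status path; do
        case $status in
            MODIFIED|REMOVED)
                mkdir -p "$live/$(dirname "$path")"
                cp -p "$master/$path" "$live/$path"
                echo "RESTORED $path"
                ;;
        esac
    done
}

# build_sandbox: construct a tiny sample layout (not real system binaries).
# Prints the sandbox directory; MASTER/ is the pristine copy, LIVE/ the system.
build_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/master/bin" "$sb/live"
    printf 'pristine login\n' > "$sb/master/bin/login"
    printf 'pristine ls\n'    > "$sb/master/bin/ls"
    cp -R "$sb/master/bin" "$sb/live/bin"
    make_baseline "$sb/master" "$sb/baseline"
    echo "$sb"
}

# tamper SANDBOX: simulate an intruder: trojan one binary, delete another,
# and drop a hidden file.
tamper() {
    printf 'trojaned login\n' > "$1/live/bin/login"
    rm -f "$1/live/bin/ls"
    printf 'hidden payload\n' > "$1/live/bin/.rk"
}

# demo: run the whole cycle on the constructed tree.
demo() {
    sb=$(build_sandbox)
    echo "clean tree:";       verify_baseline "$sb/live" "$sb/baseline"
    tamper "$sb"
    echo "after tampering:";  verify_baseline "$sb/live" "$sb/baseline"
    restore_from_master "$sb/master" "$sb/live" "$sb/baseline"
    echo "after restore:";    verify_baseline "$sb/live" "$sb/baseline"
    rm -rf "$sb"
}
demo
```

In real use the baseline file and the master copy both belong on media the running system cannot write (the CD-ROM of the post, or a mount made read-only by another host), since an attacker with root can otherwise rewrite the baseline to match the trojaned files.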
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:21 PDT