Difference between revisions of "OpenChaos/Malware Linux"
Both revisions by Mario Manno (talk | contribs); the later revision only added a category.
Revision as of 23:13, 4 November 2004
Slides at http://www.mmweg.rwth-aachen.de/~thorsten.holz/summerschool/malware-unix.pdf
Contents
runtime kernel patching
- /dev/kmem - raw I/O capability needed from the kernel
- kmalloc for the rootkit code
- suckit changes the pointer to the syscall in the IDT
hide modules by
- delete the module from the module list (adore) by changing the syscall table
- modify the VFS (adore-ng)
- parasitic module infection (adore-ng, optional), changes the module file
- runtime kernel patching (suckit) (copy of the syscall table ... IDT)
- static kernel patching - place code in the kernel image
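As an added example (not from the talk or slides, and not code from adore or suckit), one defender-side check for the "delete module from the module list" trick above: compare the modules named in /proc/modules with the loaded modules sysfs knows about. It assumes a Linux 2.6+ kernel where every loaded (non-built-in) module has a /sys/module/<name>/initstate file; the sample listing is constructed. A rootkit that also hooks the VFS, as adore-ng does, can hide from sysfs too, so a mismatch is evidence, not proof, and an empty result is not a clean bill of health.

```python
import os
import re

# One /proc/modules line: name size refcount dependencies state load_address
PROC_MODULES_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_proc_modules(text):
    """Map each module named in /proc/modules text to its size in bytes."""
    modules = {}
    for line in text.splitlines():
        match = PROC_MODULES_RE.match(line)
        if match:
            modules[match.group(1)] = int(match.group(2))
    return modules


def hidden_modules(proc_modules_text, sysfs_loaded_names):
    """Return loaded modules that sysfs knows about but /proc/modules does not.

    sysfs_loaded_names must already exclude built-in modules (see
    sysfs_loaded_module_names): built-ins appear under /sys/module
    without ever being listed in /proc/modules, so they are not hidden.
    """
    listed = set(parse_proc_modules(proc_modules_text))
    return sorted(set(sysfs_loaded_names) - listed)


def sysfs_loaded_module_names(sys_module_dir="/sys/module"):
    """Names under /sys/module that carry an 'initstate' file (loaded modules, not built-ins)."""
    names = []
    for name in os.listdir(sys_module_dir):
        if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
            names.append(name)
    return names


# Constructed sample data (not captured from a real system): /proc/modules
# names three modules, while sysfs additionally knows a fourth one.
SAMPLE_PROC_MODULES = """\
ext4 737280 2 - Live 0xffffffffc0a00000
jbd2 122880 1 ext4, Live 0xffffffffc09c0000
e1000 167936 0 - Live 0xffffffffc0980000
"""
SAMPLE_SYSFS_LOADED = ["ext4", "jbd2", "e1000", "adore_ng"]

if __name__ == "__main__":
    print("hidden in sample:", hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS_LOADED))
    if os.path.isdir("/sys/module"):  # live check, only on a Linux host with sysfs
        with open("/proc/modules") as fh:
            print("hidden on this host:", hidden_modules(fh.read(), sysfs_loaded_module_names()))
```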
Sebek
- builds an sk_buff struct and sends it to the device
Virus
- ELF header infection
- RST.B Virus
rootkit hunter
- chkrootkit
- tiger
grsec
- grsec, trusted path execution: users cannot execute programs they are able to write to
Antivirus for Linux
- f-prot
- clamav
- hb-antivir