Difference between revisions of "OpenChaos/Malware Linux"
Mario Manno (talk | contribs) |
(Added two links and another rootkit hunter.) |
||
| Line 21: | Line 21: | ||
==rootkit hunter== | ==rootkit hunter== | ||
| − | * chkrootkit | + | * [http://www.chkrootkit.org chkrootkit] |
| − | * tiger | + | * [http://rootkit.nl rkhunter] |
| + | * tiger | ||
==grsec== | ==grsec== | ||
Revision as of 20:54, 6 November 2004
Folien unter http://www.mmweg.rwth-aachen.de/~thorsten.holz/summerschool/malware-unix.pdf
Contents
runtime kernel patching
- /dev/kmem - raw i/o capability needed from kernel
- kmalloc fuer rootkit code
- suckit aendert pointer auf syscall in der IDT
hide modules by
- delete module from module list (adore) by changing syscall table
- modify vfs (adore-ng)
- parasitic module infection (adore-ng optional), changes the module file
- runtime-kernel patching (suckit) (copy der syscall table ...idt)
- static kernel patching - im kernel image code ablegen
Sebek
- baut sk_buff struct und schickt sie an device
Virus
- ELF header infection
- RST.B Virus
rootkit hunter
- chkrootkit
- rkhunter
- tiger
grsec
- grsec, trusted path execution, benutzer koennen keine programme ausfuehren die sie schreiben koennen
Antivirus Virus Linux
- f-prot
- clamav
- hb-antivir
