Quake3World.com Forums
     Technology & Troubleshooting
        rootkits

Underpants? (Elite, joined 21 Oct 2001, 6519 posts) | Posted: 04-25-2005 02:22 PM

Anyone been reading up on this? Just curious to hear if anyone's got more words on it than eWeek or MS. They've been plaguing Linux distros for half a decade now but now appear to be rearing generations of fledgling MS parasites.
link.
I know the Linux versions worry the stomach linings out of some of the best sysadmins, so this could become a real problem in short order. Just my .02.

Underpants? (Elite, joined 21 Oct 2001, 6519 posts) | Posted: 04-25-2005 02:25 PM

I'm not bumping my own topic, just adding the lazy way.
http://www.computerworld.com/securityto ... 43,00.html
Old story but interesting read, nonetheless.

^misantropia^ (Mentor, joined 12 Mar 2005, 3958 posts) | Posted: 04-25-2005 03:19 PM

I've heard some wild stories about rootkits but the key point is, the cracker needs access to your box/site/server/whatever first before he can install it. If you've got a secure setup, there's not much to worry about, esp. on *NIX where all vital utilities/daemons belong to root (a root with a weak password deserves what's coming to him). PS: you might want to try OpenBSD if you're worried about security.

Underpants? (Elite, joined 21 Oct 2001, 6519 posts) | Posted: 04-25-2005 08:01 PM

OpenBSD, from what I understand, is to date the most rock-hard OS out there (to that end, so is OS X), and I would use it in a heartbeat were some of the third-party apps I need ported. SELinux looks pretty solid thus far as well. As for not much to worry about, I would agree if you're only running a vanilla desktop config with a solid kernel and bulletproof firewall rules. You aren't suggesting corporate applications run as root, I'm assuming? Exploits on Apache, Sendmail and BIND come out often enough to leave most Linux users uncomfortable. Add to that a buffer overflow and you've an open door marked 'root process' to the rest of the system.
In short, rootkits are prevalent; some have said that Linux is the "most breached" OS out there.
Now that the hidden-process game is starting to emerge in the Windows realm, I personally am a bit concerned.

Tormentius (The voices in your head, joined 14 Dec 2002, 10054 posts) | Posted: 04-25-2005 10:09 PM

Underpants? wrote:
Now that the hidden process game is starting to emerge in the Windows realm, I personally am a bit concerned.


Quite agreed. http://www.rootkit.com has some good info and MS and Symantec (and many others I'm sure) are all working on detection apps.

http://www.sysinternals.com has a free detection tool as well right now, but it's far from friendly.

^misantropia^ (Mentor, joined 12 Mar 2005, 3958 posts) | Posted: 04-26-2005 03:36 AM

Underpants? wrote:
You aren't suggesting corporate applications run as root, I'm assuming? Exploits on Apache, Sendmail and BIND come out often enough to leave most linux users uncomfortable.


Heh, no. Should've been a bit more clear on that but it was late and I was rather groggy. On your average distro, root owns the binary but it's run as a different user with little or no privileges. So, even when a service/daemon gets hijacked, the cracker can't replace it with a copy of his own since he only has the credentials of said user. setuid root and kernel-land exploits are another story, though.

Underpants? (Elite, joined 21 Oct 2001, 6519 posts) | Posted: 04-26-2005 06:59 AM

Tormentius wrote:
Underpants? wrote:
Now that the hidden process game is starting to emerge in the Windows realm, I personally am a bit concerned.


Quite agreed. http://www.rootkit.com has some good info and MS and Symantec (and many others I'm sure) are all working on detection apps.

http://www.sysinternals.com has a free detection tool as well right now but its far from friendly.


Sysinternals bleeds gold, I love those guys. Hopefully soon the big guns will develop tools which allow detection and smothering of the injected shitbird binaries as well as the keys in one fell swoop.
All I can say is this took some insight; it makes my conspiracy theory sciatica ache.

Underpants? (Elite, joined 21 Oct 2001, 6519 posts) | Posted: 04-26-2005 07:38 AM

^misantropia^ wrote:
Underpants? wrote:
You aren't suggesting corporate applications run as root, I'm assuming? Exploits on Apache, Sendmail and BIND come out often enough to leave most linux users uncomfortable.


Heh, no. Should've been a bit more clear on that but it was late and I was rather groggy. On your average distro, root owns the binary but it's run as a different user with little or no privileges. So, even when a service/daemon gets hijacked, the cracker can't replace it with a copy of his own since he only has the credentials of said user. setuid root and kernel-land exploits are another story, though.


there're tons, eh?
here's a relative qualifier.

Tormentius (The voices in your head, joined 14 Dec 2002, 10054 posts) | Posted: 04-26-2005 08:03 AM

Underpants? wrote:
Sysinternals bleeds gold, I love those guys.. Hopefully soon the big guns will develop tools which allow detection and smothering of the injected shitbird binaries as well as the keys in one fell swoop.
All I can say is this took some insight; it makes my conspiracy theory sciatica ache.


Yeah, the Sysinternals guys are great. I can't say that I've had occasion to use all their tools yet, but the process viewer is a good one for tracking scumware and Regmon is kinda nice when it comes to repackaging apps.

FYI, here is Microsoft Research's info on their rootkit detector.

Underpants? (Elite, joined 21 Oct 2001, 6519 posts) | Posted: 04-26-2005 10:32 AM

Thanks Torm, I heard mumblings about this but couldn't find it. Think I left my fucking memory in a jar of paint thinner back before beer was cheap.

ffs:
"Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. " :lol: :lol:

:ninja:
mad, mad conspiracies.

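The detection tools mentioned in this thread (the Sysinternals one, the Microsoft Research one) work by cross-view comparison: ask the system the ordinary way, enumerate again by a route the rootkit is less likely to have hooked, and diff the two answers. The quoted note about false positives is a direct consequence of that design. Below is an added example of the same idea applied to Linux processes instead of Windows; it is not code from the thread or from either tool. The pid ceiling (MAX_PID), the /proc layout and the Tgid-based thread filter are assumptions about the host running it.

```c
/* Added example, not code from the thread or from any tool linked in it:
 * the cross-view idea behind hidden-process detectors, applied to Linux.
 * View A is what readdir() on /proc admits to (the call a rootkit hooks);
 * view B asks for each pid by name with stat("/proc/<pid>").  A pid in B but
 * not in A is a candidate.  MAX_PID and the /proc layout are assumptions. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_PID 32768          /* classic Linux default for kernel.pid_max */

/* View A: mark every numeric entry a directory listing of /proc returns. */
static void list_proc(char *listed, size_t max_pid)
{
    memset(listed, 0, max_pid);
    DIR *d = opendir("/proc");
    if (!d) return;            /* no procfs (e.g. macOS): empty view */
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && (size_t)pid < max_pid)
            listed[pid] = 1;
    }
    closedir(d);
}

/* View B: a hook that filters readdir() results does nothing against a
 * direct lookup of the pid's own directory. */
static int probe_pid(long pid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", pid);
    return stat(path, &st) == 0;
}

/* Linux lists only thread-group leaders in /proc, yet /proc/<tid> resolves
 * for every thread, so a naive cross-view flags every thread as hidden.
 * Returns 1 when pid is a non-leader thread (Tgid differs from Pid). */
static int is_non_leader_thread(long pid)
{
    char path[64], line[128];
    long tgid = pid;
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %ld", &tgid) == 1) break;
    fclose(f);
    return tgid != pid;
}

/* Pure comparison over two bitmaps so it can be checked on fixed data:
 * writes pids present in `probed` but absent from `listed` into `hidden`. */
size_t cross_view_diff(const char *listed, const char *probed, size_t max_pid,
                       long *hidden, size_t cap)
{
    size_t n = 0;
    for (size_t pid = 1; pid < max_pid && n < cap; pid++)
        if (probed[pid] && !listed[pid])
            hidden[n++] = (long)pid;
    return n;
}

/* Live scan.  Processes that start or exit between the two views are the
 * "false positives" the Microsoft note warns about; threads are the other
 * systematic one.  Each candidate is re-listed, re-probed and checked
 * against Tgid before it is reported. */
size_t scan_hidden_pids(long *hidden, size_t cap)
{
    static char listed[MAX_PID], probed[MAX_PID];
    list_proc(listed, MAX_PID);
    for (long pid = 1; pid < MAX_PID; pid++)
        probed[pid] = (char)probe_pid(pid);
    size_t n = cross_view_diff(listed, probed, MAX_PID, hidden, cap);

    list_proc(listed, MAX_PID);           /* second view for the re-check */
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        long pid = hidden[i];
        if (!listed[pid] && probe_pid(pid) && !is_non_leader_thread(pid))
            hidden[kept++] = pid;
    }
    return kept;
}

int main(void)
{
    long hidden[256];
    size_t n = scan_hidden_pids(hidden, 256);
    printf("%zu pid(s) visible to stat() but not to readdir():", n);
    for (size_t i = 0; i < n; i++) printf(" %ld", hidden[i]);
    printf("\n");
    return n ? 2 : 0;
}
```

The thread filter is the part that bites in practice: Linux hides non-leader threads from readdir() on /proc while still resolving /proc/<tid>, so without the Tgid check every multithreaded process on the box would show up as a hit. Whatever survives the re-check is what a cross-view tool hands to the operator for a manual look; it is evidence of inconsistency between two views, not proof of a specific rootkit.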

Tormentius (The voices in your head, joined 14 Dec 2002, 10054 posts) | Posted: 04-26-2005 12:20 PM

Underpants? wrote:
thanks torm, I heard mumblings about this but couldn't find it.. think I left my fucking memory in a jar of paint thinner back before beer was cheap.

ffs:
"Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. " :lol: :lol:

:ninja:
mad, mad conspiracies.


Yeah, it's some pretty disturbing stuff, especially for an admin. Think of the number of owned corporate PCs out there already... ugh.

I hear ya on the memory too. It just gets rustier as the summer gets closer and the patios get more inviting.

^misantropia^ (Mentor, joined 12 Mar 2005, 3958 posts) | Posted: 04-26-2005 01:45 PM

Underpants? wrote:
there're tons, eh?
here's a relative qualifier.


Well... yes. But you shouldn't be running a server as root. Most of these setuid root exploits are nothing more than a sysadm not doing his job properly (sane programs give up their privileges at startup, before accepting connections/requests from clients).

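The privilege drop ^misantropia^ describes in this post and the earlier one (root owns the binary, the daemon runs as an unprivileged user, and it gives up root at startup before accepting connections), written out as an added example. This is not code from the thread or from Apache, Sendmail or BIND. The target uid/gid 65534 ("nobody" on most distributions) and the /bin/sh writability check are assumptions for the demonstration.

```c
/* Added example (not from the thread): the "give up privileges before
 * accepting connections" idiom, with the call order and the post-drop check
 * that a daemon needs for the drop to be real rather than cosmetic.  The
 * target uid/gid 65534 ("nobody" on most distros) is an assumption. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently switch to an unprivileged uid/gid.  Returns 0 on success,
 * -1 (with errno set) if any step failed or root could be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {            /* refuse a "drop" that keeps root */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0) {
        /* Order matters: supplementary groups and the gid can only be changed
         * while we are still root, so they go before setuid(). */
        if (setgroups(0, NULL) != 0) return -1;
        if (setgid(gid) != 0) return -1;
        if (setuid(uid) != 0) return -1;   /* as root: real, effective and saved uid */
    } else if (getuid() != uid || getgid() != gid) {
        errno = EPERM;                     /* unprivileged: cannot switch identity */
        return -1;
    }
    /* Verify the drop is irreversible.  If setuid(0) still works, a saved
     * uid was left behind and a hijacked request handler could reclaim root. */
    if (setuid(0) != -1 || setgid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    if (geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Can the current identity overwrite `path`?  For a correctly deployed
 * daemon this is 0 for its own root-owned binary after the drop. */
int can_overwrite(const char *path)
{
    return access(path, W_OK) == 0;
}

int main(void)
{
    /* Demo target: 65534 when started as root, otherwise our own identity
     * (an unprivileged process can only confirm it is already unprivileged). */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();

    printf("before: euid=%u can_overwrite(/bin/sh)=%d\n",
           (unsigned)geteuid(), can_overwrite("/bin/sh"));
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("after:  euid=%u can_overwrite(/bin/sh)=%d\n",
           (unsigned)geteuid(), can_overwrite("/bin/sh"));
    /* Only now would a real daemon call listen()/accept(). */
    return 0;
}
```

Run as root it drops to 65534 and the second can_overwrite line prints 0; run unprivileged it only confirms the process is already unprivileged. The order is the part worth remembering: setgroups() and setgid() need root, so they come before setuid(), and the setuid(0) call afterwards is the proof that no saved uid was left behind for an exploit in the request path to reclaim. A daemon that skips any of these steps is the setuid-root case the post treats as "another story".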

© ZeniMax. Zenimax, QUAKE III ARENA, Id Software and associated trademarks are trademarks of the ZeniMax group of companies. All rights reserved.
This is an unofficial fan website without any affiliation with or endorsement by ZeniMax.
All views and opinions expressed are those of the author.