rootkits

Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

rootkits

Post by Underpants? »

anyone been reading up on this? just curious to hear if anyone's got more words on it than eweek or ms. they've been plaguing linux distros for half a decade now but now appear to be rearing generations of fledgling MS parasites.
link.
I know the linux versions worry the stomach linings out of some of the best sysadmins, so this could become a real problem in short order. just my .02.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

I'm not bumping my own topic, just adding the lazy way.
http://www.computerworld.com/securityto ... 43,00.html
old story but interesting read, nonetheless.
^misantropia^
Posts: 4022
Joined: Sat Mar 12, 2005 6:24 pm

Post by ^misantropia^ »

I've heard some wild stories about rootkits but the key point is, the cracker needs access to your box/site/server/whatever first before he can install it. If you've got a secure setup, there's not much to worry about, esp. on *NIX where all vital utilities/daemons belong to root (a root with a weak password deserves what's coming to him). PS: you might want to try OpenBSD if you're worried about security.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

OpenBSD from what I understand is to date the most rock hard OS out there (to that end, so is OS X), and I would use it in a heartbeat were some of the third party apps I need ported. SELinux looks pretty solid thus far as well. As for not much to worry about, I would agree if you're only running a vanilla desktop config with a solid kernel and bulletproof firewall rules. You aren't suggesting corporate applications run as root, I'm assuming? Exploits on Apache, Sendmail and BIND come out often enough to leave most linux users uncomfortable. Add to that a buffer overflow and you've an open door marked 'root process' to the rest of the system.
In short, rootkits are prevalent, some have said that linux is the "most breached" OS out there.
Now that the hidden process game is starting to emerge in the Windows realm, I personally am a bit concerned.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

Underpants? wrote: Now that the hidden process game is starting to emerge in the Windows realm, I personally am a bit concerned.
Quite agreed. http://www.rootkit.com has some good info and MS and Symantec (and many others I'm sure) are all working on detection apps.

http://www.sysinternals.com has a free detection tool as well right now but it's far from friendly.
^misantropia^
Posts: 4022
Joined: Sat Mar 12, 2005 6:24 pm

Post by ^misantropia^ »

Underpants? wrote:You aren't suggesting corporate applications run as root, I'm assuming? Exploits on Apache, Sendmail and BIND come out often enough to leave most linux users uncomfortable.
Heh, no. Should've been a bit more clear on that but it was late and I was rather groggy. On your average distro, root owns the binary but it's run as a different user with little or no privileges. So, even when a service/daemon gets hijacked, the cracker can't replace it with a copy of his own since he only has the credentials of said user. setuid root and kernel-land exploits are another story, though.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

Tormentius wrote:
Underpants? wrote: Now that the hidden process game is starting to emerge in the Windows realm, I personally am a bit concerned.
Quite agreed. http://www.rootkit.com has some good info and MS and Symantec (and many others I'm sure) are all working on detection apps.

http://www.sysinternals.com has a free detection tool as well right now but it's far from friendly.
Sysinternals bleeds gold, I love those guys.. Hopefully soon the big guns will develop tools which allow detection and smothering of the injected shitbird binaries as well as the keys in one fell swoop.
All I can say is this took some insight; it makes my conspiracy theory sciatica ache.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

^misantropia^ wrote:
Underpants? wrote:You aren't suggesting corporate applications run as root, I'm assuming? Exploits on Apache, Sendmail and BIND come out often enough to leave most linux users uncomfortable.
Heh, no. Should've been a bit more clear on that but it was late and I was rather groggy. On your average distro, root owns the binary but it's run as a different user with little or no privileges. So, even when a service/daemon gets hijacked, the cracker can't replace it with a copy of his own since he only has the credentials of said user. setuid root and kernel-land exploits are another story, though.
there're tons, eh?
here's a relative qualifier.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

Underpants? wrote:Sysinternals bleeds gold, I love those guys.. Hopefully soon the big guns will develop tools which allow detection and smothering of the injected shitbird binaries as well as the keys in one fell swoop.
All I can say is this took some insight; it makes my conspiracy theory sciatica ache.
Yeah, the Sysinternals guys are great. I can't say that I've had occasion to use all their tools yet but the process viewer is a good one for tracking scumware and regmon is kinda nice when it comes to repackaging apps.

FYI, here is Microsoft research's info on their rootkit detector.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Post by Underpants? »

thanks torm, I heard mumblings about this but couldn't find it.. think I left my fucking memory in a jar of paint thinner back before beer was cheap.

ffs:
"Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. " :lol: :lol:

:ninja:
mad, mad conspiracies.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Post by Tormentius »

Underpants? wrote:thanks torm, I heard mumblings about this but couldn't find it.. think I left my fucking memory in a jar of paint thinner back before beer was cheap.

ffs:
"Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. " :lol: :lol:

:ninja:
mad, mad conspiracies.
Yeah, it's some pretty disturbing stuff, especially for an admin. Think of the amount of owned corporate PCs out there already....ugh.

I hear ya on the memory too. It just gets rustier as the summer gets closer and the patios get more inviting.
^misantropia^
Posts: 4022
Joined: Sat Mar 12, 2005 6:24 pm

Post by ^misantropia^ »

Underpants? wrote:there're tons, eh?
here's a relative qualifier.
Well... yes. But you shouldn't be running a server as root. Most of these setuid root exploits are nothing more than a sysadm not doing his job properly (sane programs give up their privileges at startup, before accepting connections/requests from clients).
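The pattern ^misantropia^ describes in this reply and in the earlier one (root owns the binary, the daemon runs as a low-privilege user, and "sane programs give up their privileges at startup, before accepting connections") looks like this in code. This is an added example, not code from anyone in the thread: the daemon does its privileged setup (binding the listening socket) while still root, then drops to an unprivileged account and verifies that root cannot be regained, so a hijacked request handler holds only that account's credentials. The account name `nobody`, binding to port 0, and the function names are assumptions made for the example.

```python
import os
import pwd
import socket


def resolve_unprivileged_target(fallback_user="nobody"):
    """Choose the uid/gid the daemon will run as after setup.

    When started as root, look up an unprivileged account (the name 'nobody'
    is an assumption; a real daemon uses a dedicated service user). When
    already unprivileged, keep the current ids so the drop routine can still
    be exercised, e.g. in a non-root test run.
    """
    if os.geteuid() == 0:
        pw = pwd.getpwnam(fallback_user)
        return pw.pw_uid, pw.pw_gid
    return os.getuid(), os.getgid()


def drop_privileges(uid, gid):
    """Irreversibly give up root and prove it.

    Order matters: supplementary groups are cleared first (only root may do
    that), then the gid, then the uid; once setuid() succeeds the process can
    no longer change its groups. setgid()/setuid() set the real, effective
    and saved ids together, so no saved root id is left to swap back to.
    """
    if os.geteuid() == 0:
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)

    # Verification: any attempt to become root again must now fail (EPERM).
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop failed: process regained uid 0")

    return {
        "uid": os.getuid(), "euid": os.geteuid(),
        "gid": os.getgid(), "egid": os.getegid(),
    }


def binary_is_protected(path, service_uid):
    """The property the thread relies on: the daemon binary is owned by root
    and writable neither by its group nor by the world, so the service
    account that runs it cannot replace it with a copy of its own."""
    st = os.stat(path)
    group_or_world_writable = bool(st.st_mode & 0o022)
    return st.st_uid == 0 and st.st_uid != service_uid and not group_or_world_writable


def bind_then_drop(port=0, host="127.0.0.1"):
    """Do the privileged work while root, drop, then serve.

    Binding a port below 1024 needs root, so the socket is opened first and
    the privileges are dropped before any client request is read. port=0
    asks the kernel for an ephemeral port so the example also runs
    unprivileged. Returns the bound port and the ids the daemon ended with.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(8)
    bound_port = listener.getsockname()[1]

    ids = drop_privileges(*resolve_unprivileged_target())

    # From here on a hijacked handler runs with `ids`, not root: it can still
    # accept connections on the already-open socket, but it cannot rebind a
    # privileged port, overwrite root-owned binaries, or touch the kernel.
    listener.close()  # the example does not actually serve requests
    return bound_port, ids


if __name__ == "__main__":
    port, ids = bind_then_drop()
    print(f"listening socket was bound on port {port}; now running as {ids}")
```

Run it as root to see the drop to `nobody`; run it as a normal user and it still completes, because setgid()/setuid() to your own ids are permitted and the re-escalation check fails exactly as it should. The setuid-root and kernel-land cases the thread sets aside are exactly the ones this pattern does not cover: a setuid-root binary starts with root already in hand, and a kernel exploit bypasses user-id checks entirely.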