On Thu, 2002-07-04 at 09:06, noir sin wrote:
>
> Resend:
> attachment moved to http://gsu.linux.org.tr/~noir/b.tar.gz
> since no more than 100K is allowed
>
> Hi,
>
> Recently, Dave Aitel posted a link to a loadable kernel module for the
> Solaris operating system to check its kernel integrity against backdoors.
> I downloaded and did some quick analysis on the "product". Simply, it does
> md5 checksumming on the sysent32 table where pointers to syscall handling
> kernel functions reside. These pointers are well known to be manipulated by
> backdoor lkm's to change the execution order and pre-execute some hacker
> code that will hide things or feed false information.

<lots of really interesting and cool stuff cut for brevity>

Well, BG 1.0 Free Demo (http://www.immunitysec.com/bodyguard.html) does do
the dereference. E.g., it checks the system call code itself, not the
sysent32 table. So theoretically adding exece to BodyGuard's checksum table
_would_ catch this method, at least for the moment. :> (I'll try this later
today to make sure.)

Did you check to see if you could do the same trick to stat64?

The demo version is somewhat limited in what it checks, but DOES work on
many "popular" kernel level rootkits. A lot of the goal was to give people
at least SOME recourse. I recognize that it becomes an escalating game of
SPY vs SPY, but BG does at least give non-hackers a chip to spend in the
game - something they didn't have until Monday :>. There's definitely a
window of time where BG will detect a rootkit.

This is why BG, to be successful, will have
1. Limited distribution
2. Slightly different executables for each customer
3. Be sold only on a subscription basis - new versions due out periodically
   throughout the year.

Dave Aitel
Immunity, Inc
www.immunitysec.com
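As an added illustration of the distinction the thread draws (this is not code from the post, from BodyGuard, or from any kernel): a user-space C simulation with a constructed three-entry sysent-style table (sysent_sim) and constructed handler byte buffers (handler_code), showing that a checksum over the table's pointer values alone misses a change inside a handler body, while a checksum that dereferences the entries and covers the handler code catches both that case and a redirected table entry. FNV-1a stands in for the MD5 the post mentions.

```c
#include <stdint.h>
#define NSYSCALLS 3
#define HANDLER_LEN 8
/* Constructed stand-in for kernel text: a small byte buffer per syscall handler. */
static unsigned char handler_code[NSYSCALLS][HANDLER_LEN] = {
    {0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3},
    {0x55, 0x48, 0x89, 0xe5, 0xb8, 0x01, 0x5d, 0xc3},
    {0x55, 0x48, 0x89, 0xe5, 0xb8, 0x02, 0x5d, 0xc3},
};
/* Simulated sysent-style table: each entry points at its handler's code. */
static unsigned char *sysent_sim[NSYSCALLS] = { handler_code[0], handler_code[1], handler_code[2] };
/* FNV-1a (64-bit), a simple stand-in for the MD5 the post describes. */
static uint64_t fnv1a(uint64_t h, const void *p, unsigned n) {
    const unsigned char *b = p;
    for (unsigned i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* Table-only check: hashes just the pointer values stored in the table. */
uint64_t checksum_table(void) {
    return fnv1a(0xcbf29ce484222325ULL, sysent_sim, sizeof sysent_sim);
}
/* Dereferencing check: follows each pointer and hashes the handler's code bytes. */
uint64_t checksum_handlers(void) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (unsigned i = 0; i < NSYSCALLS; i++) h = fnv1a(h, sysent_sim[i], HANDLER_LEN);
    return h;
}
enum { TABLE_CHANGED = 1, HANDLERS_CHANGED = 2 };
/* Compares fresh checksums with a recorded baseline; returns which checks fire. */
int verify(uint64_t base_table, uint64_t base_handlers) {
    int flags = 0;
    if (checksum_table() != base_table) flags |= TABLE_CHANGED;
    if (checksum_handlers() != base_handlers) flags |= HANDLERS_CHANGED;
    return flags;
}
/* Scenario A: a byte inside a handler body changes; the table pointer stays intact. */
int scenario_body_change(uint64_t bt, uint64_t bh) {
    handler_code[1][4] ^= 0xff;
    int r = verify(bt, bh);
    handler_code[1][4] ^= 0xff; /* restore */
    return r;
}
/* Scenario B: a table entry is redirected to a different handler. */
int scenario_table_change(uint64_t bt, uint64_t bh) {
    unsigned char *saved = sysent_sim[0];
    sysent_sim[0] = handler_code[2];
    int r = verify(bt, bh);
    sysent_sim[0] = saved; /* restore */
    return r;
}
```

Scenario A returns HANDLERS_CHANGED only, which is the case a table-only checksum never sees; scenario B returns both flags.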