A Look at BSD Rootkits

blackbearnh writes "Windows has a reputation for being easily exploited by rootkits, but just because you're using Linux or BSD doesn't mean you're safe from infection. In an interview on O'Reilly's ONLamp site, Joseph Kong (author of Designing BSD Rootkits), talks about how to build and defend against rootkits under BSD. 'I know a lot of people who refer to rootkits and rootkit-detectors as being in a big game of cat and mouse. However, it's really more like follow the leader — with rootkit authors always being the leader. Kind of grim, but that's really how it is. Until someone reveals how a specific (or certain class of) rootkit works, nobody thinks about protecting that part of the system. And when they do, the rootkit authors just find a way around it. This is what I meant earlier when I said rootkit hunting is hard — as you really have to validate the integrity of the entire system.'"
  • Basically, once someone has gotten their code running on your system, they can do anything they want, and they can pretty much keep you from noticing that they're there. If you go looking for them, though, odds are you'll find them... but who's going to go looking?

    There's no magical difference between "rootkits" and any other trick for hiding code in a system... it doesn't matter if it's a "virus", or a "rootkit" or even a "polymorphic perverse passive-aggressive viral-enhanced trojan rootkit" (or whatever the cool terminology of the week is), the trick to hiding is to change the things you know the rootkit detectors or antivirus software is looking for so they look right. The trick to finding them is to look in more places, and look in ways that they haven't thought of covering up. But the real trick is keeping them out in the first place.

    Security is like sex... once you're penetrated you're ****ed. If the basic software is designed so that when implemented as documented there's no mechanism for an attacker to use, then you're in pretty good shape. At least, you will be able to fix any holes that DO show up without breaking working software. And that's the main disadvantage Windows has... there's just too much everyday software and important APIs that are inherently insecure. Even when implemented as documented, there are attacks... which is why they have all those security dialogs: those dialogs come down to "this program is about to do something that might be stupid, is that OK?".

    At the very least, you need to cut that down to "you just asked to do something that might be stupid, do you mean it?".
  • by jimicus ( 737525 ) on Thursday May 31, 2007 @05:27PM (#19344203)
    Could someone explain how exactly a rootkit detector can guarantee to be even vaguely reliable on a rooted system? By definition, once rooted you can't trust any of the underlying libraries or even the kernel to do as you expect.

    My understanding was the best you can do is boot from CD and then examine the hard disk which actually has the OS installed.
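The offline check jimicus describes, as an added example that is not part of the post or the interview: a baseline manifest of file hashes and permission bits is built while the system is known-good, and later the same tree is re-hashed from a trusted boot (the live CD) with the suspect disk mounted read-only, so the comparison never depends on the suspect system's kernel or libraries. The directory layout, file contents and the "tampering" steps are all constructed inside the block so it runs offline; the function names and the manifest format are this example's own.

```python
"""
Offline file-integrity check of the kind described in the comment above.
Constructed example: the sample tree, its contents and the tampering are
all created in a temporary directory; nothing here touches a real system.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root) to its
    SHA-256 digest and permission bits. Symlinks are skipped on purpose:
    following them would hash whatever they point at, not the link itself."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode & 0o7777
            manifest[rel] = {"sha256": sha256_of(full), "mode": mode}
    return manifest


def verify(manifest, root):
    """Re-hash root and report every difference from the baseline manifest.
    In real use `manifest` comes from read-only media and `root` is the
    suspect filesystem mounted from a trusted boot."""
    current = build_manifest(root)
    both = [p for p in manifest if p in current]
    return {
        "modified": sorted(p for p in both
                           if current[p]["sha256"] != manifest[p]["sha256"]),
        "mode_changed": sorted(p for p in both
                               if current[p]["mode"] != manifest[p]["mode"]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, data, mode=0o644):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Build a constructed known-good tree, snapshot it, tamper with it the
    way a post-compromise change might look, and return the verify() report."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed "known-good" system: names chosen for illustration only.
        _write(root, "bin/ls", b"original ls binary\n", 0o755)
        _write(root, "bin/ps", b"original ps binary\n", 0o755)
        _write(root, "etc/rc.conf", b'hostname="example"\n', 0o644)
        baseline = build_manifest(root)

        # Constructed tampering: one binary replaced, one config removed,
        # one unexpected file dropped in, one permission change.
        _write(root, "bin/ps", b"replaced ps binary\n", 0o755)
        os.remove(os.path.join(root, "etc/rc.conf"))
        _write(root, "lib/unexpected_module.ko", b"not in baseline\n", 0o644)
        os.chmod(os.path.join(root, "bin/ls"), 0o700)

        return verify(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The report is only as trustworthy as the environment that produces it: the manifest must be taken before compromise and stored where the suspect system cannot rewrite it, and the verification has to run under a kernel that is not the one being checked, which is exactly why the boot-from-CD step matters. Anything present on disk but absent from the manifest ("added") deserves the same attention as a changed hash, since a file list is the one thing a hidden-process trick cannot fake from outside the running system.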
  • Re:bogus remarks (Score:2, Insightful)

    by AKAImBatman ( 238306 ) * <akaimbatman@gmaYEATSil.com minus poet> on Friday June 01, 2007 @12:29AM (#19347803) Homepage Journal
    And thank you for keeping it civil and on topic. :-)
