
Unix/Linux rootkits 101

Filed under
Security

The term rootkit originated with a reference to the root user account on Unix systems. Rootkits are not limited to Unix, however, or even to administrative user accounts like the Unix root account. No matter what operating system you use, you should be familiar with good practices for detecting and dealing with the threat of rootkits.

What is a rootkit?

As Mike Mullins explained in Windows rootkits 101, rootkits are not exploits. They are not the means of cracking security and getting into your system in the first place. Instead, a rootkit is installed after the system has already been compromised. It then hides the malicious security cracker’s tracks when he or she revisits the system later, along with the tracks of any other malicious software left behind. A rootkit may also include a “back door” that lets the security cracker regain access at any time in the future.

On Unix systems such as Solaris or FreeBSD, and on Unix-like systems such as Linux, a number of different means may be used to cover the security cracker’s tracks. A common tactic is to replace system utility binaries such as ls and diff with versions that hide the attacker’s files and changes from whoever runs them. The key point to keep in mind when dealing with the threat of rootkits is that once a rootkit has been installed on a system, you can no longer trust any of the tools installed on that system to give you accurate information.

This is what makes accurate detection of rootkits and other changes by malicious security crackers a challenge. A rootkit that lives in the kernel (for example as a loadable module) can lie even to a pristine, statically linked tool run on the live system, because every file read and process listing passes through the kernel. Reliable checks are therefore made from trusted boot media, comparing the suspect filesystem, mounted read-only, against hashes recorded while the system was known-good or against the original distribution packages.
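As an added example, not code from the article: a small POSIX shell check that implements the offline comparison described above. It reads a manifest of SHA-256 hashes recorded while the system was known-good and reports every listed file under the suspect tree that has been modified or removed. The manifest format, the function names and the sample "binaries" are assumptions made here; the sample tree is constructed inside the script and is not taken from any real system. It assumes GNU coreutils (sha256sum, mktemp).

```shell
#!/bin/sh
# Added example (not from the article): verify a suspect filesystem's
# binaries against a manifest of SHA-256 hashes taken while the system was
# known-good. Run it from trusted media (a live CD or a known-clean host)
# with the suspect filesystem mounted read-only under ROOT, so that neither
# the sha256sum binary nor the kernel serving the reads is one a rootkit
# may have replaced. Assumes GNU coreutils (sha256sum, mktemp).

# verify_manifest MANIFEST ROOT
#   MANIFEST: lines of "<sha256>  <relative path>", i.e. the output of
#             "sha256sum bin/ls bin/diff ..." recorded on the clean system.
#   ROOT:     mount point of the suspect filesystem, e.g. /mnt/suspect.
# Prints one "MODIFIED <path>" or "MISSING <path>" line per discrepancy;
# returns 0 if everything matched, 1 otherwise.
verify_manifest() {
    manifest=$1
    root=$2
    bad=0
    while read -r expected path; do
        # skip blank lines in the manifest
        [ -z "$path" ] && continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            bad=$((bad + 1))
            continue
        fi
        # compare only the hash field; manifest paths are relative to ROOT
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# demo_rootkit_check: constructed scenario, not real system files. Builds a
# "clean" tree and a "suspect" copy in a temporary directory, records the
# manifest from the clean tree, then trojans the suspect tree's ls (a
# binary rootkits typically replace) and deletes its diff, leaving ps
# untouched. Prints the verifier's report.
demo_rootkit_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/bin" "$tmp/suspect/bin"
    printf 'original ls binary\n'   > "$tmp/clean/bin/ls"
    printf 'original diff binary\n' > "$tmp/clean/bin/diff"
    printf 'original ps binary\n'   > "$tmp/clean/bin/ps"
    cp "$tmp/clean/bin/ls" "$tmp/clean/bin/diff" "$tmp/clean/bin/ps" \
       "$tmp/suspect/bin/"
    # baseline, recorded while the system is still trusted
    (cd "$tmp/clean" && sha256sum bin/ls bin/diff bin/ps) > "$tmp/manifest"
    # simulated rootkit: trojaned ls, diff removed, ps untouched
    printf 'trojaned ls that hides the attacker\n' > "$tmp/suspect/bin/ls"
    rm "$tmp/suspect/bin/diff"
    verify_manifest "$tmp/manifest" "$tmp/suspect" || true
    rm -rf "$tmp"
}

demo_rootkit_check
```

In a real incident the manifest comes from the clean system (or from the distribution's own package files) and the check is run from a live CD against the suspect disk mounted under ROOT. Running it on the live suspect host defeats the purpose, since the kernel serving the reads may itself be the rootkit.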

Rootkit detection

Like a lot of people, I use the free anti-virus program Clamav on my mail server. Last week, I was seriously impressed with its performance.

It started last Wednesday, 25 July. At about noon, I received a mail from amavisd-new saying that it had blocked an e-mail containing a virus, Trojan.Downloader-11827. What was strange is that I received this message on an e-mail account which is protected by my ISP's proprietary anti-virus solution. So it had not caught this virus, while Clamav did. Then I submitted the file to virustotal.com, and apparently only a few (about five) anti-virus programs detected the virus, amongst others Kaspersky, F-Secure, NOD32, Bitdefender, Symantec and of course Clamav. In the clamav-virusdb mailing list archives, I found that Clamav had had detection for this virus since 7h21 CEST, so it was really amongst the first to detect this virus.

Clamav is great

Tux Machines Privacy Statement

Summary: Today, May 25th, the European General Data Protection Regulation (GDPR) goes into full effect; we hereby make a statement on privacy. As a matter of strict principle, this site never has and never will accumulate data on visitors (e.g. access logs) for longer than 28 days. The servers are configured to permanently delete all access data after this period of time. No 'offline' copies are made. Temporary logging is only required in case of DDoS attacks and cracking attempts, which is the sole purpose of keeping such access data at all. Additionally, we never have and never will sell any data pertaining to anything. We have never received demands for such data from authorities; even if we had, we would openly declare this (publicly, warrant-canary style) and decline to comply. Privacy is extremely important to us, which is why pages contain little or no cross-site channels (such as Google Analytics, 'interactive' buttons for 'social' media, etc.), and we won't be adding any. Google may be able to 'see' what pages people visit because of Google Translate (top left of every page), but that is not much worse than one's ISP 'seeing' the same thing. We are aware of this caveat. Should readers have any further questions on such matters, do not hesitate to contact us.

today's leftovers

  • S11E12 – Twelve Years a Slave
    It’s Season 11 Episode 12 of the Ubuntu Podcast! Alan Pope, Mark Johnson and Martin Wimpress are connected and speaking to your brain.
  • Porting guide from Qt 1.0 to 5.11
    We do try to keep breakages to a minimum, even in the major releases, but the changes do add up. This raises the question: How hard would it be to port a Qt application from Qt 1.0 to 5.11?
  • Thunderbolt Networking on Linux
    Thunderbolt allows for peer-to-peer network connections by connecting two computers directly via a Thunderbolt cable. Mika from Intel added support for this to the 4.15 kernel. Recently, Thomas Haller from NetworkManager and I worked together to figure out what needs to be done in userspace to make it work. As it turns out, it was not that hard and the pull request was merged swiftly.
  • What’s new in openSUSE Leap 15 – part 1
    openSUSE Leap 15 will be released on the 25th of May 2018! A new openSUSE release is always an exciting event. This means that I get to play with all kinds of new and improved software packages. I am aware that I can simply install openSUSE Tumbleweed and have a new release 4 or 5 times a week. But when using openSUSE Tumbleweed some time ago, I noticed that I was installing gigabytes of new software packages multiple times per week. The reason for that is that I have the complete opposite of a minimal install. I always install a lot of applications to play / experiment with (including a lot of open source games). I have been using openSUSE since 2009 and it covers all of my needs and then some. I am already happy with the available software, so there is no real reason for me to move at the speed of a rolling release. Therefore I prefer to move at the slower pace of the Leap releases.
  • GNOME Terminal: a little something for Fedora 29
    Can you spot what that is?
  • UBports To Work On Unity 8 / Mir / Wayland After OTA-4
    The UBports team have put out their latest batch of answers to common questions around this project that's still working to maintain the Ubuntu Touch software stack. The project's recent work has included getting QtWebEngine working on Mir, and before their Ubuntu 16.04 LTS based release they still need to figure out and resolve Chromium crashes as well as update the browser. For their first release of UBports derived from Ubuntu 16.04 "Xenial" they are still going to rely upon Oxide, while later on they should migrate to a new browser.
  • 8 Best App Locks For Android To Secure Your Device In 2018
  • These Weeks in Firefox: Issue 39
  • What's Coming in OpenStack Rocky?
    The OpenStack Rocky release is currently scheduled to become generally available on August 30th, and it's expected to add a host of new and enhanced capabilities to the open-source cloud platform. At the OpenStack Summit here, Anne Bertucio, marketing manager at the OpenStack Foundation, and Pete Chadwick, director of product management at SUSE, outlined some of the features currently on the Rocky roadmap. Bertucio began the session by warning the audience that the roadmap is not prescriptive, but rather is intended to provide a general idea of the direction the next OpenStack release is taking.
  • PostgreSQL 11 Is Continuing With More Performance Improvements, JIT'ing
    PostgreSQL 11 is the next major feature release of this open-source SQL database server, due out later in 2018. While it's not out yet, its release notes were recently updated to provide an overview of what's coming as part of this next major update. To little surprise, performance improvements remain a big focus for PostgreSQL 11, with various optimizations as well as continued parallelization work and the recently introduced just-in-time (JIT) compilation support.
  • Tidelift Secures $15M in Series A Funding
    Tidelift, a Boston, MA-based open source software startup, secured $15m in Series A funding.
  • Tesla disclosed some of its autopilot source code after GPL violation
    Tesla, the technology company and independent automaker, is well known for offering the safest, quickest electric cars. The company uses a lot of open source software to build its operating system and features, such as the Linux kernel, Buildroot, BusyBox, Qt, etc. It has always been taciturn about the finer details and tech of its popular artefacts, such as the Model S and Model X, but now Elon Musk’s company has released some of its automotive tech source code to the open source community.
  • Open Source Underwater Distributed Sensor Network
    One way to design an underwater monitoring device is to take inspiration from nature and emulate an underwater creature. [Michael Barton-Sweeney] is making devices in the shape of, and functioning somewhat like, clams for his open source underwater distributed sensor network.
  • Security Researchers Discover Two New Variants of the Spectre Vulnerability
  • Security updates for Thursday

today's howtos

Games and Wine: Hacknet - Deluxe, Full Metal Furies and More