
Unix/Linux rootkits 101

Filed under
Security

The term rootkit originated with a reference to the root user account on Unix systems. Rootkits are not limited to Unix, however, or even to administrative user accounts like the Unix root account. No matter what operating system you use, you should be familiar with good practices for detecting and dealing with the threat of rootkits.

What is a rootkit?

As Mike Mullins explained in Windows rootkits 101, rootkits are not exploits. They are not the means of cracking security and accessing your system in the first place. Instead, rootkits are inserted into your system after it has already been compromised for the first time. Rootkits then cover the malicious security cracker’s tracks when he or she revisits the system later, or the tracks of other malicious software left behind. A rootkit may also include a “back door” allowing the security cracker to gain access at any time in the future.

On Unix systems such as Solaris or FreeBSD, and on Unix-like systems such as Linux, a number of different means may be employed to cover the security cracker’s tracks. Common tactics include replacing system utility binaries such as ls and diff so that when they are used they will hide changes to the system and files on it from the user. The key point to keep in mind when dealing with the threat of rootkits is that once a rootkit has been installed on your system, you are no longer able to trust any of the tools installed on that system to give you accurate information.

This can make accurate detection of rootkits and other changes to a system by malicious security crackers a challenge.
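One practical consequence of the paragraph above is that detection has to rest on something the attacker could not rewrite: a baseline of file hashes and permissions recorded while the system was known-good and stored off the host, then re-checked from trusted media rather than with the host's own (possibly replaced) utilities. The script below is an added illustration of that baseline-and-verify approach; it is not part of the original article. It builds a manifest for a set of constructed stand-in "binaries" in a temporary directory (the names ls, diff, ps and netstat are only placeholders for the real paths under /bin or /usr/bin), then simulates three kinds of tampering a rootkit might leave behind and reports each one.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed example: stand-ins for utilities a rootkit commonly replaces.
# In real use the list would name actual system binaries and the baseline
# would be written to read-only media, not kept on the monitored host.
WATCHED = ["ls", "diff", "ps", "netstat"]


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Record SHA-256, size and mode bits for each watched file under root."""
    baseline = {}
    for name in names:
        p = Path(root) / name
        st = p.stat()
        baseline[name] = {
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mode": st.st_mode,
        }
    return baseline


def verify(root, baseline):
    """Compare the current files with the baseline; return (name, finding) pairs.

    Mode is checked before content so a permission change on an otherwise
    identical file is still reported; a missing file is reported once.
    """
    findings = []
    for name, expected in baseline.items():
        p = Path(root) / name
        if not p.exists():
            findings.append((name, "missing"))
            continue
        if p.stat().st_mode != expected["mode"]:
            findings.append((name, "mode changed"))
        if sha256_of(p) != expected["sha256"]:
            findings.append((name, "content changed"))
    return findings


def demo():
    """Constructed scenario: baseline clean files, then tamper with three of them."""
    with tempfile.TemporaryDirectory() as root:
        for name in WATCHED:
            target = Path(root) / name
            target.write_bytes(b"#!/bin/sh\necho original " + name.encode() + b"\n")
            os.chmod(target, 0o755)
        baseline = build_baseline(root, WATCHED)
        clean = verify(root, baseline)

        # Simulated tampering: ls replaced with a different script,
        # ps made world-writable, netstat removed outright.
        (Path(root) / "ls").write_bytes(b"#!/bin/sh\necho replaced ls\n")
        os.chmod(Path(root) / "ps", 0o777)
        (Path(root) / "netstat").unlink()
        tampered = verify(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean system findings:", before)
    print("tampered system findings:", after)
```

The hashes and the Python interpreter running this check are only as trustworthy as where they come from: run it from a live CD or rescue image with the suspect filesystem mounted read-only, and compare against a manifest taken before the host was exposed. A kernel-level rootkit can still lie to a check run on the compromised system itself, which is exactly the point the article makes.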

Rootkit detection




Also:

Like a lot of people, I use the free anti-virus program Clamav on my mail server. Last week, I was seriously impressed with its performance.

It started last Wednesday, 25 July. At about noon, I received a mail from amavisd-new that it had blocked an e-mail containing a virus, Trojan.Downloader-11827. What was strange is that I received this message on an e-mail account which is protected by my ISP's proprietary anti-virus solution. So it had not caught this virus, while Clamav did. Then I submitted the file to virustotal.com, and apparently only a few (about five) anti-virus programs detected the virus. Amongst others, Kaspersky, F-Secure, NOD32, Bitdefender, Symantec and of course Clamav. In the clamav-virusdb mailing list archives, I found that Clamav had detection for this virus since 7h21 CEST, so it was really amongst the first to detect this virus.

Clamav is great

More in Tux Machines

pfSense 2.2.4 BSD Firewall Fixes Multiple Stored XSS Vulnerabilities in the WebGUI

Electric Sheep Fencing LLC., through Chris Buechler, has announced the immediate availability for download of the fourth maintenance release of the pfSense 2.2 FreeBSD-based firewall software. Read more

Standardisation process should be open, study shows

Organisations setting ICT standards should be open, as this improves their standards and contributes to their implementation in software, concludes a group of Swedish researchers. “Standards get better with contributions coming from individuals and organisations,” says Jonas Gamalielsson, lead author of a paper published in June. Read more

Open source runs Croatia’s geospatial services platforms

Croatia’s Ministry of Environment and Nature Protection has become one of the country’s major users of open source solutions. The software is making possible two geospatial service platforms on biodiversity and environmental protection, unveiled in May. Read more

today's leftovers

  • Three months with a Chromebook computer
    Chromebooks have become incredibly popular among some users, as you can see from Amazon's list of bestselling Chromebooks. One user decided to use a Chromebook as his primary computing device for three months, and found that it worked extremely well for him. [...] Debian Linux is known as a distribution that supports lots of different hardware, but now the Debian developers have announced the removal of support for the SPARC hardware architecture.
  • New Target for Mobile App Devs: Plasma Mobile on Linux
  • New Plasma Mobile, New Security Issues
    Jonathan Riddell said the hacking was frustrating at first, but Martin Gräßlin was able to get the system going with Wayland and KWin. Gräßlin said Plasma Mobile is the first product to use Wayland by default and the only reason Wayland is mature enough to be included as a technical preview in upcoming Plasma 5.4. They're confident Android apps will run on it at some point as well.
  • KDE Creates Plasma Mobile, A KDE Based Operating System For Mobile Phones
    As you may know, the KDE developers have created Plasma Phone UI, a Linux-based operating system based on Ubuntu Touch and Kubuntu Linux. The OS is open-source, has a user-friendly interface and provides a customizable platform for mobile devices. For now, KDE’s mobile OS is just a prototype and can be tested on the LG Nexus 5.
  • GSoC ’15 Post #5: Port Complete – Time for the Real Deal
    With loads of help from people on #kde-devel, we finally managed to complete the KDE Network Filesharing port to KF5. Wasn’t easy, given that this was my first time porting frameworks, but it was real fun. Apart from apol’s blogpost shared in my last post, here’s another post that was immensely helpful to me while porting: Porting a KControl Module to KF5.
  • Gnome Pie 0.6.3 (Circular Application Launcher) Brings New Features And Bug-Fixes
    As you may know, Gnome Pie is a circular application launcher, enabling the users to easily access their favorite apps, which they have added to the pie. For usage information, see this link.
  • Gnome 3.18 Will Include A News Reader App
  • ExLight Distro Brings Enlightenment 0.19.7 and Linux Kernel 4.0 to Ubuntu 15.04
    On July 26, Arne Exton, the creator of numerous distributions of GNU/Linux as well as various Android-x86 Live DVDs, was more than proud to announce the immediate availability for download of a new build for his ExLight Linux distribution.
  • OpenSUSE Leap 42 Will Be An OpenSUSE Flavor For The Users That Need A Stable System
  • Very slow ssh logins on Fedora 22
    I’ve recently set up a Fedora 22 firewall/router at home (more on that later) and I noticed that remote ssh logins were extremely slow. In addition, sudo commands seemed to stall out for the same amount of time (about 25-30 seconds).
  • Debian Dropping SPARC Support
    While Debian supports many CPU architectures, it's working to remove support for the Sun/Oracle SPARC architecture. As of this weekend, Debian has dropped SPARC from their unstable, experimental, and jessie-updates archives.
  • Ubuntu Touch OTA-5 Update Brings Double Battery Life On Meizu MX4 Ubuntu Edition
  • Ubuntu Phone Gets Blasted In Reviews This Week
  • 3.5-inch SBC runs Yocto on Braswell and 6 Watts
    Aaeon’s Yocto Linux ready, 3.5-inch “GENE-BSW5” SBC offers Intel Braswell CPUs, dual GbE ports, six serial ports, and mini-PCIe, SATA, and mSATA expansion.
  • Not Learning Unix is a Mistake
    It has occurred to me that not learning Unix is a grave mistake. My relatively early exposure to Unix was important. I may not have appreciated Linux as much or even at all if I hadn't had that ability to experiment at home with Xenix. Learning about Unix develops new mental muscles like playing a musical instrument or learning a new language. But learning these new processes becomes more difficult with age. To me the exact technical details are less important. It does not really matter if you are a Linux user or if you use one of the BSDs or even something more exotic like Plan 9. The important thing is you can learn new concepts from what I will broadly refer to as the Unix/Internet Community.
  • Mmm, what's that smell, Google+? Yes it's death: Google unhooks 'social network' from YouTube
    Google is no longer forcing Google+ on the world: people will be able to log into YouTube, and other Googley services, without having to create mandatory Google+ profiles. From now on, only those who deliberately sign up for Google+ will create profiles on the ghost town of a social network. Previously, Google harassed users of YouTube, Gmail and so on, to convert their accounts into Google+ accounts, a move obviously designed to boost G+'s sad numbers. It didn't go down very well at all – a lot of folks hated it.
  • Google to block access to unofficial autocomplete API
    Google has decided the autocomplete API it informally offers will no longer be available for “unauthorised” users as of August 10th.