Language Selection

English French German Italian Portuguese Spanish

Unix/Linux rootkits 101

Filed under
Security

The term rootkit originated with a reference to the root user account on Unix systems. Rootkits are not limited to Unix, however, or even to administrative user accounts like the Unix root account. No matter what operating system you use, you should be familiar with good practices for detecting and dealing with the threat of rootkits.

What is a rootkit?

As Mike Mullins explained in Windows rootkits 101, rootkits are not exploits. They are not the means of cracking security and accessing your system in the first place. Instead, rootkits are inserted into your system after it has already been compromised for the first time. Rootkits then cover the malicious security cracker’s tracks when he or she revisits the system later, or the tracks of other malicious software left behind. A rootkit may also include a “back door” allowing the security cracker to gain access at any time in the future.

On Unix systems such as Solaris or FreeBSD, and on Unix-like systems such as Linux, a number of different means may be employed to cover the security cracker’s tracks. Common tactics include replacing system utility binaries such as ls and diff so that when they are used they will hide changes to the system and files on it from the user. The key point to keep in mind when dealing with the threat of rootkits is that once a rootkit has been installed on your system, you are no longer able to trust any of the tools installed on that system to give you accurate information.

This can make accurate detection of rootkits and other changes to a system by malicious security crackers a challenge.

Rootkit detection




Also:

Like a lot of people, I use the free anti-virus program Clamav on my mail server. Last week, I was seriously impressed with its performance.

It started last wednesday, 25 July. At about noon, I received a mail by amavisd-new that it had blocked an e-mail containing a virus, Trojan.Downloader-11827. What was strange, is that I received this message on an e-mail account which is protected by my ISPs proprietary anti-virus solution. So it had not caught this virus, while Clamav did. Then I submitted the file to virustotal.com, and apparently only a few (about five) anti-virus programs detected the virus. Amongst others, Kaspersky, F-Secure, NOD32, Bitdefender, Symantec and of course Clamav. In the clamav-virusdb mailing list archives, I found that Clamav had detection for this virus since 7h21 CEST, so it was really amongs the first to detect this virus.

Clamav is great

More in Tux Machines

today's howtos

Leftovers: Ubuntu

  • Ubuntu Phone, Sep 2016 - Vorsprung durch Touch
    The Ubuntu Phone is getting better, and with every new iteration of the OTA, my little BQ Aquaris E4.5 is gaining more speed and functionality. Like in the air force, with an avionics upgrade, which transforms ancient wings into a powerful and modern bird of prey. Only the pace of advancement is lagging behind the market. See what Android and iOS can do, even Windows Phone, and you realize how late and insufficiently meaningful the Ubuntu Phone really is. This has to change, massively. This latest round does bring some fine goods to the table - more speed and stability, better icons, more overall visual polish, incremental improvements in the applications and the scopes. But that's not enough to win the heart of the average user. A more radical, app-centric effort is required. More focus on delivering the mobile experience, be it as it may. Ubuntu cannot revolutionalize that which is already considered the past. It can only join the club and enjoy the benefits of a well-established reality. And that is a kickass app stack that makes the touch device worth using in the first place. Still, it's not all gloomy. E4.5 is a better product now than it was a year ago, fact. Ubuntu Phone is a better operating system than it was even this spring, fact. So maybe one day we will see Ubuntu become an important if not dominant player in the phone and tablet space. It sure is heading in the right direction, my only fear is the availability of resources to pull off this massive rehaul that is needed to make it stand up to the old and proven giants. And that's it really. If you're keen on Linux (not Android) making it in the mobile world, do not forget to check my Ubuntu tablet review! Especially the convergence piece. On that merry note, you do remember that I'm running a wicked contest this year, too? He/she who reads my books might get a chance to win an M10 tablet. Indeed. Off you go, dear readers. Whereas I will now run the same set of tests we did here on the Aquaris tablet, and see how it likes the OTA-12 upgrade. The end.
  • Ubuntu 16.10 Unity 8 - new window snapping feature
  • Ubuntu Online Summit for Ubuntu 17.04 is Taking Place In Mid-November
  • Ubuntu Online Summit: 15-16 November 2016

Leftovers: OSS and Sharing

  • 10 Top Open Source Artificial Intelligence Tools for Linux
    In this post, we shall cover a few of the top, open-source artificial intelligence (AI) tools for the Linux ecosystem. Currently, AI is one of the ever advancing fields in science and technology, with a major focus geared towards building software and hardware to solve every day life challenges in areas such as health care, education, security, manufacturing, banking and so much more.
  • List of FLOSS International Conferences September 2016 Materials
  • This Week In Servo 78
    Our overall roadmap is available online and now includes the initial Q3 plans. From now on, we plan to include the quarterly plan with a high-level breakdown in the roadmap page.
  • Firefox 49 Release: Find out what is new
    Firefox 49.0 is the next major stable release of the web browser. Firefox 48.0.2 and earlier versions of Firefox can be updated to the new release.
  • Open-Source Climate Change Data From NASA, NOAA, & Others Available For 1st Time
    Climate change has many components — rising sea levels, alterations in rainfall patterns, and an increase in severe storm activity, among others. Communities around the world are faced with the need to plan for climate change but don’t have the information available to do so effectively.
  • Another Setback for 3D Printed Gun Advocate Cody Wilson as Court of Appeals Rules That National Security Concerns Outweigh Free Speech
    It’s been a long, drawn-out battle, beginning in 2013 when Cody Wilson, founder of Defense Distributed, published the open source files for his 3D printed handgun, the Liberator, online. The State Department ordered that he take the files down, and Wilson complied, but not before thousands had downloaded them and spread them elsewhere on the Internet. In 2015, with the help of gun rights organization The Second Amendment Foundation, Wilson filed a federal lawsuit claiming that the State Department had violated not only his Second Amendment but his First Amendment rights. By suppressing his right to share information online, Wilson argued, the State Department was violating his right to free speech.
  • In 3D-Printed Gun Case, Federal Court Permits Speech Censorship in the Name of Alleged National Security
  • Oracle tries playing nice with Java EE rebels
    With Oracle now trying to get back on track with advancing enterprise Java, the company is seeking rapprochement with factions that had sought to advance the platform on their own. The two groups involved are mostly amenable to patching up the relationship. Oracle's Anil Gaur, group vice president of engineering, said this week he had already been in touch with some of the concerned parties. The two factions include Java EE Guardians, led by former Oracle Java EE evangelist Reza Rahman, and Microprofile.io, which has included participation from Red Hat and IBM.

GNU News