Unix/Linux rootkits 101

Filed under: Security

The term rootkit originated with a reference to the root user account on Unix systems. Rootkits are not limited to Unix, however, or even to administrative user accounts like the Unix root account. No matter what operating system you use, you should be familiar with good practices for detecting and dealing with the threat of rootkits.

What is a rootkit?

As Mike Mullins explained in Windows rootkits 101, rootkits are not exploits. They are not the means of cracking security and accessing your system in the first place. Instead, rootkits are inserted into your system after it has already been compromised for the first time. Rootkits then cover the malicious security cracker’s tracks when he or she revisits the system later, or the tracks of other malicious software left behind. A rootkit may also include a “back door” allowing the security cracker to gain access at any time in the future.

On Unix systems such as Solaris or FreeBSD, and on Unix-like systems such as Linux, a number of different means may be employed to cover the security cracker’s tracks. Common tactics include replacing system utility binaries such as ls and diff so that, when they are run, they hide changes to the system and its files from the user. The key point to keep in mind when dealing with the threat of rootkits is that once a rootkit has been installed on your system, you are no longer able to trust any of the tools installed on that system to give you accurate information.

This can make accurate detection of rootkits and other changes to a system by malicious security crackers a challenge.
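One way to act on the point above (the compromised host's own tools cannot be trusted) is to compare the hashes of system binaries against a baseline taken from a trusted environment. The following is an added example, not code from the original article: the file names and contents are constructed, and in practice both the baseline and the checker would run from a clean rescue medium rather than from the suspect system.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Record the SHA-256 of each binary. Take this from a known-clean state
    and store the result off the monitored host, so a rootkit that replaces
    ls or diff cannot also rewrite the baseline."""
    return {p: sha256_file(p) for p in paths}


def verify_baseline(baseline, paths):
    """Compare current hashes with the baseline and report modified, missing
    and unexpected files. Run this from trusted media: if the hashing tool
    itself runs on the compromised host, its output is not trustworthy."""
    current = {p: sha256_file(p) for p in paths if os.path.exists(p)}
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: fake 'ls' and 'diff' binaries are baselined,
    then 'ls' is replaced and an extra file appears (hypothetical names)."""
    d = tempfile.mkdtemp()
    ls, diff, dropped = (os.path.join(d, n) for n in ("ls", "diff", "dropped"))
    for p in (ls, diff):
        with open(p, "wb") as f:
            f.write(b"original binary for " + os.path.basename(p).encode())
    baseline = build_baseline([ls, diff])
    with open(ls, "wb") as f:          # simulated trojaned replacement of ls
        f.write(b"replacement ls that hides files")
    with open(dropped, "wb") as f:     # simulated file left behind
        f.write(b"extra file")
    report = verify_baseline(baseline, [ls, diff, dropped])
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```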

Rootkit detection




Also:

Like a lot of people, I use the free anti-virus program Clamav on my mail server. Last week, I was seriously impressed with its performance.

It started last Wednesday, 25 July. At about noon, I received a mail from amavisd-new that it had blocked an e-mail containing a virus, Trojan.Downloader-11827. What was strange is that I received this message on an e-mail account which is protected by my ISP's proprietary anti-virus solution. So it had not caught this virus, while Clamav did. Then I submitted the file to virustotal.com, and apparently only a few (about five) anti-virus programs detected the virus. Amongst others, Kaspersky, F-Secure, NOD32, Bitdefender, Symantec and of course Clamav. In the clamav-virusdb mailing list archives, I found that Clamav had detection for this virus since 7h21 CEST, so it was really amongst the first to detect this virus.

Clamav is great
