Kernel rootkits and countermeasures

The Spy Within

Rootkits allow attackers to take complete control of a computer. We describe the tricks intruders use to gain access to the Linux kernel and provide guidelines on hardening the kernel against such attacks.

In response to a parliamentary question, the German Federal Government stated in May 2012 that it was able to decrypt PGP messages or SSH connections, at least partially. Experts were exasperated when they heard this. No one seriously believed that PGP encryption had been cracked. More likely, data is sniffed before encryption or after decryption, or the secret service possesses the private key and, possibly, the associated password. Germany’s “Federal Trojan” can infiltrate the kernel as a rootkit for this purpose.

Classically, the term “rootkit” refers to a piece of software that gives an attacker camouflaged access to, and thus control over, a machine. Userland rootkits tend to modify applications to do this. In comparison, the much more powerful kernel rootkits change kernel data structures and code – for example, through system call hijacking.

Read full article as PDF:

Price $2.95

Related content

  • How to Write a Rootkit

    Today’s rootkits infiltrate a target system at kernel level, thus escaping unwanted attention from administrators. Read on for a practical look at how a kernel rootkit really works.

  • Security Lessons

    We look at the history of the rootkit, including its newest incarnation, the DR RootKit.

  • Virtualizing Rootkits

    A new generation of rootkits avoids detection by virtualizing the compromised system – and the user doesn't notice a thing.

  • Rootkits and Linux Security

    Your Linux system may not be so airtight after all. To understand the threats, you need to think like an intruder. We'll show you what the intruders are thinking now about the Linux 2.6 kernel.

  • HookSafe Protects Kernel from Rootkits

    A research group in the computer sciences faculty at North Carolina State University has written a prototype to prevent rootkits from manipulating kernel object hooks to do their damage.
