02-05-2007   #1
ingleswapnil
Join Date: Oct 2006
Posts: 0

Protection from kernel rootkits

Hello All!!!
We are doing a project for protecting any host on the network from kernel-level rootkits.
Here we have put forth our project idea in brief.
Please do reply.


Kernel rootkits attack the host in the following ways:

1) Redirecting standard system calls such as fork, execve, open, read and kill to their own malicious system call routines, using a Linux Kernel Module (LKM). An example of this kind of rootkit is Knark.

2) Redirecting proc and Virtual File System routines to their own malicious proc and VFS routines, using Linux kernel modules (LKM). An example of this kind of rootkit is Adore-NG.

3) Inserting their own IDT (Interrupt Descriptor Table) and system call table and redirecting the original system pointers to their own (hacked) IDT, using the /dev/kmem file, which is a character device file representing kernel virtual memory. An example of this kind of rootkit is SucKIT.

4) Replacing the original kernel binary image (the vmlinuz file in the /boot directory) with their own malicious binary image.

5) Modifying the path of the binary image (the vmlinuz file) in the grub.conf file.

Solution:

1) X-KernRootkit prevents kernel-level rootkits from modifying the kernel on the remote host.

2) We are making changes in the init_module system call. Our project nullifies the rootkit's effect by redirecting the pointers of the system calls, proc and VFS routines back to their original positions at the end of the init_module routine, so that the system will refer to the original system call routines.

3) We are redirecting the IDT and system call pointers back to their original positions at the end of the write system call routine, as writing to the /dev/kmem file executes the write system call routine in kernel space. Due to this, the system will always refer to the original IDT and system call table.

4) The solution does not allow rootkits to replace the original vmlinuz file. We are making changes in the unlink system call so that a rootkit cannot delete the original vmlinuz file and in turn cannot replace it.

5) To modify the path of the binary image, the fseek function is called. The fseek function executes the lseek system call from user space. In the lseek system call we are checking the offset given by the rootkit's code; if that offset is the path of the vmlinuz file, we are not allowing the rootkit to overwrite that path.

Area of application: system security
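The pointer-restoration step in points 2 and 3 of the solution above (compare the live system call table against a known-good copy, put changed entries back) can be modelled in ordinary user-space C, which is what the following added example does. It is not the poster's X-KernRootkit code and it is not a kernel module: the `sys_call_table` array, the five `sys_*` routines, the Knark-style `rootkit_install` hook and the `restore_hooked_entries` routine are all constructed stand-ins for the real kernel structures, so the program builds and runs on any host. The IDT case from point 3 is the same comparison run over a different table.

```c
/*
 * Added example (not from the original post): a user-space model of the
 * "restore the pointers at the end of init_module" idea. All names here
 * are hypothetical; in a real implementation the table is the kernel's
 * sys_call_table and the snapshot is taken by the protection module.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

typedef long (*syscall_fn)(long arg);

/* Stand-ins for the kernel's real system call routines. */
static long sys_fork(long a)     { return 1000 + a; }
static long sys_execve(long a)   { return 2000 + a; }
static long sys_open(long a)     { return 3000 + a; }
static long sys_getdents(long a) { return 4000 + a; }
static long sys_kill(long a)     { return 5000 + a; }

enum { NR_FORK, NR_EXECVE, NR_OPEN, NR_GETDENTS, NR_KILL, NR_SYSCALLS };

/* The live dispatch table: this is what an LKM rootkit overwrites. */
static syscall_fn sys_call_table[NR_SYSCALLS] = {
    sys_fork, sys_execve, sys_open, sys_getdents, sys_kill,
};

/* Known-good copy, taken once before any untrusted module can load. */
static syscall_fn boot_snapshot[NR_SYSCALLS];
static uint64_t   boot_digest;

/* FNV-1a over the raw pointer bytes: a cheap "has anything changed" tag. */
static uint64_t digest_table(const syscall_fn *tbl, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    const unsigned char *p = (const unsigned char *)tbl;
    for (size_t i = 0; i < n * sizeof *tbl; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

void snapshot_at_boot(void)
{
    memcpy(boot_snapshot, sys_call_table, sizeof sys_call_table);
    boot_digest = digest_table(sys_call_table, NR_SYSCALLS);
}

/*
 * The check the post runs at the end of init_module (and, for the
 * /dev/kmem case, at the end of write): every entry that no longer matches
 * the snapshot is put back. Returns how many entries had been hooked.
 */
int restore_hooked_entries(void)
{
    if (digest_table(sys_call_table, NR_SYSCALLS) == boot_digest)
        return 0;                       /* fast path: table untouched */
    int repaired = 0;
    for (int nr = 0; nr < NR_SYSCALLS; nr++) {
        if (sys_call_table[nr] != boot_snapshot[nr]) {
            sys_call_table[nr] = boot_snapshot[nr];
            repaired++;
        }
    }
    return repaired;
}

/* --- constructed Knark-style hook: hide directory entries --- */
static syscall_fn orig_getdents;
static long evil_getdents(long a)
{
    orig_getdents(a);   /* real listing runs, result is thrown away */
    return 0;           /* caller sees an empty directory */
}

/* What the rootkit's own init_module does: swap the pointer. */
void rootkit_install(void)
{
    orig_getdents = sys_call_table[NR_GETDENTS];
    sys_call_table[NR_GETDENTS] = evil_getdents;
}

/* Dispatch through the live table so callers see whichever routine is current. */
long do_syscall(int nr, long arg) { return sys_call_table[nr](arg); }

int main(void)
{
    snapshot_at_boot();
    rootkit_install();
    printf("getdents while hooked: %ld\n", do_syscall(NR_GETDENTS, 7));
    int n = restore_hooked_entries();
    printf("entries restored: %d, getdents now: %ld\n", n, do_syscall(NR_GETDENTS, 7));
    return 0;
}
```

Two caveats the model makes visible. First, the scheme only works if `snapshot_at_boot` runs before any code the attacker controls; a snapshot taken after a rootkit is already resident just blesses the hooked pointers. Second, the snapshot and digest here sit in the same memory as the table, so a rootkit that writes kernel memory through /dev/kmem (the SucKIT path in point 3) can patch the copy as easily as the original; the "remote host" in the post's point 1 is the right place for the reference copy, and the comparison should also run periodically rather than only from init_module and write, since not every kernel modification passes through those two entry points.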
© 2000 - 2008 - All Rights Reserved - Property of  MAS Media