Language Selection

English French German Italian Portuguese Spanish

Unix/Linux rootkits 101

Filed under
Security

The term rootkit originated with a reference to the root user account on Unix systems. Rootkits are not limited to Unix, however, or even to administrative user accounts like the Unix root account. No matter what operating system you use, you should be familiar with good practices for detecting and dealing with the threat of rootkits.

What is a rootkit?

As Mike Mullins explained in Windows rootkits 101, rootkits are not exploits. They are not the means of cracking security and accessing your system in the first place. Instead, rootkits are inserted into your system after it has already been compromised for the first time. Rootkits then cover the malicious security cracker’s tracks when he or she revisits the system later, or the tracks of other malicious software left behind. A rootkit may also include a “back door” allowing the security cracker to gain access at any time in the future.

On Unix systems such as Solaris or FreeBSD, and on Unix-like systems such as Linux, a number of different means may be employed to cover the security cracker’s tracks. Common tactics include replacing system utility binaries such as ls and diff so that when they are used they will hide changes to the system and files on it from the user. The key point to keep in mind when dealing with the threat of rootkits is that once a rootkit has been installed on your system, you are no longer able to trust any of the tools installed on that system to give you accurate information.

This can make accurate detection of rootkits and other changes to a system by malicious security crackers a challenge.

Rootkit detection




Also:

Like a lot of people, I use the free anti-virus program Clamav on my mail server. Last week, I was seriously impressed with its performance.

It started last wednesday, 25 July. At about noon, I received a mail by amavisd-new that it had blocked an e-mail containing a virus, Trojan.Downloader-11827. What was strange, is that I received this message on an e-mail account which is protected by my ISPs proprietary anti-virus solution. So it had not caught this virus, while Clamav did. Then I submitted the file to virustotal.com, and apparently only a few (about five) anti-virus programs detected the virus. Amongst others, Kaspersky, F-Secure, NOD32, Bitdefender, Symantec and of course Clamav. In the clamav-virusdb mailing list archives, I found that Clamav had detection for this virus since 7h21 CEST, so it was really amongs the first to detect this virus.

Clamav is great

More in Tux Machines

3 Alternatives to the Adobe PDF Reader on Linux

Adobe has pulled the plug on supporting its PDF reader app for Linux. This should come as no surprise, as the last time Adobe Reader for Linux was updated came in May 2013. But until recently, you could at least download and install Reader on your Linux desktop machine. Now? You can’t. If you go to the Adobe Reader site, you’ll find the Linux installer is no longer available. Read more

How OpenStack powers the research at CERN

OpenStack has been in a production environment at CERN for more than a year. One of the people that has been key to implementing the OpenStack infrastructure is Tim Bell. He is responsible for the CERN IT Operating Systems and Infrastructure group which provides a set of services to CERN users from email, web, operating systems, and the Infrastructure-as-a-Service cloud based on OpenStack. Read more

WE’RE HOSTING AN OPENDAYLIGHT HACKFEST IN JAPAN!

The OpenDaylight Project has quickly grown to become a global community, with more than 250 contributors working to advance open SDN and NFV from all corners of the world. This includes 11 ambassadors worldwide and OpenDaylight User Groups (ODLUG) in six cities across three countries. We are excited to host our first OpenDaylight HackFest in Japan in less than two weeks, and the good news is that it’s free to attend. Read more

Debian Project mourns the loss of Peter Miller

The Debian Project recently learned that it has lost a member of its community. Peter Miller died on July 27th after a long battle with leukemia. Peter was a relative newcomer to the Debian project, but his contributions to Free and Open Source Software goes back the the late 1980s. Peter was significant contributor to GNU gettext as well as being the main upstream author and maintainer of other projects that ship as part of Debian, including, but not limited to srecord, aegis and cook. Peter was also the author of the paper "Recursive Make Considered Harmful". The Debian Project honours his good work and strong dedication to Debian and Free Software. The contributions of Peter will not be forgotten, and the high standards of his work will continue to serve as an inspiration to others. Read more