
Unix/Linux rootkits 101

Filed under
Security

The term rootkit originated with a reference to the root user account on Unix systems. Rootkits are not limited to Unix, however, or even to administrative user accounts like the Unix root account. No matter what operating system you use, you should be familiar with good practices for detecting and dealing with the threat of rootkits.

What is a rootkit?

As Mike Mullins explained in Windows rootkits 101, rootkits are not exploits. They are not the means of cracking security and getting into your system in the first place; a rootkit is installed after the system has already been compromised. Its job is to cover the malicious security cracker's tracks on later visits to the system, and to hide any other malicious software left behind. A rootkit may also include a "back door" that lets the security cracker regain access at any time in the future.

On Unix systems such as Solaris or FreeBSD, and on Unix-like systems such as Linux, a number of different means may be employed to cover the security cracker's tracks. The classic tactic is to replace system utility binaries such as ls, ps, netstat and diff with versions that hide the rootkit's files, processes and network connections from whoever runs them. Kernel-level rootkits go a step further and hook the kernel's system calls, so that even an unmodified binary is fed false answers. The key point to keep in mind when dealing with the threat of rootkits is that once a rootkit has been installed on your system, you can no longer trust any of the tools installed on that system to give you accurate information.

This is what makes accurate detection of rootkits, and of any other changes a malicious security cracker has made to a system, a challenge.

Rootkit detection
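The only way around the trust problem described above is to compare the suspect system against something the intruder could not touch. The script below is an added example, not code from the original article: it records SHA-256 hashes of system binaries while the host is still trusted, and later reports any file whose hash has changed or that has disappeared. The sandbox directory, the file contents and the "trojaned ps" are constructed here for illustration. It assumes the baseline file is stored off-host and that the comparison is run with tools from a trusted medium (a live CD or USB stick), since a sha256sum or find taken from the compromised disk can lie just as well as ls can.

```sh
#!/bin/sh
# Added example (not from the original article): detect replaced or removed
# system binaries by comparing them against a hash baseline.
#
# Assumptions, stated because the article gives no procedure:
#  - the baseline was recorded while the host was still trusted and is kept
#    off-host (a copy left on the suspect disk could be edited by the intruder);
#  - the comparison runs from a trusted environment such as a live medium,
#    so that the sha256sum, find and sh used here are not the suspect's own.

# build_baseline OUTFILE DIR... : record "sha256  path" for every regular file
build_baseline() {
    outfile="$1"
    shift
    find "$@" -type f -exec sha256sum {} + | sort -k 2 > "$outfile"
}

# check_baseline BASELINE : print CHANGED / MISSING files, return 1 if any
check_baseline() {
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            rc=1
        elif [ "$(sha256sum "$path" | cut -d ' ' -f 1)" != "$expected" ]; then
            echo "CHANGED  $path"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# demo: a constructed sandbox standing in for /bin, so the script touches
# nothing on the real system. Prints what check_baseline reports.
demo() {
    sb=$(mktemp -d)
    mkdir "$sb/bin"
    printf 'original ls binary\n'   > "$sb/bin/ls"
    printf 'original ps binary\n'   > "$sb/bin/ps"
    printf 'original diff binary\n' > "$sb/bin/diff"
    build_baseline "$sb/baseline.sha256" "$sb/bin"

    # Simulate a rootkit: ps replaced by a version that hides processes,
    # diff deleted. ls is left alone and must not be reported.
    printf 'trojaned ps\n' > "$sb/bin/ps"
    rm "$sb/bin/diff"

    check_baseline "$sb/baseline.sha256" || true
    rm -rf "$sb"
}

demo
```

On a real host you would baseline /bin, /sbin, /usr/bin, /usr/sbin and the shared-library directories rather than a sandbox. Package-manager verifiers such as rpm -V and debsums perform the same comparison against packaging metadata, but they rely on the host's own rpm or dpkg binaries and databases, which a rootkit can doctor just as easily as ls. File hashing also says nothing about a kernel-level rootkit that hooks system calls without touching a single binary on disk, which is one more reason to run the check from a live medium whose kernel you trust rather than from the running system.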

Clamav is great

Like a lot of people, I use the free anti-virus program Clamav on my mail server. Last week, I was seriously impressed with its performance.

It started last Wednesday, 25 July. At about noon, I received a mail from amavisd-new saying that it had blocked an e-mail containing a virus, Trojan.Downloader-11827. What was strange is that I received this message on an e-mail account which is protected by my ISP's proprietary anti-virus solution. So it had not caught this virus, while Clamav did. Then I submitted the file to virustotal.com, and apparently only a few (about five) anti-virus programs detected the virus. Amongst others, Kaspersky, F-Secure, NOD32, Bitdefender, Symantec and of course Clamav. In the clamav-virusdb mailing list archives, I found that Clamav had detection for this virus since 7h21 CEST, so it was really amongst the first to detect this virus.


Android Leftovers

  • Android Candy: Intercoms
    Ever since my "tiny $20 tablet" project (see my Open-Source Classroom column in the March 2015 issue), I've been looking for more and more cool things to do with cheap Android devices. Although the few obvious ones like XBMC or Plex remotes work well, I've recently found that having Android devices around the house means I can gain back an old-school ability that went out of style in the late 1980s—namely, an intercom system.
  • There's a wild prank hidden in Google Maps that insults Apple in the most childishly inappropriate way
    Rawalpindi is a vibrant Pakistani city known for its bazaars, ancient ruins, and array of religious shrines. But if you pay it a visit on Google Maps, you're going to notice something very unusual on the outskirts of the city — the Android "droid" mascot urinating on the Apple logo.
  • There's an Android bot peeing on an Apple logo on Google Maps
    Sick of all the Apple Watch news today? You're in luck, because we have something completely different for you. An image of an Android mascot, also known as an Android bot or Bugdroid, peeing on an Apple logo has been discovered on Google Maps.
  • An Android robot is peeing on an Apple logo in Google Maps
  • An Android is urinating on the Apple logo in Google Maps (update)
    Google and Apple have always had their differences, but a new Easter egg inside Google Maps has just taken their rivalry to a whole new level. As spotted by Team Android, if you head to these coordinates with the regular Map view enabled, you'll see Google's iconic Android mascot taking a leak on the Apple logo. At the moment, it's unclear who created this little piece of mischief and whether Google is taking action. But if this hidden message is any indication, it was snuck through by a member of the public using Google's Map Maker service, rather than a Google employee. Regardless, it's a crazy (and pretty hilarious) addition that's sure to rile some of the employees in Cupertino. Shots fired!
  • Sony's Android TV-powered 4K televisions are ridiculously thin
    Four models from Sony’s 2015 Android TV-powered 4K television range are now available for pre-order, with shipping to begin in May. The Japanese electronics giant unveiled its 4K TV lineup for 2015 at the Consumer Electronics Show in January, but kept pricing and release information to itself, only saying the new sets would be available sometime in the spring. Those details are finally here and the TVs themselves aren’t far off.
  • Android Wear v1.1 APK has Apple references in it, but when is iOS support coming?
    That Google is working on iOS support for Android Wear is nearly undeniable at this point, but even more evidence has surfaced in case you aren’t a believer. We peeked inside the latest Android Wear update APK to see what hidden bits were swarming about, and we came across some very interesting references.
  • 5 Things to Expect from the Nexus 5 Android 5.1.1 Release
    A few weeks ago, an Android 5.1.1 update mysteriously appeared alongside an update for Google’s Android SDK. Earlier this week, Google finally confirmed the Nexus Android 5.1.1 release with an update for its Nexus Player. With an Android 5.1.1 update now on the minds of Nexus users, particularly Nexus 5 users dealing with Android 5.0 Lollipop problems, we want to take a look at what we expect from the Nexus 5 Android 5.1 release from Google.

The Turing Phone Is Super Durable and Ultra Secure

The device also sports a 13MP/8MP camera combo, 64GB / 128GB of internal storage and runs Android 5.0 Lollipop out of the box.