
Unix/Linux rootkits 101

Filed under
Security

The term rootkit originated as a reference to the root user account on Unix systems. Rootkits are not limited to Unix, however, or even to administrative accounts like the Unix root account. No matter what operating system you use, you should be familiar with good practices for detecting and dealing with the threat of rootkits.

What is a rootkit?

As Mike Mullins explained in Windows rootkits 101, rootkits are not exploits. They are not the means of cracking security and accessing your system in the first place. Instead, rootkits are inserted into your system after it has already been compromised for the first time. Rootkits then cover the malicious security cracker’s tracks when he or she revisits the system later, or the tracks of other malicious software left behind. A rootkit may also include a “back door” allowing the security cracker to gain access at any time in the future.

On Unix systems such as Solaris or FreeBSD, and on Unix-like systems such as Linux, a number of different means may be employed to cover the security cracker’s tracks. Common tactics include replacing system utility binaries such as ls, ps and diff with trojaned versions so that, when they are used, they hide the attacker's files, processes and changes to the system from the user. Kernel-level rootkits go further: a loadable kernel module hooks system calls, so that even a pristine binary copied from trusted media returns falsified results as long as it runs on the compromised kernel. The key point to keep in mind when dealing with the threat of rootkits is that once a rootkit has been installed on your system, you are no longer able to trust any of the tools installed on that system, or the kernel they run on, to give you accurate information.

This is what makes accurate detection of rootkits and other changes made by malicious security crackers a challenge: any check has to be performed with tools, and ideally a kernel, that did not come from the suspect system.
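Because nothing on the compromised host can be trusted, the practical check is to compare the disk against a baseline that was recorded while the system was known-good and kept off the host. The following Python is an added example, not code from the original article: it records a SHA-256 digest, size and permission bits for every regular file under a root, stores that manifest on separate media, and later reports what changed. The function names (build_baseline, compare_to_baseline, demo) and the fake /bin tree that demo() builds in a temporary directory are this example's own construction, standing in for a real root filesystem mounted read-only from rescue media.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed example of an offline file-integrity baseline (added here; not
# code from the original article). Names such as build_baseline and
# compare_to_baseline are this example's own. The manifest is meant to be
# kept OFF the host and the comparison run from trusted rescue media against
# a read-only mount of the suspect disk, so that neither the hashing tool
# nor the manifest can have been tampered with by a rootkit on the system
# being examined.


def _file_record(path: Path) -> dict:
    """Hash one regular file in chunks and capture its size and mode bits."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    st = path.lstat()
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(root: str) -> dict:
    """Walk `root` and return {relative_path: record} for every regular file.

    Symlinks are skipped rather than followed so that a planted link cannot
    pull files from outside the tree into the manifest.
    """
    root_path = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()  # deterministic order keeps manifests diff-friendly
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root_path).as_posix()] = _file_record(p)
    return manifest


def save_baseline(manifest: dict, dest: str) -> None:
    """Write the manifest as JSON; dest should be removable or remote media."""
    with open(dest, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_baseline(src: str) -> dict:
    with open(src, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Report files whose hash/size/mode changed, files missing, files added.

    A replaced binary of the same size (the usual trojaned ls or ps) lands in
    "modified" because the digest differs; a dropped backdoor lands in "added".
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake /bin, then 'install a rootkit'."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as media:
        root = Path(disk)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "bin" / "ps").write_bytes(b"\x7fELF original ps")
        manifest_file = os.path.join(media, "baseline.json")  # "trusted media"
        save_baseline(build_baseline(disk), manifest_file)

        # Simulated userland rootkit: a same-size trojaned ls (so size alone
        # would not catch it), a hidden backdoor dropped alongside, ps removed.
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
        (root / "bin" / ".rk").write_bytes(b"backdoor")
        (root / "bin" / "ps").unlink()

        return compare_to_baseline(disk, load_baseline(manifest_file))


if __name__ == "__main__":
    print(demo())
```

Running the script prints the report for the constructed scenario: bin/ls modified, bin/ps missing, bin/.rk added. Package-manager verification (rpm -V on RPM systems, debsums on Debian-derived ones) is the same idea with vendor-supplied hashes, but it inherits the same caveat: if it runs on the suspect kernel with the suspect database, a kernel-level rootkit or a tampered database can make it lie, which is why the comparison belongs on rescue media with the disk mounted read-only.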

Rootkit detection

Like a lot of people, I use the free anti-virus program Clamav on my mail server. Last week, I was seriously impressed with its performance.

It started last Wednesday, 25 July. At about noon, I received a mail from amavisd-new that it had blocked an e-mail containing a virus, Trojan.Downloader-11827. What was strange is that I received this message on an e-mail account which is protected by my ISP's proprietary anti-virus solution. So it had not caught this virus, while Clamav did. Then I submitted the file to virustotal.com, and apparently only a few (about five) anti-virus programs detected the virus. Amongst others, Kaspersky, F-Secure, NOD32, Bitdefender, Symantec and of course Clamav. In the clamav-virusdb mailing list archives, I found that Clamav had detection for this virus since 7h21 CEST, so it was really amongst the first to detect this virus.

Clamav is great

More in Tux Machines

RancherOS: A tiny Linux for Docker lovers

Like the various Linux server and desktop distributions, the container-oriented Linux distributions mix and match various projects and components to construct a complete container infrastructure. These distros generally combine a minimal OS kernel, an orchestration framework, and an ecosystem of container services. RancherOS not only fits the mold, but takes the minimal kernel and the container paradigm to extremes.

Review: System76’s Galago Pro solves “just works” Linux’s Goldilocks problem

The Linux world has long maintained a very specific rite of passage: wiping the default operating system from your laptop and plugging in a USB stick with your favorite distro's live CD. Some of us get a little, dare I say, giddy every time we wipe that other OS away and see that first flash of GRUB. Of course, rites of passage are supposed to be one-time events. Once you've wiped Windows or OS X a time or two, that giddiness vanishes—replaced by a feeling of annoyance, a kind of tax on being a Linux user.

Didier Roche: Ubuntu GNOME Shell in Artful: Day 3

After introducing a real vanilla GNOME session yesterday, let’s see how we are using this to implement small behavior differences and transform the current Ubuntu Artful. For more background on this, you can refer back to our decisions regarding our default session experience as discussed in my blog post.

GNOME and Debian: Debian Turning 24, GNOME Turning 20

  • Debian Celebrates Its 24th Birthday
    Yesterday marked GNOME turning 20, while today Debian developers and users have the project's 24th birthday to celebrate.
  • GNOME desktop environment for Linux and BSD is 20 years old today
    When many people think of Linux, they incorrectly assume it is an operating system. Actually, Linux is merely the kernel which many operating systems leverage. An actual operating system is comprised of many things, including a user interface -- after all, users need to interface with their computer! Most computer users will obviously want a graphical UI nowadays, and for BSD and Linux-based operating systems there are many such desktop environments from which to choose. One of the most popular environments is GNOME. Not only is GNOME a DE, but it has evolved into much more, such as a collection of apps and design rules (Human Interface Guidelines). Today, GNOME is celebrating a very important milestone -- it is an impressive 20 years old!
  • Happy birthday, GNOME!
    The GNOME desktop turns 20 today, and I'm so excited! Twenty years is a major milestone for any open source software project, especially a graphical desktop environment like GNOME that has to appeal to many different users. The 20th anniversary is definitely something to celebrate!
  • Linux desktop GUI GNOME celebrates its 20th birthday
    By 1997, there had long been Unix and Linux graphical user interface (GUI) desktops, but none of them had gathered much support. KDE, which was destined to become a major desktop, had started in 1996, but it was still facing opposition for its use of the Qt license. The GNOME Project, founded by Miguel de Icaza and Federico Mena Quintero on August 15, 1997, was created to build a GUI without the use of any non-General Public License (GPL) software. Thus, a struggle began between the two Linux desktops, which continues to this day.