A New Linux Rootkit Technique Presented


17 April 2009, 13:06


Anthony Lineberry, a Linux expert, announced during his presentation, "Alice in User-Land: Hijacking the Linux Kernel via /dev/mem", at the Black Hat security conference now taking place in Amsterdam that he will shortly be publishing the libmemrk library. He says libmemrk works in both 32-bit and 64-bit environments.

This offers rootkit developers a new way to hide files or processes, or interfere with network traffic. The trick is that, without requiring extensive rights, libmemrk uses the /dev/mem device driver to write arbitrary code from userspace into main memory. /dev/mem is an interface that enables use of the physically addressable memory. For example, XServer and DOSEmu both use it. Lineberry says introducing rootkits via /dev/mem is also less obvious than the established route via loadable kernel modules (LKMs).

The library relieves a rootkit programmer of the "laborious" work of translating virtual memory addresses to physical ones and identifying a memory range that can be exploited for the attack. An attacker can't overwrite the existing system calls and replace them with his own code until the suitable ranges, normally used by the kernel, have been located. The real contents written into memory by the kernel are meanwhile shifted into a buffer.

Heise security - http://www.h-online.com/security/A-new-Lin...d--/news/113092
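Added here as a defensive check, not part of the post above and not libmemrk's code: a read-only C audit that reports whether the running kernel still exposes physical RAM through /dev/mem, which is the precondition the library relies on. It reads a single page at 2 MiB and never writes; the static check assumes the usual `/boot/config-$(uname -r)` line format and looks for CONFIG_STRICT_DEVMEM (the x86 option that limits /dev/mem to the low 1 MiB and device memory) and CONFIG_DEVMEM (which compiles the device out entirely).

```c
/* devmem_audit.c: read-only checks on how the running kernel exposes /dev/mem.
 * Added example for this page; not libmemrk and not code from the article. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum devmem_state { DEVMEM_ABSENT, DEVMEM_OPEN_DENIED, DEVMEM_READ_DENIED, DEVMEM_READABLE, DEVMEM_ERROR };

/* 2 MiB: just above the low 1 MiB that CONFIG_STRICT_DEVMEM still leaves readable for X/DOSEmu. */
#define PROBE_OFFSET ((off_t)2 << 20)

/* Runtime probe: can this process read ordinary RAM through `path`? EPERM from pread() = STRICT_DEVMEM. */
enum devmem_state probe_devmem(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        if (errno == ENOENT) return DEVMEM_ABSENT;
        if (errno == EACCES || errno == EPERM) return DEVMEM_OPEN_DENIED;
        return DEVMEM_ERROR;
    }
    unsigned char page[4096];
    ssize_t n = pread(fd, page, sizeof page, PROBE_OFFSET);
    int err = errno;            /* save before close() can disturb it */
    close(fd);
    if (n < 0) return err == EPERM ? DEVMEM_READ_DENIED : DEVMEM_ERROR;
    return DEVMEM_READABLE;     /* kernel RAM is exposed: libmemrk's precondition */
}

/* Static check over kernel config text (e.g. /boot/config-$(uname -r)):
 * 1 if CONFIG_STRICT_DEVMEM=y or /dev/mem is compiled out entirely, else 0. */
int config_restricts_devmem(const char *config_text) {
    int strict = 0, devmem_off = 0;
    const char *p = config_text;
    while (p && *p) {
        if (strncmp(p, "CONFIG_STRICT_DEVMEM=y", 22) == 0) strict = 1;
        if (strncmp(p, "# CONFIG_DEVMEM is not set", 26) == 0) devmem_off = 1;
        p = strchr(p, '\n');
        if (p) p++;             /* start of the next line */
    }
    return strict || devmem_off;
}

int main(void) {
    static const char *const label[] = { "absent", "open denied",
        "read denied (STRICT_DEVMEM active)", "READABLE: kernel RAM exposed", "error" };
    printf("/dev/mem probe: %s\n", label[probe_devmem("/dev/mem")]);
    return 0;
}
```

Run it as root on the host to be audited; a "READABLE" result means the STRICT_DEVMEM protection is absent or disabled and the /dev/mem route described above is open, which should be treated as a hardening finding.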

