[ale] New Backdoor App

Transam@cavu.com transam at cavu.com
Sun Jul 15 14:18:23 EDT 2001


SAngell at nan.net wrote:
> Has anybody seen this little gem hands on? Looks like this may cause a
> new round of headaches for all security folks out there. Is supposed to
> be unvieled on the 18th of this month at DefCon. It's a loadable kernal
> module for Linux, almost completely undetectable from what I have read. It
> can send a packet from a spoofed address to the system of choice on ANY
> port that is available. Its name KIS (Kernal Intrusion System)

I wonder how it manages to hide from lsmod.  Perhaps lsmod uses a different
piece of data in the kernel (that this hack stomps on) than is used by the
kernel to actually find the code.

After thinking about it a few minutes, I could not come up with a good
simple defense or detection.  (While certainly the executable could be
spotted, a cracker just has to encrypt it for long term storage on disk.)

Since it only modifies the running kernel, not even a Trojan sweep of the
disk using a trusted path (booted from a trusted floppy/CD-ROM) will detect
a modified kernel on disk.


I see the need now, as part of building the kernel and loadable modules at
each Linux site for the following.  The SysAdmin building them signs each
one cryptographically (GPG or PGP) and the running kernel verifies itself
and each module upon loading and rejects those with bad signatures.

The mechanism used to avoid lsmod detection (whatever it is) should be
fairly easy to block in the next revision of 2.2 and 2.4.

> Read more at:

> http://www.uberhax0r.net/kis/

> Also, note the logo! Being a fan of KISS for many years I loved the obvious
> influence.

> Steve Angell,  MCSE, CCNA
> MIS Operations Manager
> TSYS Total Debt Management
> Phone 770-409-5570
> Fax      770-416-1752

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My book: "Real World Linux Security"]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and software consulting since 1990.

GPG Public key available at http://www.cavu.com/pubkey.txt (book at cavu.com)
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at cavu.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.





More information about the Ale mailing list