Results 1 to 2 of 2

Thread: LKM Rootkits

  1. #1
    Senior Member
    Join Date
    Aug 2002

    LKM Rootkits

    Post that i found very intresting in www.blackhat.info by TheWatcher


    Anti-forensics tools and skills to thwart investigators are emerging in the underground hacker scene.

    One example is a class of programs called the Loadable Kernel Modules (LKM) which, if used by hackers, can hide data even from forensics experts.

    LKMs are files that contain components that can run dynamically. Normally, LKMs are used to load hardware drivers.

    Hackers can create LKM rootkits that can access the kernel directly, while hiding processes, connections, directories and files without modifying the binaries of any program. A rootkit is a collection of programs that a hacker uses to mask intrusion and get access to a computer.

    While most hackers' rootkits activities can be detected by methods such as doing MD5 checksums, if LKM rootkits are used, any checksum methods become useless as no files would have been modified.

    It is not just a case of hidden files but the alteration of kernel processes so that queries on various information to the server would return fake results. For example, when a file search is made, even if the file were there, the search will turn up negative.

    By checking ports for unusual activities, it might be possible to detect that the computer system has been compromised or "rooted". Tools such as Kstat can be used to detect rooted systems, but there are limitations.

    Posted by: TheWatcher

    If you have been infected or think you are or just to make sure you can download a cleaner that i found at www.Astalavista.com

    Quoted from www.Astalavista.com

    This utility removes LKM rootkits that normally are undetectable via the help of vmalloc which manages the memory for a kernel module. Tested against Adore, Knark, Sinapse, Heroin, and others. - By cameleonu



  2. #2
    Senior Member
    Join Date
    Aug 2002

    Have you try "chkrootkit" ?. It's rootkit detection and able to detect more then 45 rootkit
    01. lrk3, lrk4, lrk5, lrk6 (and variants);
    02. Solaris rootkit;
    03. FreeBSD rootkit;

    04. t0rn (and variants);
    05. Ambient's Rootkit (ARK);
    06. Ramen Worm;

    07. rh[67]-shaper;
    08. RSHA;
    09. Romanian rootkit;

    10. RK17;
    11. Lion Worm;
    12. Adore Worm;

    13. LPD Worm;
    14. kenny-rk;
    15. Adore LKM;

    16. ShitC Worm;
    17. Omega Worm;
    18. Wormkit Worm;

    19. Maniac-RK;
    20. dsc-rootkit;
    21. Ducoci rootkit;

    22. x.c Worm;
    23. RST.b trojan;
    24. duarawkz;

    25. knark LKM;
    26. Monkit;
    27. Hidrootkit;

    28. Bobkit;
    29. Pizdakit;
    30. t0rn v8.0;

    31. Showtee;
    32. Optickit;
    33. T.R.K;

    34. MithRa's Rootkit;
    35. George;
    36. SucKIT;

    37. Scalper;
    38. Slapper A, B, C and D;
    39. OpenBSD rk v1;

    40. Illogic rootkit;
    41. SK rootkit.
    42. sebek LKM;

    43. Romanian rootkit;
    44. LOC rootkit;
    45. shv4 rootkit;

    46. Aquatica rootkit;
    47. ZK rootkit;
    I run this tool on my Linux and FreeBSD box

    Check out the link http://www.chkrootkit.org/ and you will find a lot of interesting links there..


    Not an image or image does not exist!
    Not an image or image does not exist!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts