Linux Users Now Protected With New Rootkit Technique
At the Black Hat security conference in Amsterdam, Linux professional Anthony Lineberry announced in his presentation “Alice in User-Land: Hijacking the Linux Kernel via /dev/mem” that he will soon publish the Libmemrk library. Libmemrk works on both 32- and 64-bit systems.
Libmemrk will let rootkit developers hide processes and files and interfere with network activity. It works by using the /dev/mem device driver to write arbitrary code from user space into main memory, without needing any special rights. This driver exposes an interface that gives access to physically addressable memory; the X server and DOSEmu currently use it. Lineberry stressed that starting a rootkit through /dev/mem is harder to detect than the usual route through loadable kernel modules (LKMs).
The new library takes work off rootkit programmers' shoulders: they no longer have to translate virtual memory addresses into physical addresses themselves, nor identify the memory bounds that can be examined before the attack. Until the correct ranges used by the kernel have been found, an attacker cannot overwrite the existing system calls and replace them with other code. The memory contents the kernel actually holds are meanwhile copied into a buffer.
A successful attack requires careful, detailed steps, which Libmemrk can carry out. Lineberry describes them in his paper “Malicious Code Injection via /dev/mem.” He adds that such attacks usually fail on virtual systems, since hypervisors behave differently from unvirtualized environments. He reminded the audience that even with libmemrk the attack itself still has to be programmed by hand in assembly language; he intends to use libcc in the future so that this impact is lessened.
Lineberry also gave some useful tips on how Linux users can protect themselves against this kind of rootkit. In his view, modifying the memory driver so that the read/write pointer can no longer be moved with lseek to reach at least 16 KB of memory is enough. The latest versions of Fedora and Red Hat are secure out of the box, since their kernels integrate SELinux (Security-Enhanced Linux).
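A quick audit of the mitigations Lineberry points to, as an added example that is not part of the talk or this article: it reads the running kernel's build configuration for the CONFIG_DEVMEM, CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM options (the mainline way of restricting the /dev/mem driver), checks the permission bits on /dev/mem, and checks whether SELinux is enforcing. The function names, the /boot/config-<release> path and the sample config strings are assumptions constructed for the example.

```python
import os
import re
import stat
def parse_kconfig(text):
    """Parse kernel .config lines ('CONFIG_X=y' / '# CONFIG_X is not set') into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(CONFIG_\w+)=(.+)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def devmem_findings(config_text, devmem_mode, selinux_enforcing):
    """Weaknesses of the /dev/mem surface; devmem_mode is its permission bits (None if absent)."""
    opts = parse_kconfig(config_text)
    findings = []
    if opts.get("CONFIG_DEVMEM", "y") == "n":
        return findings  # driver not built: nothing for a /dev/mem rootkit to open
    if opts.get("CONFIG_STRICT_DEVMEM") != "y":
        findings.append("CONFIG_STRICT_DEVMEM off: /dev/mem reaches all physical RAM, "
                        "including kernel text and the system call table")
    if opts.get("CONFIG_IO_STRICT_DEVMEM") != "y":
        findings.append("CONFIG_IO_STRICT_DEVMEM off: MMIO ranges claimed by drivers stay reachable")
    if devmem_mode is not None and devmem_mode & (stat.S_IWGRP | stat.S_IRWXO):
        findings.append("/dev/mem mode %o grants access beyond root and group read" % devmem_mode)
    if not selinux_enforcing:
        findings.append("SELinux not enforcing: no MAC policy confines /dev/mem")
    return findings

def local_snapshot():
    """Live values from this host; anything unreadable is treated as absent/off."""
    cfg_path = "/boot/config-" + os.uname().release  # assumed Fedora/Red Hat style location
    cfg = open(cfg_path).read() if os.path.exists(cfg_path) else ""
    try:
        mode = stat.S_IMODE(os.stat("/dev/mem").st_mode)
    except OSError:
        mode = None
    try:
        enforcing = open("/sys/fs/selinux/enforce").read().strip() == "1"
    except OSError:
        enforcing = False
    return cfg, mode, enforcing

if __name__ == "__main__":
    for line in devmem_findings(*local_snapshot()) or ["/dev/mem looks restricted"]:
        print(line)
```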
Publication is not possible yet, according to Lineberry, since he is still removing the last weaknesses in the library. It is something Linux users can look forward to as protection against possible attacks.