On Wed, 2002-02-13 at 17:56, Anton Chuvakin wrote:
> Hello Chris and all,
>
> Thanks for the message.
>
> >What won't work in this situation is attackers that have the md5sums
> >or signatures for various binaries on the machine that you are
> >intending to replace.
>
> Hmm, that was the point of my question, to some extent. How would an
> attacker (possessing the md5sums for valid packages and md5sums for hacked
> packages) go about updating the rpm database to pass the ? Are there any
> tools (in rootkits or elsewhere) to accomplish it?

The root kits need not modify the RPM database, rather either modify the
kernel image in /boot, or install a kernel module back door. The latter
method would be an easier mode of attack for Red Hat systems.

The kernel module need then only intercept the open commands, and
depending on certain conditions (such as calling program, user, group,
time of day, file requested) redirect the operation to the original or
legitimate file, while allowing all other operations (such as execve())
to operate on the original file.

For example, an existing Linux backdoor in the wild operates as follows:

To insert the backdoor/rootkit, the init binary is replaced with a trojan
utility that loads a kernel module that is linked to the /sbin/init
Trojan. After the rootkit is loaded into kernel space, the rootkit will
redirect all subsequent calls to the init binary (or its inode) to the
original init binary (that is hidden from directory lists in a secret
directory).

Once loaded, the kernel rootkit can do anything a userspace rootkit can
do -- just better, and harder to detect.

-- 
Tim Lawless
[EMAIL PROTECTED]
http://www.wwjh.net

> 
> Best regards,
> -- 
> Anton A. Chuvakin, Ph.D.
> http://www.chuvakin.org
> http://www.info-secure.org
> 
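The redirection Tim describes above, modelled in userspace as an added example (this is not code from the thread, nor from any real rootkit): a hooked open() sends integrity checkers to the hidden original file while a hooked execve() and everyone else's open() get the trojan, and directory listings never show the hidden directory. The in-memory "filesystem", the hidden path /usr/lib/.x, the list of checker program names, the uid condition and the file contents are all constructed for illustration; a real module would hook the syscall table rather than call these functions directly, and the thread lists further conditions (group, time of day) that this model leaves out.

```c
/* Added example, not from the original post: userspace model of the
 * open()/execve()/getdents() redirection a kernel-module rootkit does.
 * Nothing here touches the kernel.  The filesystem, hidden directory,
 * caller names and file contents below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumed hidden directory where the original binary is stashed. */
#define HIDDEN_DIR "/usr/lib/.x"

/* Constructed in-memory filesystem: trojan at the real path, original hidden. */
struct vfile { const char *path; const char *content; };
static const struct vfile fs[] = {
    { "/sbin/init",       "TROJAN: insmod backdoor.o; exec /usr/lib/.x/init" },
    { HIDDEN_DIR "/init", "ORIGINAL: legitimate init binary bytes" },
    { "/bin/ls",          "ORIGINAL: ls binary bytes" },
};

/* Table the module consults: trojaned path -> hidden original. */
struct redirect { const char *trojan; const char *original; };
static const struct redirect redirects[] = {
    { "/sbin/init", HIDDEN_DIR "/init" },
};

/* Callers whose reads must see the clean file (assumed list). */
static const char *checkers[] = { "rpm", "md5sum", "sha1sum", "tripwire" };

static int is_checker(const char *caller)
{
    for (size_t i = 0; i < sizeof checkers / sizeof checkers[0]; i++)
        if (strcmp(caller, checkers[i]) == 0) return 1;
    return 0;
}

/* Hooked open(): the path the kernel actually services.  Only root-run
 * integrity checkers are redirected to the hidden original; everyone
 * else opens the trojan. */
const char *rk_open_target(const char *caller, uid_t uid, const char *path)
{
    if (uid != 0 || !is_checker(caller)) return path;
    for (size_t i = 0; i < sizeof redirects / sizeof redirects[0]; i++)
        if (strcmp(path, redirects[i].trojan) == 0) return redirects[i].original;
    return path;
}

/* Hooked execve(): never redirected, so the trojan is what runs. */
const char *rk_exec_target(const char *path) { return path; }

/* Hooked getdents(): anything under the hidden directory is dropped
 * from listings (1 = visible, 0 = hidden). */
int rk_dirent_visible(const char *path)
{
    return strncmp(path, HIDDEN_DIR, strlen(HIDDEN_DIR)) != 0;
}

/* Bytes a caller gets back from open()+read() of `path`, or NULL. */
const char *rk_read_as(const char *caller, uid_t uid, const char *path)
{
    const char *real = rk_open_target(caller, uid, path);
    for (size_t i = 0; i < sizeof fs / sizeof fs[0]; i++)
        if (strcmp(real, fs[i].path) == 0) return fs[i].content;
    return NULL;
}

/* FNV-1a stands in for md5 so the example needs no crypto library. */
uint64_t fnv1a(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

int main(void)
{
    const char *seen_by_rpm  = rk_read_as("rpm",  0, "/sbin/init");
    const char *seen_by_bash = rk_read_as("bash", 0, "/sbin/init");
    printf("rpm -V reads   : %s (checksum %016llx)\n", seen_by_rpm,
           (unsigned long long)fnv1a(seen_by_rpm));
    printf("shell reads    : %s\n", seen_by_bash);
    printf("execve resolves: %s\n", rk_exec_target("/sbin/init"));
    printf("listing shows %s: %s\n", HIDDEN_DIR,
           rk_dirent_visible(HIDDEN_DIR "/init") ? "yes" : "no");
    return 0;
}
```

The point the model makes concrete: `rpm -V` or an md5sum run on the live system checksums the original bytes and reports a clean file, while the kernel executes the trojan, so a hash database on the same box proves nothing once the module is loaded; the file has to be read through a kernel the attacker has not touched, for instance by booting from trusted media.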