[dundee] Linux Security & Botnets

Lee Hughes toxicnaan at yahoo.co.uk
Fri Jan 25 23:13:37 GMT 2008


Well, a rootkit can be installed if you can get uid 0 (root) on the machine.
Once you've got ring 0 access, you can do anything, without the aid
of the kernel. It's just one of those things that monolithic kernels suffer
from: there's a lot of code running in ring 0, and if that code has exploits
it's easy to take control of the entire system.

Prevention is better than the cure, and there are tools, hardware and
best practices that can reduce your exposure to zero-day rootkits.

Looking at advisories, these seem pretty old kernels, and if you don't
patch you're asking for trouble.

Microkernel operating systems have hope of improving this situation,
but while the kernel runs in one large shared address space then a full machine
compromise is still possible. Microkernels run their services in user space,
so the amount of ring 0 code is very small. That's good for security! :-)

In fact, booting from CD-ROM is an interesting idea; I've not seen anything
yet that can write to a full CD twice, so boot from CD-ROM and you know
you'll never have a persistent rootkit!!! It's not practical... but!!
I read somewhere of security researchers using command
blockers on hard disks which prevent any write access to the drive in hardware,
unless you flick a physical switch.

It might not save you from attack, but it's harder for the rootkit to persist after
a power cycle.

Again, a background daemon that verified kernel code in real time would
be able to detect memory injection attacks; in fact, Gordon, you may
have given me an idea for a project. ;-)

Someone could rewrite your BIOS and store the rootkit there.... Paranoid...
you will be.



gordon dunlop <astrozubenel at googlemail.com> wrote:

The news this week is about Linux botnets; this has been going on for
the past year or so. It is not about the security of Linux or Apache
but about the security of data centers. A data center holds
information about farms of servers that operate Linux servers and
holds pertinent information including root passwords of servers that
operate thousands of web sites. A rootkit can only be deployed on Linux
servers if the root password is known. Data centers can be
compromised; electronically this can be hard, easier to get an
employee to get the necessary information. So security is not just
electronic but also human. This is just conjecture, but until the
security leak is defined and answered then the problem is not solved.
It begs the question, how often must one change the security password
in case of compromise of upstream systems. To all the ethical hackers
this presents an opportunity for your ideas of security and how to
create secure systems to minimize this type of occurrence. I hope this
gives you brainstorming ideas.

Gordon

_______________________________________________
dundee GNU/Linux Users Group mailing list
dundee at lists.lug.org.uk  http://dundee.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/dundee
Chat on IRC, #tlug on dundee.lug.org.uk
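As an added illustration (not code from either poster), here is a userland model of the "background daemon that verifies kernel code in real time" that Lee mentions above. The idea is to hash the kernel's executable text at a trusted moment, then re-hash it periodically and raise a finding when any page differs. Reading real kernel memory requires a kernel module or a hypervisor, so the monitor takes a `read_region(name)` callback; the demo feeds it a constructed byte string standing in for kernel text. All names here (`CodeIntegrityMonitor`, `Finding`, the region names `.text` and `.rodata`) are assumptions for the example.

```python
"""Added example: baseline-and-compare integrity monitor for code regions.

Models the 'daemon that verifies kernel code' idea from the thread.
Nothing here touches a real kernel; memory is supplied by a callback.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

PAGE = 4096  # hash per page so a finding can name the page that changed


@dataclass(frozen=True)
class Finding:
    region: str
    page_index: int   # -1 means the region's size changed since baseline


class CodeIntegrityMonitor:
    """Hash read-only code regions once (trusted baseline), re-check later."""

    def __init__(self, read_region: Callable[[str], bytes], regions: List[str]):
        self.read_region = read_region
        self.regions = regions
        # region name -> list of per-page SHA-256 digests taken at baseline
        self.baseline: Dict[str, List[bytes]] = {}

    @staticmethod
    def _page_digests(data: bytes) -> List[bytes]:
        return [hashlib.sha256(data[i:i + PAGE]).digest()
                for i in range(0, len(data), PAGE)]

    def take_baseline(self) -> None:
        # In practice the baseline should come from a trusted source such as
        # the on-disk kernel image, not from memory that may already be patched.
        for name in self.regions:
            self.baseline[name] = self._page_digests(self.read_region(name))

    def verify(self) -> List[Finding]:
        findings: List[Finding] = []
        for name in self.regions:
            current = self._page_digests(self.read_region(name))
            expected = self.baseline[name]
            if len(current) != len(expected):
                findings.append(Finding(name, -1))
                continue
            for idx, (now, then) in enumerate(zip(current, expected)):
                if now != then:
                    findings.append(Finding(name, idx))
        return findings


def demo() -> List[Finding]:
    """Run the monitor over constructed 'kernel memory' (not real kernel bytes)."""
    fake_text = bytes(range(256)) * 48        # 12288 bytes = 3 pages of ".text"
    fake_rodata = b"\x90" * PAGE              # 1 page of ".rodata"
    memory = {".text": fake_text, ".rodata": fake_rodata}

    def read_region(name: str) -> bytes:
        return memory[name]

    monitor = CodeIntegrityMonitor(read_region, [".text", ".rodata"])
    monitor.take_baseline()                   # e.g. at boot, before untrusted input
    assert monitor.verify() == []             # untouched memory: no findings

    # Simulate an in-memory modification of eight bytes in page 1 of ".text".
    patched = bytearray(fake_text)
    patched[PAGE + 100:PAGE + 108] = b"\xcc" * 8
    memory[".text"] = bytes(patched)
    return monitor.verify()


if __name__ == "__main__":
    for f in demo():
        print(f"ALERT: {f.region} page {f.page_index} differs from baseline")
```

Two caveats a real deployment would have to handle: Linux legitimately rewrites parts of its own text at runtime (alternatives patching, jump labels, ftrace, module load/unload), so a production checker needs an allow-list or a baseline that tracks those changes rather than flagging every difference; and the checker itself runs with the same privileges as the code it guards, so a ring 0 intruder can tamper with the monitor too, which is exactly why the hardware and read-only-media angles raised above still matter.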



