Monday, April 20, 2009

New Linux Rootkit Technique

A new rootkit technique using /dev/mem has been uncovered by a Linux expert. It is also less obvious than the established route, the traditional LKM method, for hiding files or processes or interfering with network traffic.

The trick is that libmemrk, without requiring extensive rights, uses the /dev/mem device driver to write arbitrary code from userspace into main memory. /dev/mem is an interface that exposes the physically addressable memory.

Interestingly, some platforms are secure against this new rootkit by default:
  • Current Red Hat and Fedora (which incorporate SELinux)
  • Virtual environments (another reason to be virtualized)

The details of the new rootkit are documented in Malicious Code Injection via /dev/mem.
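As an added defensive check (not code from the original post or from libmemrk), the script below audits how exposed /dev/mem is on a host: it parses the kernel config for the real options CONFIG_DEVMEM, CONFIG_STRICT_DEVMEM and CONFIG_IO_STRICT_DEVMEM and inspects the device node's mode. The sample configs are constructed, and the function names and risk labels are my own.

```python
import gzip
import os
import stat

# Constructed sample configs: a 2009-era default build and a hardened one.
LEGACY_CONFIG = "CONFIG_X86=y\n# CONFIG_STRICT_DEVMEM is not set\n"
HARDENED_CONFIG = ("CONFIG_DEVMEM=y\nCONFIG_STRICT_DEVMEM=y\n"
                   "CONFIG_IO_STRICT_DEVMEM=y\n")

def parse_kconfig(text):
    """Map CONFIG_* names to values; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, val = line.split("=", 1)
            opts[key] = val.strip('"')
    return opts

def assess_devmem(opts, mode=None):
    """Return (risk, findings); risk is 'none', 'restricted' or 'exposed'."""
    if opts.get("CONFIG_DEVMEM", "y") == "n":  # option absent on old kernels
        return "none", ["CONFIG_DEVMEM=n: kernel does not provide /dev/mem"]
    findings = []
    strict = opts.get("CONFIG_STRICT_DEVMEM") == "y"
    if strict:
        findings.append("STRICT_DEVMEM=y: /dev/mem limited to PCI/BIOS ranges, not RAM")
        if opts.get("CONFIG_IO_STRICT_DEVMEM") != "y":
            findings.append("IO_STRICT_DEVMEM unset: MMIO claimed by drivers still reachable")
    else:
        findings.append("STRICT_DEVMEM unset: all RAM reachable via /dev/mem (CAP_SYS_RAWIO)")
    # The node itself should be 0640 root:kmem; anything wider is a misconfiguration.
    if mode is not None and mode & (stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH):
        findings.append("/dev/mem mode 0%o wider than usual 0640 root:kmem" % stat.S_IMODE(mode))
    return ("restricted" if strict else "exposed"), findings

def load_running_config():
    """Read the running kernel's config from /proc/config.gz or /boot."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    with open("/boot/config-" + os.uname().release) as f:
        return f.read()

if __name__ == "__main__":
    mode = os.stat("/dev/mem").st_mode if os.path.exists("/dev/mem") else None
    risk, findings = assess_devmem(parse_kconfig(load_running_config()), mode)
    print("/dev/mem risk:", risk, findings)
```

On a kernel without STRICT_DEVMEM the verdict is "exposed", which is the precondition the post describes; a hypervisor guest still reports on its own kernel, so the virtualization point above is not covered by this check.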