With Linux, Even Rootkits Are Open Source

September 8th, 2008 by Justin Ryan


Linux has traditionally been regarded as significantly more secure than other common platforms, and in particular the Windows line. Part of the security equation has been the lack of large numbers of malware applications, along with the difficulty of deploying those applications covertly. That may well have changed last Thursday, however, as a commercial "penetration testing" firm released what may be the most difficult-to-detect Linux rootkit to date — under an open source license.

The company in question — Immunity, Inc. — released the rootkit branded "Debug Register" under the GPL Version 2, as part of its Canvas toolkit for security professionals. The rootkit operates differently than previous examples, eschewing the more traditional system call attack in favor of cloaking itself as a kernel debugger. According to reports, the rootkit utilizes debugging mechanisms within Intel chip architecture — potentially meaning vendors like AMD are immune. Regardless, every Linux user will now have to be on the lookout, as the availability of a pre-packaged — and open source — Linux rootkit means that, in the words of one security researcher, "the gap between a script kiddie and a hacker just got a little smaller."

Immunity, which is offering — of all things — commercial support for Debug Register, will no doubt find itself on the receiving end of a great deal of discussion — some, we suspect, less than civil — of the cost/benefit involved in the release. Whatever is said, the one thing that can't be changed is the reality that easy, pre-packaged Linux malware is now in the hands of every hacker from here to Helsinki and back.
__________________________
Justin Ryan is the News Editor for Linux Journal.
Look for him in the #linuxjournal IRC channel.


The community searches for

On April 9th, 2009 Anonymous (not verified) says:

The community searches for exploits fairly often. Some post how to fix them, others create "proof of concept" and show how bad the vulnerability is. My guess is people will find ways to prevent this type of malware from spreading. (it also is likely you cannot install it without root access so it would probably be entirely user propagated)


That's the beauty of Linux.

On April 6th, 2009 Anonymous (not verified) says:

The community searches for exploits fairly often. Some post how to fix them, others create "proof of concept" and show how bad the vulnerability is. My guess is people will find ways to prevent this type of malware from spreading. (it also is likely you cannot install it without root access so it would probably be entirely user propagated)


Follow the money

On September 8th, 2008 Anonymous (not verified) says:

I want to see who is paying Immunity Inc.'s checks.
Someone should follow the money and see if it leads to Microsoft as they are doubtless going to pounce on this news.
This doesn't bode well for the Linux community.


It bodes fine. You can't

On September 10th, 2008 Anonymous (not verified) says:

It bodes fine. You can't improve your security without threats against it. Immunity did a great service by releasing the rootkit with source code. Now it can be examined, and defenses built. There have been rootkits for years, there have also been detection tools. As new hiding methods are uncovered, new detection methods are created. This is the normal cycle of things. Immunity by releasing the source code brought this "problem" to light so that it can be fixed. If the bad guys created this rootkit, the problem would be underground and much harder to solve.


Yes, another "might be" to counter, Microsoft *is* hacked.

On September 10th, 2008 Spanky (not verified) says:

That's it really. Sure these things need to be looked at. Sure we *do* need to follow the money. Sure there will be sensationalist article titles. Yet, who is being hacked each and every month, and who isn't?

"Potential" is a far cry from *is* being hacked. If you believe the Microsoft defenders, when they say Windows is hacked only because of popularity, then I have some swamp land that's not too wet, for you.

Build on a solid foundation!


On the other hand ...

On September 10th, 2008 Henaway (not verified) says:

... with the code open, it should be pretty simple for the distros/kernel maintainers to see what makes it tick and lock down the hole that makes it possible, right?

Still, you DO have to wonder what would make a company release something like that publicly and open source. That's the kind of proprietary tool crackers would pay dearly to have!


I hate to tell you this...

On September 10th, 2008 The Doctor [412/724/301/703] (not verified) says:

...but crackers have been using rootkits for just about a decade now, and it's not hard to find the source code to most but not all of them (there are some which are in use that haven't been 'officially' released yet) with a couple of Google searches. There are rootkits for Linux, BSD, Windows, Solaris (as far back as 7, if I recall correctly), and even Irix.

It's one more threat to keep an eye on and one more thing to search for in suspect systems, but it really isn't all that earth shattering.
