With Linux, Even Rootkits Are Open Source
Linux has traditionally been regarded as significantly more secure than other common platforms, and in particular the Windows line. Part of the security equation has been the lack of large numbers of malware applications, along with the difficulty of deploying those applications covertly. That may well have changed last Thursday, however, as a commercial "penetration testing" firm released what may be the most difficult to detect Linux rootkit to date — under an open source license.
The company in question — Immunity, Inc. — released the rootkit branded "Debug Register" under the GPL Version 2, as part of its Canvas toolkit for security professionals. The rootkit operates differently than previous examples, eschewing the more traditional system call attack in favor of cloaking itself as a kernel debugger. According to reports, the rootkit utilizes debugging mechanisms within Intel chip architecture — potentially meaning vendors like AMD are immune. Regardless, every Linux user will now have to be on the lookout, as the availability of a pre-packaged — and open source — Linux rootkit means that, in the words of one security researcher, "the gap between a script kiddie and a hacker just got a little smaller."
Immunity, which is offering — of all things — commercial support for Debug Register, will no doubt find itself on the receiving end of a great deal of discussion — some, we suspect, less than civil — of the cost/benefit involved in the release. Whatever is said, the one thing that can't be changed is the reality that easy, pre-packaged Linux malware is now in the hands of every hacker from here to Helsinki and back.
Justin Ryan is a Contributing Editor for Linux Journal.
Free DevOps eBooks, Videos, and more!
Regardless of where you are in your DevOps process, Linux Journal can help!
We offer here the DEFINITIVE DevOps for Dummies, a mobile Application Development Primer, and advice & help from the expert sources like:
- Linux Journal
- Users, Permissions and Multitenant Sites
- New Products
- Flexible Access Control with Squid Proxy
- Security in Three Ds: Detect, Decide and Deny
- High-Availability Storage with HA-LVM
- Tighten Up SSH
- DevOps: Everything You Need to Know
- Solving ODEs on Linux
- Non-Linux FOSS: MenuMeters
- diff -u: What's New in Kernel Development