With Linux, Even Rootkits Are Open Source

Linux has traditionally been regarded as significantly more secure than other common platforms, and in particular the Windows line. Part of the security equation has been the lack of large numbers of malware applications, along with the difficulty of deploying those applications covertly. That may well have changed last Thursday, however, as a commercial "penetration testing" firm released what may be the most difficult to detect Linux rootkit to date — under an open source license.

The company in question, Immunity, Inc., released the rootkit, branded "Debug Register", under the GPL Version 2 as part of its Canvas toolkit for security professionals. It operates differently from previous examples: rather than the traditional approach of hooking the system call table, it installs itself as a kernel debugger and uses the processor's hardware debugging facilities to intercept execution. Some reports have suggested that, because the technique relies on Intel's debugging mechanisms, vendors like AMD might be immune; the debug registers in question are part of the x86 architecture rather than an Intel-only feature, however, and AMD processors implement them as well. Regardless, every Linux user will now have to be on the lookout, as the availability of a pre-packaged, open source Linux rootkit means that, in the words of one security researcher, "the gap between a script kiddie and a hacker just got a little smaller."
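The registers a "rootkit as kernel debugger" depends on are DR0 to DR3 (breakpoint addresses) and DR7 (the control register that arms them). What follows is an added example, not code from the article or from Immunity's release: a small C decoder for DR7 together with the check a detection tool would apply to it. It assumes the caller has already obtained DR7 and DR0 to DR3 from ring 0 (a kernel module reading them with a `mov` from the debug registers) or from a hypervisor; the register values, the kernel address 0xffffffff81000000 and the function names are constructed for illustration, not captured from a real infection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"; AMD parts use the same
 * bits): bits 0..7 are the L/G enable pairs for DR0..DR3, bit 13 is GD
 * (general detect), bits 16..31 hold the R/W and LEN fields per slot. */
enum bp_kind { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };

struct hwbp {
    int slot;          /* 0..3: which of DR0..DR3 holds the address */
    int local;         /* Lx bit */
    int global;        /* Gx bit */
    enum bp_kind kind; /* R/Wx field */
    int len;           /* decoded LENx, in bytes */
    uint64_t addr;     /* contents of DRx, supplied by the caller */
};

/* LENx encoding: 00=1 byte, 01=2, 11=4, 10=8 (8 only in 64-bit mode). */
static int decode_len(unsigned bits) {
    static const int tbl[4] = {1, 2, 8, 4};
    return tbl[bits & 3];
}

/* Decode DR7 plus the four address registers into the list of armed
 * breakpoints. Returns how many of DR0..DR3 are enabled. */
int decode_dr7(uint64_t dr7, const uint64_t dr0_3[4], struct hwbp out[4]) {
    int n = 0;
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i))     & 1;
        int global = (dr7 >> (2 * i + 1)) & 1;
        if (!local && !global)
            continue;
        struct hwbp *bp = &out[n++];
        bp->slot   = i;
        bp->local  = local;
        bp->global = global;
        bp->kind   = (enum bp_kind)((dr7 >> (16 + 4 * i)) & 3);
        bp->len    = decode_len((dr7 >> (18 + 4 * i)) & 3);
        bp->addr   = dr0_3[i];
    }
    return n;
}

int dr7_general_detect(uint64_t dr7) { return (dr7 >> 13) & 1; }

/* Detection heuristic: on a host with no debugger attached and no perf
 * hardware breakpoints, no slot should be armed and GD should be clear.
 * An execute breakpoint on a kernel code address is precisely how a
 * rootkit-as-debugger intercepts a code path without touching the
 * syscall table. Writes a reason into `why`, returns 1 if suspicious. */
int dr7_suspicious(uint64_t dr7, const uint64_t dr0_3[4],
                   char *why, size_t why_len) {
    struct hwbp bps[4];
    int n = decode_dr7(dr7, dr0_3, bps);
    if (dr7_general_detect(dr7)) {
        snprintf(why, why_len, "GD set: something traps every access to DR0-DR7");
        return 1;
    }
    for (int i = 0; i < n; i++) {
        if (bps[i].kind == BP_EXEC) {
            snprintf(why, why_len, "DR%d armed as execute breakpoint at 0x%llx",
                     bps[i].slot, (unsigned long long)bps[i].addr);
            return 1;
        }
    }
    if (n > 0) {
        snprintf(why, why_len, "%d data breakpoint(s) armed", n);
        return 1;
    }
    why[0] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample values. A quiet Linux host reads back 0x400 in
     * DR7 (only the always-set reserved bit 10). */
    uint64_t clean_dr7 = 0x400, zero_addrs[4] = {0, 0, 0, 0};
    /* Constructed "hooked" state: G0 set, R/W0 = execute, LEN0 = 1 byte,
     * DR0 pointing at a hypothetical kernel text address. */
    uint64_t hooked_dr7 = 0x400 | (1u << 1);
    uint64_t hooked_addrs[4] = {0xffffffff81000000ULL, 0, 0, 0};
    char why[128];

    printf("clean:  %d\n", dr7_suspicious(clean_dr7, zero_addrs, why, sizeof why));
    printf("hooked: %d (%s)\n",
           dr7_suspicious(hooked_dr7, hooked_addrs, why, sizeof why), why);
    return 0;
}
```

Two caveats a practitioner would want. First, a rootkit that owns the #DB handler can set the GD bit so that any attempt to read the debug registers from inside the compromised kernel traps to it, which lets it hand back a clean-looking DR7; a value read from within the box is therefore not conclusive, and a hypervisor or another path the rootkit does not control is the trustworthy source. Second, Linux arms these registers legitimately for ptrace watchpoints and perf hardware breakpoints, so an armed slot must be correlated with those users before it is called malicious.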

Immunity, which is offering — of all things — commercial support for Debug Register, will no doubt find itself on the receiving end of a great deal of discussion — some, we suspect, less than civil — of the cost/benefit involved in the release. Whatever is said, the one thing that can't be changed is the reality that easy, pre-packaged Linux malware is now in the hands of every hacker from here to Helsinki and back.

______________________

Justin Ryan is a Contributing Editor for Linux Journal.

Comments


The community searches for

Posted by Anonymous

The community searches for exploits fairly often. Some post how to fix them, others create "proof of concept" and show how bad the vulnerability is. My guess is people will find ways to prevent this type of malware from spreading. (It also is likely you cannot install it without root access, so it would probably be entirely user-propagated.)

That's the beauty of Linux.

Follow the money

Posted by Anonymous

I want to see who is paying Immunity Inc.'s checks.
Someone should follow the money and see if it leads to Microsoft as they are doubtless going to pounce on this news.
This doesn't bode well for the Linux community.

It bodes fine. You can't

Posted by Anonymous

It bodes fine. You can't improve your security without threats against it. Immunity did a great service by releasing the rootkit with source code. Now it can be examined, and defenses built. There have been rootkits for years, there have also been detection tools. As new hiding methods are uncovered, new detection methods are created. This is the normal cycle of things. Immunity by releasing the source code brought this "problem" to light so that it can be fixed. If the bad guys created this rootkit, the problem would be underground and much harder to solve.

Yes, another "might be" to counter, Microsoft *is* hacked.

Posted by Spanky

That's it really. Sure these things need to be looked at. Sure we *do* need to follow the money. Sure there will be sensationalist article titles. Yet, who is being hacked each and every month, and who isn't?

"Potential" is a far cry from *is* being hacked. If you believe the Microsoft defenders, when they say Windows is hacked only because of popularity, then I have some swampland that's not too wet for you.

Build on a solid foundation!

On the other hand ...

Posted by Henaway

... with the code open, it should be pretty simple for the distros/kernel maintainers to see what makes it tick and lock down the hole that makes it possible, right?

Still, you DO have to wonder what would make a company release something like that publicly and open source. That's the kind of proprietary tool crackers would pay dearly to have!

I hate to tell you this...

Posted by The Doctor [412/724/301/703]

...but crackers have been using rootkits for just about a decade now, and it's not hard to find the source code to most but not all of them (there are some which are in use that haven't been 'officially' released yet) with a couple of Google searches. There are rootkits for Linux, BSD, Windows, Solaris (as far back as 7, if I recall correctly), and even Irix.

It's one more threat to keep an eye on and one more thing to search for in suspect systems, but it really isn't all that earth shattering.
