
Rootkit: The Complete Documentation

  • This category contains 19 Papers
  • The last paper was added on 2007-03-26 (YYYY-MM-DD)

Abuse of the Linux Kernel for Fun and Profit

Published on April 09, 1997, by halflife, ©Phrack Magazine.

Loadable modules are a very useful feature in Linux, as they let you load device drivers on an as-needed basis. However, there is a bad side: they make kernel hacking almost TOO easy. What happens when you can no longer trust your own kernel...? This article describes a simple way kernel modules can be easily abused.

Adding Chkrootkit to Your Unix Auditing Arsenal

Published on February 26, 2001, by Bill Hutchison, ©SANS Institute.

When auditing any Unix system, it is advantageous to have a diverse selection of tools to help monitor a system for unusual and unexpected changes. As stated in the GIAC Level One Security Essentials Course, basic system auditing is the technique that is used to detect and record such changes in order to assure a system is secure. Those changes can be caused by any number of sources. The reports that are collected by regular audits assist in watching for intrusion attempts and discovering security break-ins. This same audit trail is also vital when assessing the damage that has been done after a system's security has been breached.
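
One of the concrete checks behind the "unusual and unexpected changes" the paper describes is comparing two views of the process table: what /proc lists, and what the kernel admits when asked pid by pid. A kernel rootkit that filters the directory entries of /proc keeps a process out of ps and top, but kill(pid, 0) still reports that the PID exists. The program below is an added example in C, not code from the page, from the paper, or from chkrootkit itself (whose chkproc helper performs the same kind of cross-check); MAX_SCAN is an assumed pid range, and the false-positive handling for exited processes and threads is this example's own design.

```c
/* Added example (not code from the page, the paper, or chkrootkit):
 * detect processes hidden from /proc by cross-checking two views of the
 * process table.  An LKM rootkit that filters the directory entries of
 * /proc leaves a PID that ps/top never see, yet the kernel still admits
 * that PID exists when asked directly with kill(pid, 0).  Linux only. */
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SCAN 32768  /* assumption: default pid_max; read
                           /proc/sys/kernel/pid_max on a real host */
#define MAX_PIDS 65536

/* Pure comparison: every pid in `admitted` that is absent from `listed`
 * is written to `hidden`; returns how many were written. */
static int find_hidden(const int *listed, int n_listed,
                       const int *admitted, int n_admitted,
                       int *hidden, int max_hidden)
{
    int count = 0;
    for (int i = 0; i < n_admitted; i++) {
        int seen = 0;
        for (int j = 0; j < n_listed; j++)
            if (listed[j] == admitted[i]) { seen = 1; break; }
        if (!seen && count < max_hidden)
            hidden[count++] = admitted[i];
    }
    return count;
}

/* View 1: the numeric entries readdir() returns for /proc (what ps sees). */
static int pids_from_proc(int *out, int max)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL && n < max)
        if (isdigit((unsigned char)e->d_name[0]))
            out[n++] = atoi(e->d_name);
    closedir(d);
    return n;
}

/* View 2: ask the kernel pid by pid.  kill(pid, 0) delivers no signal;
 * ESRCH means "no such process", 0 or EPERM means it exists. */
static int pids_from_kill(int *out, int max)
{
    int n = 0;
    for (int pid = 1; pid <= MAX_SCAN && n < max; pid++)
        if (kill(pid, 0) == 0 || errno == EPERM)
            out[n++] = pid;
    return n;
}

/* Weed out two benign causes before calling a pid hidden: a process that
 * exited between the two scans (kill() now says ESRCH), and a thread,
 * since kill() accepts thread IDs but /proc lists only thread-group
 * leaders.  /proc/<pid>/status is opened by path, which a readdir-filtering
 * rootkit leaves reachable; its Tgid line tells leader from thread.
 * If the path itself is gone while kill() says alive, report it. */
static int is_really_hidden(int pid)
{
    char path[64], line[256];
    int tgid = -1;
    if (kill(pid, 0) != 0 && errno == ESRCH)
        return 0;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return 1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid:\t%d", &tgid) == 1)
            break;
    fclose(f);
    return tgid == pid;
}

int main(void)
{
    static int listed[MAX_PIDS], admitted[MAX_PIDS], hidden[MAX_PIDS];
    int nl = pids_from_proc(listed, MAX_PIDS);
    if (nl < 0) { perror("/proc"); return 1; }
    int na = pids_from_kill(admitted, MAX_PIDS);
    int nh = find_hidden(listed, nl, admitted, na, hidden, MAX_PIDS);
    int reported = 0;
    for (int i = 0; i < nh; i++)
        if (is_really_hidden(hidden[i])) {
            printf("PID %d exists but is not listed in /proc\n", hidden[i]);
            reported++;
        }
    printf("%d listed, %d admitted by kill(), %d hidden\n", nl, na, reported);
    return reported ? 2 : 0;
}
```

Run it as root so that kill(pid, 0) is not answered with EPERM for every foreign process and /proc/<pid>/status is readable; on a system where /proc is mounted with hidepid=2, other users' processes are legitimately absent from both views and would be reported, so check the mount options before trusting a hit. A rootkit that also hooks the kill() or getpid-family syscalls defeats this particular cross-check, which is why such comparisons are one signal among several rather than proof of a clean host.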

Analysis of Rootkit/Smurf Payload Toolkit v 1.1

Published on 1/11/00, by SANS Institute.

A number of systems here were compromised on or about 12/22/99. The primary targets were Solaris systems, however, Compaq (formerly DEC) and SGI IRIX systems were compromised as well. Prompt action by the local sysadmins prevented the hackers from running their cleanup scripts. Consequently, we were able to get the toolkit that they were using against us. I had seen some of these files in earlier breakins dating from 9/99 but wasn't able to piece it together until we got the toolkit.

Analysis of the KNARK Rootkit

Published on March 12, 2001, by Toby Miller, SecurityFocus.

The purpose of this paper is to identify signatures related to the KNARK rootkit. This paper does not show how to install the rootkit nor does it make any comparisons between this rootkit and other rootkits. This paper will attempt to educate the readers on the various signatures and problems related to this rootkit.

Analysis of the T0rn rootkit

Published on 2000, by Toby Miller, SANS Institute.

The purpose of this paper is to inform the IDS community of signatures related to the t0rn rootkit. This paper will not serve as a how-to guide to the t0rn rootkit; rather, it is designed to identify binaries and ports that t0rn uses. This paper will also provide md5sums of binaries and analysis on how to detect t0rn.

Art of Rootkits (The)

Published on 2004-04-06, by Marcus Unknown, ©Marcus Unknown.

A rootkit is a program. Rootkits come in all different shapes and styles, some more advanced than others. Rootkits are basically programs that help attackers keep their position as root. Notice it's called a "rootkit": 'root' meaning the highest level of administration on *nix based systems and 'kit' meaning a collection of tools. Rootkits contain tools which help attackers hide their presence as well as give the attacker full control of the server or host continuously without being noticed.

Attacking FreeBSD with Kernel Modules

Published on June 1999, by Pragmatic, ©The Hackers Choice (THC).

FreeBSD is an often used server operating system. Lots of ISPs, universities and some firms are using it. After releasing my Linux LKM text, van Hauser asked me to take a look at the FreeBSD kernel, so here we go. This text will show you that most Linux LKMs can be ported to BSD systems (FreeBSD). On FreeBSD we can even do some things that were harder to implement on Linux systems. This text only deals with ways to backdoor/intercept system calls. I had a little conversation with Solar Designer, who taught me that there are lots of other ways to attack the FreeBSD kernel, but this will come in a further release.

Avoiding Trojans and Rootkits

Published on March 06, 2003, by Dru Lavigne, ©O'Reilly.

Trojans, rootkits, and DDoS agents are a sad reality. It's a little disheartening to think that software exists which, given a chance, can install unwanted files on your system, overwrite or destroy your own files, send your data or user input elsewhere, or use your computer to attack another system.

Complete Linux Loadable Kernel Modules

Published on 03/1999, by pragmatic, THC.

The use of Linux in server environments is growing from second to second. So hacking Linux becomes more interesting every day. One of the best techniques to attack a Linux system is using kernel code. Due to its feature called Loadable Kernel Modules (LKMs) it is possible to write code running in kernel space, which allows us to access very sensitive parts of the OS. There were some texts and files concerning LKM hacking before (Phrack, for example) which were very good. They introduced new ideas, new methods and complete LKMs doing anything a hacker ever dreamed of. Also some public discussions (newsgroups, mailing lists) in 1998 were very interesting.

File infos:

  • L0T3K ID: docs-352
  • status: online

Detecting Loadable Kernel Modules (LKM)

Published on 2000, by Toby Miller, ©CISSP/RHCE.

The purpose of this paper is to cover LKM basics, detecting "trojaned" LKMs and figuring out which LKM is installed on your machine.

Hacker Tools and their Signatures, Part Three: Rootkits

Published on August 14, 2001, by Toby Miller, SecurityFocus.

This is the third installment of a series devoted to examining hacker tools and their signatures. In this installment we will be looking at some of the signatures related to the KOH rootkit. The purpose of this paper is to assist the reader in detecting the KOH rootkit. Through this process, it is hoped that the reader will also learn steps to take to defend against the installation of these types of rootkits.

Kernel-mode backdoors for Windows NT

Published on 2004-07-13, by firew0rker and the nobodies, ©Phrack Magazine.

This article is intended for those who know the architecture of the Windows NT kernel and the principles of operation of NT drivers. This article examines issues involved in the development of kernel-mode tools for stealthy remote administration of Windows NT. Recently there has been a tendency of extending the use of Windows NT (2000, XP, 2003) from its classical stronghold as home and office OS to servers. At the same time, the outdated Windows 9x family is replaced by the NT family. Because of this it should be evident that remote administration tools (backdoors) and unnoticeable access tools (rootkits) for the NT family have a certain value. Most of the published utilities work in user-mode and can thus be detected by Antivirus tools or by manual inspection. It's quite another matter with those that work in kernel-mode: they can hide from any user-mode program. Antivirus software will have to supply kernel-mode components in order to detect a kernel-mode backdoor. Software exists that protects against such backdoors (such as IPD, "Integrity Protection Driver"), but its use is not widespread. Kernel-mode backdoors are not as widely used as they could be due to their relative complexity in comparison with user-mode backdoors.

Knark - Kernel Based Linux Rootkit

Published on December 24, 1999, by Creed, ©b4b0.

Knark is a kernel-based "rootkit" for Linux 2.1-2.2 (and some 2.3 kernels). This package includes knark.c, the heart of the package, the evil LKM (loadable kernel module) which wraps some syscalls.

Knark: Linux Kernel Subversion

Published on April 18, 2001, by Jonathan Clemens, SANS Institute.

Knark is one of the second generation of a relatively new form of rootkit—a loadable kernel module (LKM) designed to mask the presence of system activity. The author places an explicit disclaimer in the code and readme file, indicating that it is not to be used for illegal activity. However, it is easily used for this purpose, and covert usage has indeed been reported to the author.

Linux Kernel Hardening

Published on January 23, 2002, by Anton Chuvakin, SecurityFocus.

This article will cover the issues of Linux hardening, with a specific focus on kernel hardening and its use on production systems. Several kernel-hardening approaches and their usability will be analyzed.

NTIllusion: A portable Win32 userland rootkit

Published on 2004-07-13, by Kdm, ©Phrack Magazine.

This paper describes how to build a Windows userland rootkit. The first part deals with the basics and describes a few methods to show how code injection and code interception are possible, while the rest of the paper covers the strategy that makes stealth possible in userland. A bigger version of the paper is also available at so that novice people can refer to a preliminary article about injection and interception basics.

Protection Against The Lion Worm

Published on date n.c, by Chris Brenton, IRIA (Dartmouth College).

The Lion worm propagates by attacking vulnerable systems running Bind versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. Your best method of protection is to upgrade your version of Bind.

REAL NT Rootkit, patching the NT Kernel (A)

Published on September 09, 1999, by Greg Hoglund, ©Phrack Magazine.

First of all, programs such as Back Orifice and Netbus are NOT rootkits. They are amateur versions of PC-Anywhere, SMS, or a slew of other commercial applications that do the same thing. If you want to remote control a workstation, you could just as easily purchase the incredibly powerful SMS system from Microsoft. A remote-desktop/administration application is NOT a rootkit.

Rootkit Attack

Published on June 21, 2001, by MyCERT (Malaysian Computer Emergency Response Team), MA-026.062001.

MyCERT has lately received reports of intruder activity involving root compromise of Linux and SunOS machines. Upon analysis of the victims' machines, MyCERT discovered that the machines had been attacked and had rootkits installed ('t0rnkit' or 'tornkit', lrk, adore and rootkitsunos), which caused the root compromise of the machines.

Created: 2009-07-04 02:20 | Modified: 2009-01-10 02:17 | Size: 48547 octets
