turtle rootkit
Sofian Brabez
sbz at FreeBSD.org
Tue Jul 3 23:08:20 UTC 2012
Hi,
On Tue, Aug 30, 2011 at 11:53:12AM +0200, Clément Lecigne wrote:
>
> What do you want? It's just a basic rootkit that hooks some specific
> entries inside the sysent table. It can be detected by checking if a
> device /dev/turtle2dev exists or by sending an ICMP echo request with
> a payload starting with a double '_' and if rootkit is loaded no reply
> will be returned.
>
> [root at clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1
> HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
> [main] memlockall(): No such file or directory
> Warning: can't disable memory paging!
>
> --- 127.0.0.1 hping statistic ---
> 1 packets tramitted, 0 packets received, 100% packet loss
>
> These tricks can be implemented inside rkhunter or/and chkrootkit.
>
It has been implemented since rkhunter 1.4.0 [1], and the security/rkhunter port version [2]
is now able to detect it during the check scan:
% sudo rkhunter --version | head -1
Rootkit Hunter 1.4.0
% sudo rkhunter --list rootkits | grep -i turtle2
trNkit, Trojanit Kit, Turtle2, Tuxtendo, URK, Vampire,
% sudo rkhunter --check --sk
...
Turtle Rootkit [ Not found ]
Btw, the best way to avoid such a rootkit is to use sysctl kern.securelevel in
order to prevent untrusted kernel modules from loading at runtime (but it can be bypassed at
boot time...)
Regards
[1] http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG?revision=1.226&view=markup
[2] http://docs.freebsd.org/cgi/getmsg.cgi?fetch=471258+0+current/cvs-all
--
Sofian Brabez
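A small shell check for the two indicators described in this thread (the /dev/turtle2dev node and the unanswered ICMP probe whose payload starts with "__"), added here as an example; it is neither rkhunter's code nor anything from the original mail. It assumes hping(8) is installed for the ICMP part and that no firewall is dropping ICMP on the probed host; a dropped probe is reported as suspicious rather than as a confirmed infection for that reason.

```shell
#!/bin/sh
# Added example (not rkhunter's code): check the two Turtle2 indicators from the thread.

TURTLE_DEV="${TURTLE_DEV:-/dev/turtle2dev}"

# Indicator 1: the rootkit creates a device node.
# Returns 0 if the node exists (suspicious), 1 if it does not.
turtle_device_present() {
    [ -e "${1:-$TURTLE_DEV}" ]
}

# Indicator 2: an ICMP echo whose payload starts with "__" gets no reply
# while the rootkit is loaded. Sends one probe with hping (assumed installed)
# and returns 0 if a reply came back, 1 if not (suspicious), 2 if hping is missing.
icmp_probe_answered() {
    target="${1:-127.0.0.1}"
    hp=$(command -v hping || command -v hping3) || return 2
    # -1 = ICMP mode, -c 1 = one packet, -n = numeric, -e = payload string
    out=$("$hp" -c 1 -n "$target" -e "__probe" -1 2>&1)
    # hping prints "<N> packets received" in its statistics line
    recv=$(printf '%s\n' "$out" | sed -n 's/.* \([0-9][0-9]*\) packets received.*/\1/p')
    [ "${recv:-0}" -gt 0 ]
}

# Combine both indicators into a verdict. The results are passed in explicitly
# so the decision logic can be exercised without root or a network.
#   $1: device check status (0 = node exists)
#   $2: probe status (0 = reply received, 1 = no reply, 2 = probe skipped)
# Prints the verdict; returns 0 when something was found, 1 when clean.
turtle_verdict() {
    if [ "$1" -eq 0 ]; then
        echo "INFECTED: $TURTLE_DEV exists"; return 0
    fi
    case "$2" in
        1) echo "SUSPICIOUS: ICMP probe with '__' payload got no reply"; return 0 ;;
        2) echo "CLEAN (device check only; hping not installed)"; return 1 ;;
        *) echo "CLEAN"; return 1 ;;
    esac
}

# Stand-alone run: real device check, real probe, then the verdict.
turtle_scan() {
    turtle_device_present; dev=$?
    icmp_probe_answered "${1:-127.0.0.1}"; probe=$?
    turtle_verdict "$dev" "$probe"
}
```

Run as root for the ICMP probe; the device check alone needs no privileges and is what rkhunter's "Turtle Rootkit" test amounts to.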