
The Anti-Virus approach to rootkits

Posted Sep 30, 2004 10:20 UTC (Thu) by dps (guest, #5725)
Parent article: Interview with Rootkit Hunter author Michael Boelen

The AV approach to rootkits is probably the least effective one. Instead you can construct broad-spectrum tools that look for the *effects* of rootkits. In the case of adore, it only patches kill() and access via /proc. If netstat and ps output are not falsified one wonders how protective the rootkit is.

Brute-forcing the remainder of the system calls that take a process id generates a real process list. The fact that kill() gives different results is definite evidence of fun and games. Note that this method also reveals the real information inside various forms of sandbox.

Once you have a good process list you can then determine a real connection list via /proc/<pid>/fd/*, even if <pid> is something that is hidden. Comparison with ps output would tell you that your system has been owned.

checkps, my background version of this, can also stop or kill the hidden processes using ptrace if you ask it to, and most of a netstat test is also included. I am open to offers to maintain this beast.

Generic logic is also included in chkrootkit (albeit less exhaustive logic). A good default deny firewall is also effective against many remote access tools, especially if it implements fascism in both directions.
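The probe-and-compare method described in the comment above, written out as an added C example. This is not checkps, chkrootkit, or any code from the comment's author; it assumes a Linux /proc layout, and the function names (exists_by_kill, find_hidden, print_sockets, tcp_line_inode) are chosen here. It asks three different pid-taking system calls whether each pid up to pid_max exists, compares the answers with what readdir() on /proc shows, and for any pid the listing omits reads the socket links under /proc/<pid>/fd. One pitfall the comment does not spell out is handled: threads answer kill() but are not listed in /proc, so each listed pid's task/ directory is folded into the visible set before anything is declared hidden.

```c
/* hidden_pids.c: flag pids that answer pid-taking syscalls but are missing from the /proc
 * listing, then dump their socket inodes. Added example, not checkps/chkrootkit code.
 * Assumes Linux; all function names are chosen for this illustration. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Three independent "does this pid exist?" probes. A rootkit that hooks only kill() still
 * answers the other two truthfully, and disagreement between them is itself a signal. */
static int exists_by_kill(pid_t p)  { return kill(p, 0) == 0 || errno == EPERM; }
static int exists_by_sched(pid_t p) { return sched_getscheduler(p) >= 0 || errno == EPERM; }
static int exists_by_prio(pid_t p)  { errno = 0; return !(getpriority(PRIO_PROCESS, p) == -1 && errno == ESRCH); }

static int read_pid_max(void) {
    int n = 32768; FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%d", &n) != 1) n = 32768; fclose(f); }
    return n;
}

/* Mark every numeric directory entry of dir (e.g. /proc or /proc/<pid>/task) in seen[]. */
static void mark_listed(const char *dir, unsigned char *seen, int pid_max) {
    DIR *d = opendir(dir); struct dirent *e; char *end;
    if (!d) return;
    while ((e = readdir(d)) != NULL) {
        long v = strtol(e->d_name, &end, 10);
        if (e->d_name[0] && *end == '\0' && v > 0 && v < pid_max) seen[v] = 1;
    }
    closedir(d);
}

/* Thread-group id from /proc/<pid>/status, or -1 if that entry cannot be read. */
static int tgid_of(pid_t p) {
    char path[64], line[128]; int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", p);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    fclose(f);
    return tgid;
}

/* Fill out[] with pids that some syscall says exist but readdir() on /proc does not show.
 * Threads are not listed in /proc yet answer kill(), so each listed pid's task/ directory is
 * folded into the visible set first. Returns the number of hidden pids found. */
static int find_hidden(pid_t *out, int max_out) {
    int pid_max = read_pid_max(), n = 0;
    unsigned char *vis = calloc(pid_max, 1), *now = calloc(pid_max, 1);
    char path[64];
    mark_listed("/proc", vis, pid_max);
    for (int p = 1; p < pid_max; p++)
        if (vis[p]) { snprintf(path, sizeof path, "/proc/%d/task", p); mark_listed(path, vis, pid_max); }
    for (int p = 1; p < pid_max && n < max_out; p++) {
        int k, s, g;
        if (vis[p]) continue;
        k = exists_by_kill(p); s = exists_by_sched(p); g = exists_by_prio(p);
        if (!k && !s && !g) continue;
        /* A process that started after the listing is not hidden: re-list /proc and accept
         * the pid if its thread group is visible now. An unreadable status stays flagged. */
        mark_listed("/proc", now, pid_max);
        { int t = tgid_of(p); if (t > 0 && t < pid_max && now[t]) continue; }
        printf("pid %d: kill=%d sched=%d getpriority=%d, absent from /proc listing\n", p, k, s, g);
        out[n++] = p;
    }
    free(vis); free(now);
    return n;
}

/* List the socket inodes a pid holds via readlink() on /proc/<pid>/fd/*. This works for a pid
 * that readdir(/proc) omits as long as lookup of /proc/<pid> still succeeds. Returns the count. */
static int print_sockets(pid_t p) {
    char dir[64], path[128], tgt[64]; struct dirent *e; int n = 0; ssize_t len;
    snprintf(dir, sizeof dir, "/proc/%d/fd", p);
    DIR *d = opendir(dir);
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if ((len = readlink(path, tgt, sizeof tgt - 1)) <= 0) continue;
        tgt[len] = '\0';
        if (strncmp(tgt, "socket:[", 8) == 0) { printf("  pid %d fd %s -> %s\n", p, e->d_name, tgt); n++; }
    }
    closedir(d);
    return n;
}

/* Inode column of one /proc/net/tcp data line (0 for the header or a malformed line). Matching
 * it against the socket:[inode] links above recovers the endpoints of a hidden socket. */
static unsigned long tcp_line_inode(const char *line) {
    unsigned long ino = 0;
    if (sscanf(line, "%*d: %*s %*s %*s %*s %*s %*s %*d %*d %lu", &ino) != 1) return 0;
    return ino;
}

int main(void) {
    pid_t hidden[256];
    int n = find_hidden(hidden, 256);
    printf("%d hidden pid(s)\n", n);
    for (int i = 0; i < n; i++) print_sockets(hidden[i]);
    return n > 0 ? 1 : 0;
}
```

Run it as root so /proc/<pid>/fd of other users' processes is readable. A pid that is flagged on two consecutive runs is worth attention; a single hit can be a process that exited between the probe and the re-listing. A rootkit that hooks all three probes consistently defeats this particular scan, which is why the comment argues for brute-forcing the whole family of pid-taking calls rather than relying on kill() alone.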




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds