I'm working on some new techniques for Linux kernel rootkit detection as my thesis. I need some samples of rootkits to test my method and also do some machine learning tests. But not the old, dusty ones in packetstorm that could be found in computer history books as well. I've read a lot about it and I've seen some new methods of rootkit implementation in Phrack and some other resources. It would take a lot of time for me to just implement PoC rootkits out of them, and I would only get to the starting point of my project by then.
If anyone could help me with this it would be greatly appreciated. Any site, FTP, compromised system, unknown rootkit libraries, anything that might be a sample for my work is appreciated. But keep in mind that what I need are Linux kernel rootkits. Any type: LKM, system call hooking, object hooking, System.map / /dev/mem working stuff.
Thanks
P.S. By new rootkits I don't mean non-reported or all-over-the-news rootkits; something that would work on Ubuntu 10.04 or newer would be great (kernel version 2.6.32+).
Linux rootkits have been evolving over the years to keep pace with detection mechanisms. For example, some of the earliest Linux rootkits weren't as much of a rootkit as they were just series of backdoored commands that would prevent a system administrator from detecting a malicious process, shell, file, etc.
Rootkits that run in the kernel, also known as kernel-mode rootkits, can alter the entire operating system. Such modifications in the kernel aim at concealing the compromise. Therefore, the detection of a kernel rootkit becomes extremely hard. Different techniques exist to alter a system's kernel.
Using a Linux kernel module, a rootkit can modify the kernel's syscall table. By doing this, the rootkit can replace a system call to point to a program of its own. Another technique that a rootkit can use is to delete a log entry on a system so there will be no log entry of the attacker's activities.
User mode rootkits and DLL injection: in Windows, API hooking is a technique that is commonly employed to modify or change the flow of API calls. A user mode rootkit exploits this technique to inject malicious code into a program's memory while remaining concealed.
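The syscall-table hooking described in this answer is also the simplest thing a detector can check for: every entry in the live `sys_call_table` should resolve to the address that `System.map` (or `/proc/kallsyms`) gives for the corresponding `sys_*` symbol, and it should lie inside the core kernel image rather than in module memory. The following is an added example of that comparison, not code from the thread or from any project; the `System.map` excerpt and the live-table dump are constructed sample data, and the function names and the assumption that a dump of the live table is available (e.g. collected by a small trusted module) are this example's own.

```python
"""Detect syscall-table hooks by comparing a live dump against System.map.

Added example (not from the original thread). It assumes two inputs a
detector could collect on a real system: the symbol addresses from
/boot/System.map-<ver> (or /proc/kallsyms) and a dump of the live
sys_call_table entries. Both inputs below are constructed sample data.
"""
import re

# Constructed excerpt of a System.map: "<addr> <type> <symbol>" per line.
SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81001000 T sys_read
ffffffff81002000 T sys_write
ffffffff81003000 T sys_open
ffffffff81004000 T sys_getdents
ffffffff81005000 T sys_kill
ffffffff81800000 R sys_call_table
ffffffff81a00000 B _end
"""

# Constructed dump of the live table: syscall number -> function address.
# Entry 78 (getdents) points into the 0xffffffffa0... module area, which is
# where an LKM rootkit's replacement handler would live.
LIVE_TABLE = {
    0: 0xFFFFFFFF81001000,    # read
    1: 0xFFFFFFFF81002000,    # write
    2: 0xFFFFFFFF81003000,    # open
    62: 0xFFFFFFFF81005000,   # kill
    78: 0xFFFFFFFFA0012340,   # getdents -> outside the core kernel image
}

# Hypothetical x86_64 number->symbol mapping for the entries dumped above.
SYSCALL_NAMES = {0: "sys_read", 1: "sys_write", 2: "sys_open",
                 62: "sys_kill", 78: "sys_getdents"}

MAP_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)$")


def parse_system_map(text):
    """Return {symbol: address} for every well-formed System.map line."""
    symbols = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def kernel_image_range(symbols):
    """Half-open address range [_text, _end) of the core kernel image."""
    return symbols["_text"], symbols["_end"]


def check_syscall_table(live_table, names, symbols):
    """Compare each live entry with its System.map address.

    Returns a list of (syscall_nr, symbol, live_addr, reason) findings.
    """
    lo, hi = kernel_image_range(symbols)
    findings = []
    for nr, addr in sorted(live_table.items()):
        name = names.get(nr)
        expected = symbols.get(name) if name else None
        if expected is None:
            findings.append((nr, name or "unknown", addr, "no reference symbol"))
        elif addr != expected:
            if lo <= addr < hi:
                reason = "hooked: address differs from System.map"
            else:
                reason = "hooked: address outside the core kernel image"
            findings.append((nr, name, addr, reason))
    return findings


if __name__ == "__main__":
    for nr, name, addr, reason in check_syscall_table(
            LIVE_TABLE, SYSCALL_NAMES, parse_system_map(SYSTEM_MAP)):
        print(f"syscall {nr:3d} {name:<14} at {addr:#018x}: {reason}")
```

The two-step classification matters in practice: an entry that still points inside `[_text, _end)` but at the wrong symbol can be a legitimate kernel patch or a mismatched `System.map`, whereas an entry pointing into module memory with no matching symbol is the classic LKM hook signature. A real detector must also obtain the live table independently of the possibly hooked kernel APIs, which is why the thread's mention of `/dev/mem` and `System.map` is relevant to detection as much as to rootkits.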
For obvious reasons, you aren't going to find any rootkits available for download on the public internet. Doing so would be a huge liability exposure to anyone hosting them. Your options are: make some friends in the security research or black hat communities, or run some honeypots and capture them yourself.
You can get some kernel rootkits from the following link: http://www.ussrback.com/UNIX/penetration/rootkits/