Re: Announcement: Solaris loadable kernel module backdoor

[steve () CELL2000 NET (Steven Alexander)]

----- Original Message -----
From: Marc Esipovich <marc () MUCOM CO IL>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Wednesday, December 22, 1999 3:20 AM
Subject: Re: Announcement: Solaris loadable kernel module backdoor

> > With the proliferation of these types of backdoors, is there any way to
> > prevent your 'r00t3d' box from being backdoored?

Not completely.  Being root means they can change almost anything.  One
helpful thing is to install a progrm such as tripwire that stores checksums
of your files.  However, tripwire can also be duped into believing
everything is alright(perhaps by modifying the kernel).

Another idea would be to store copies of /bin, /usr/bin, /usr/sbin,
/sbin,etc. on a cd-rom drive and backup up from those frequently, need it or
not.  This will ensure that if any of these is tampered, an original will be
restored on a regular basis.

> Basically it comes down to this, can you trust your own kerenl?...
> you wake up one morning, read an article about backdoor kerenl modules,
> and quickly run off to fix your system,  at that point, how can you tell
> you're not already infected by such a module? when you can't trust your
> kernel, you can't trust anything on your entire system system.

Often, you can't.  UNIX users have had this problem for awhile because of
loadable kernel modules and because you can recompile the kernel.

Recently, Windows NT users have begun to face the same problem(see Phrack55)
because there are are now known ways to patch the NT kernel.  See
www.phrack.com and www.cell2000.net/security/ for more information.  I have
source code(C++) for a program that can add one of the described patches and
remove both of them from an sp3 kernel under NT.

-steven