DR Linux 2.6 rootkit released

    [多云 September 8, 2008 20:38 | by !4p47hy ]
o Hide processes
o Hide network sockets
o Hide files
o Get a remote MOSDEF Node (via hidden userland-backdoor)

The major benefit of the DR rootkit is that all this happens transparently to the end user. The children of a hidden process are also automatically hidden. The sockets a hidden process creates are also hidden. But if you are a hidden process, you can see hidden resources. This makes the DR rootkit nicely manageable.

DR loads via insmod - we've tested the rootkit on a number of Linux distributions including CentOS and Ubuntu.

The CANVAS support and backdoor logic were written by Daniel Palacio during his Immunity summer internship. He provided both the kernel hooks and the userland backdoor to the project.

The rootkit engine (DR.c) was written by Bas Alberts and consists of a debug register based hooking engine that does not modify the IDT or syscall table at all. It was written as a reference implementation for people wanting to experiment with such a rootkit technology, and was designed to be able to integrate easily into existing syscall hook based
It has known limitations and considerations which you can read about in the attached README.
You can find the source to the DR rootkit at:

URL: http://www.immunityinc.com/downloads/linux_rootkit_source.tbz2
MD5SUM: 1256523fa8a87949c5e588c981108ee8

Tools | Comments(0) | Trackbacks(0) | Reads(14668)
Add a comment
Enable HTML
Enable UBB
Enable Emots
Nickname   Password   Optional
Site URI   Email   [Register]

Security code Case insensitive