Open source release takes Linux rootkits mainstream
Script kiddies, the DR will see you now
The art of burying invisible malware deep inside a Linux machine is about to go mainstream, thanks to a new open-source rootkit released Thursday by Immunity Inc., a firm that supplies tools for penetration testers.
When implemented, Immunity's DR, or Debug Register, makes backdoors and other types of malware extremely difficult to detect or eradicate. It's notable because it cloaks itself by burrowing deep inside a server's processor and availing itself of debugging mechanisms available in Intel's chip architecture. The rootkit, in other words, mimics a kernel debugger.
By exploiting a CPU's native ability to generate interrupts, DR escapes some of the pitfalls that have visited more traditional types of rootkits, which modify an operating system's system call table. That's of increasing importance as more and more Linux distributions make it harder to make changes to the syscall table and rootkit detection programs such as chkrootkit and rkhunter actively check for such modifications.
Over the past few years, a growing body of malware has incorporated rootkits, making detection much harder. Until now, the benefit of using a rootkit was counterbalanced by the difficulty of building one. DR, which is available here under version 2 of the general public license, will make it profoundly easier.
"In the old days, to attack a computer, you needed to 1) find a bug, 2) write an exploit, 3) run the exploit 4) hide yourself," Charlie Miller, principal security analyst for Independent Security Evaluators, said in an email. "The gap between a script kiddie and a hacker just got a little smaller."
While DR simplifies the task of cloaking nasty malware on Linux boxes, it doesn't support symmetric multiprocessing or actively hide itself at the kernel level. The good news is that those are shortcomings that limit the rootkit's functionality and make it easier to detect.
The bad news: these features could be added with about a week's worth of development time. Indeed, Immunity is offering commercial support for DR as part of its Canvas toolkit, so stay tuned. ®
A little clarification...
I am a professional Penetration Tester who uses Immunity Canvas as a part of my job, I feel that some people here are missing the point so I thought I'd clarify this for people who are interested in the topic.
1> Rootkit is not an exploit, you need to have root access on the remote machine to be able to install a rootkit. Rootkit's are designed to maintain covert access on the system.
2> It's not a windows v/s linux war all OS'es are equally vulnerable to rootkits, once compromised.
3> Canvas is a completely legit commercial python based pentesting kit just like core impact, this stuff is nothing new, They charge for the hard work involved in security research, hence the commercial support.
4> Holy Father had released commercial rootkits for Windows long back called hacker defender, it even has various editions, depending on how covert one wants the rootkit to be.
5> There are many much better linux rootkits available out there for people who know,.
As if I had another reason to say Linux has no freaking place on the home desktop. Let's see: GUI that doesn't use file extensions so that .doc could be an executable, check. Rootkits that can integrate themselves completely seamlessly, check. User bin directory that executes before system commands, check. Open source commands that anyone can make adulterated versions of, check. And a need to go root and re-enter your password often, check.
If our current "home" versions of Linux were, today, deployed on the majority of users' desktops, it would be a security disaster of epic proportions. It is too freaking easy to elevate privileges, and too easy to trick users into executing malware without enforcing file extensions that match file type. Malware writers would be all over it.
@Steve Dommett - WTF?
In regard to your missive:
----- quote -----
Immunity Inc. are based in Florida. As such, they are accountable under US law. If the yanks can extradite a UK resident (Gary McKinnon) for cracking, surely they are also capable of bringing someone to account who makes a rootkit toolkit to facilitate this crime? Or is being accessory to cybercrime not yet a felony?
----- endquote -----
Over on this side of the pond, the laws - and especially legal precedent set by the Courts -- often make a distinction between "making available" and "inciting illegal activity."
For example, in Electra v. Barker (US District Court, Southern District of New York; Case No. 05-CV-7340-KMK) -- a RIAA / P2P / copyright case -- the judge determined that (to paraphrase) making a copyrighted work available via P2P is NOT the same as offering to illegally distribute a copyrighted work (or encouraging others to illegally distribute a copyrighted work) within the context of the law as written by Congress ("Opinion and Order"; March 31, 2008; about page 18 and following).
And let's not forget Sony Corp. of America v. Universal City Studios, Inc. (US Supreme Court; Case No. 464 US 417; Initial hearing January 18, 1983; Reargued October 3, 1983; Decided January 17, 1984). In this case, the US Supreme Court held that a device or technology cannot be outlawed if it has substantial legal and legitimate uses. This case, again, was argued in the context of copyright, but the theory holds.
Immunity's DR product can be used for nefarious purposes. However, the software also has substantial legitimate uses: It is a tool that can be used by security administrators to see how well their computer networks and servers stand up to unauthorized penetration.
So the short answer is, basically, "No, Immunity will probably never be held as an accessory in the commission of Cybercrime."