The day was generally quiet on the handlers' list. There was
some ongoing discussion about DNS spoofing. A few people wrote in with
(unrelated) DDoS attacks, now handled by either their providers or their
own border routers.
Loadable Kernel Modules
Michael thought his web server had a Loadable Kernel Module
installed, confirmed by
. I reminded him that
when a system - Linux or Windows - has a malicious loadable kernel module
(an LKM rootkit) installed, normal forensics can't be trusted anymore. The
LKM can completely control what data the kernel returns to userspace
programs, so even statically linked forensic tools won't help.
To regain control over the system, you need to boot from a
known good kernel, perhaps from
the first installation CD for your operating system.
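An added example (not code from this diary) of the offline check that such a known-good boot makes possible: with the suspect disk mounted read-only, every kernel module file on it is hashed against a manifest recorded from clean installation media, so the kernel that answers is the trusted one, not the rootkit's. It assumes a POSIX shell with GNU coreutils sha256sum; the mount point, the 2.6.11-demo module tree and the manifest are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the ISC diary. Run from a known-good kernel
# (rescue media) with the suspect filesystem mounted read-only; nothing on
# the suspect disk is executed. Assumes GNU coreutils sha256sum.

# Compare every *.ko under <suspect_root>/lib/modules with a manifest in
# sha256sum's "<hash>  </path/relative/to/root>" format. Prints one line per
# unknown or modified module; returns 0 only if the tree matches the manifest.
check_modules_offline() {
    suspect_root=$1   # e.g. /mnt/suspect (assumed mount point)
    manifest=$2       # hashes recorded from clean installation media
    findings=0
    # Kernel module paths contain no whitespace, so word splitting is safe here.
    for f in $(find "$suspect_root/lib/modules" -type f -name '*.ko' | sort); do
        rel=${f#"$suspect_root"}
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$manifest")
        if [ -z "$expected" ]; then
            echo "UNKNOWN  $rel (not in manifest)"
            findings=$((findings + 1))
        elif [ "$actual" != "$expected" ]; then
            echo "MODIFIED $rel (hash differs from manifest)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed demo data: a tiny module tree, a manifest of its clean state,
# then the kind of change a kernel-mode rootkit leaves behind (one module
# replaced, one extra module added). Echoes the temp directory it built.
build_demo_tree() {
    tmp=$(mktemp -d)
    mods="$tmp/root/lib/modules/2.6.11-demo/kernel/fs"
    mkdir -p "$mods"
    printf 'clean ext3 module\n' > "$mods/ext3.ko"
    printf 'clean nfs module\n'  > "$mods/nfs.ko"
    (cd "$tmp/root" && sha256sum lib/modules/2.6.11-demo/kernel/fs/*.ko \
        | sed 's#  lib/#  /lib/#') > "$tmp/manifest"
    printf 'trojaned ext3 module\n' > "$mods/ext3.ko"
    printf 'rootkit module\n'       > "$mods/hidden.ko"
    echo "$tmp"
}

# Usage: dir=$(build_demo_tree); check_modules_offline "$dir/root" "$dir/manifest"
```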
Ed Skoudis and Lenny Zeltser (two of the other handlers)
cover kernel-mode rootkits in more detail in their book
- well worth reading. They had nothing to do with this shameless
The handlers would like to thank T.C. at
for his help with
the keylogger application provided by Jan.
-- Handler on Duty,
Apr 21st 2005