Re: LKM rootkits in 2.6.x

From: Dave Jones
Date: Thu Mar 11 2004 - 20:00:02 EST


On Thu, Mar 11, 2004 at 05:51:33PM -0700, Dax Kelson wrote:
> On Thu, 2004-03-11 at 16:50, Dave Jones wrote:
> > On Thu, Mar 11, 2004 at 09:35:32PM +0100, Christophe Saout wrote:
> >
> > > > It _is_ forbidden. This isn't any kind of accident we are talking about,
> > > > this is out and out fraud.
> > >
> > > I'm talking about binary modules, not rootkits. Vendors aren't doing
> > > forbidden things, are they?
> > Yes.
> What Vendors and modules?

Most recent one I saw was some 'antivirus' filescanning module.
The name escapes me. It was mentioned on l-k at the time.
It wasn't the first by any means however. This trick has been used
since vendors stopped exporting sys_call_table.

Dave
