[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20161110155654.GL1555@brightrain.aerifal.cx>
Date: Thu, 10 Nov 2016 10:56:54 -0500
From: Rich Felker <dalias@...c.org>
To: oss-security@...ts.openwall.com
Subject: Re: Vlany: A Linux (LD_PRELOAD) rootkit
On Thu, Nov 10, 2016 at 01:18:44PM +0200, eov eov wrote:
> Features:
>
> Process hiding
> User hiding
> Network hiding
> LXC container
> Anti-Debug
> Anti-Forensics
> Persistent (re)installation & Anti-Detection
> Dynamic linker modifications
> Backdoors
> accept() backdoor (derived from Jynx2)
> PAM backdoor
> PAM auth logger
> vlany-exclusive commands
>
> Download: https://github.com/mempodippy/vlany
At a quick glance, this would be trivially noticed by using strace. It
also badly breaks thread-safety and AS-safety of lots of the
interfaces it overrides, so you would expect deadlocks and crashes and
other weird behavior in multithreaded processes and processes which
make significant use of signal handlers, which would suggest to the
user that something is badly wrong (and probably trigger them to try
strace or gdb) without them actively scanning for anything.
Rich
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
