Date: Thu, 10 Nov 2016 10:56:54 -0500 From: Rich Felker <dalias@...c.org> To: oss-security@...ts.openwall.com Subject: Re: Vlany: A Linux (LD_PRELOAD) rootkit On Thu, Nov 10, 2016 at 01:18:44PM +0200, eov eov wrote: > Features: > > Process hiding > User hiding > Network hiding > LXC container > Anti-Debug > Anti-Forensics > Persistent (re)installation & Anti-Detection > Dynamic linker modifications > Backdoors > accept() backdoor (derived from Jynx2) > PAM backdoor > PAM auth logger > vlany-exclusive commands > > Download: https://github.com/mempodippy/vlany At a quick glance, this would be trivially noticed by using strace. It also badly breaks thread-safety and AS-safety of lots of the interfaces it overrides, so you would expect deadlocks and crashes and other weird behavior in multithreaded processes and processes which make significant use of signal handlers, which would suggest to the user that something is badly wrong (and probably trigger them to try strace or gdb) without them actively scanning for anything. Rich
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ