Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20161110155654.GL1555@brightrain.aerifal.cx>
Date: Thu, 10 Nov 2016 10:56:54 -0500
From: Rich Felker <dalias@...c.org>
To: oss-security@...ts.openwall.com
Subject: Re: Vlany: A Linux (LD_PRELOAD) rootkit

On Thu, Nov 10, 2016 at 01:18:44PM +0200, eov eov wrote:
> Features:
> 
> Process hiding
> User hiding
> Network hiding
> LXC container
> Anti-Debug
> Anti-Forensics
> Persistent (re)installation & Anti-Detection
> Dynamic linker modifications
> Backdoors
> accept() backdoor (derived from Jynx2)
> PAM backdoor
> PAM auth logger
> vlany-exclusive commands
> 
> Download: https://github.com/mempodippy/vlany

At a quick glance, this would be trivially noticed by using strace. It
also badly breaks thread-safety and AS-safety of lots of the
interfaces it overrides, so you would expect deadlocks and crashes and
other weird behavior in multithreaded processes and processes which
make significant use of signal handlers, which would suggest to the
user that something is badly wrong (and probably trigger them to try
strace or gdb) without them actively scanning for anything.

Rich

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.