[Linux-aus] Stand up for Linux. Stop Microsoft killing Desktop Linux.

[Russell Coker]

On Sat, 24 Sep 2011, Adam Nielsen <a.nielsen at shikadi.net> wrote:
> This is going to go a little off topic, but I'm not so worried about
> preventing root from doing bad things, I'm more interested in preventing
> root from doing something that makes disinfection difficult.

You mean like reconfiguring PAM, adding accounts, changing passwords, or 
finding a daemon that starts as root and reconfiguring it to be insecure?

> The rootkit
> in question replaced /bin/ls and a bunch of other system commands with
> compromised versions, so that running one of those files would immediately
> reinstall the whole rootkit.

If you take an image of the system (via a snapshot from the Dom0 if it's a VM 
or by booting from trusted media otherwise) then you can compare checksums to 
deal with this.

> Now granted I haven't thought this through in every minor detail, but if
> there were signatures being verified from the new-BIOS down, then a
> compromised kernel wouldn't run, compromised modules wouldn't load, and
> compromised commands wouldn't reinstall any infection.

But you could have all manner of open daemon configurations.

> Scripts of course would still run, but I think it would be much easier if
> you could boot to single-user mode (where you can be certain there is no
> malicious code running), clean up your initscripts then reboot to go back
> to your normal system minus any live infection.

What about all the custom scripts?

> Now you can tell me what I'm missing ;-)

As you have the source code for everything, why don't you create a proof of 
concept and publish it for everyone to test.  Ruxcon is coming up soon, I'm 
sure they would give you a late entry speaker position if you get this done in 
time.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/