
SANS ISC InfoSec Handlers Diary Blog



Adore-ng 0.31 released and POC code for do_mremap()

Published: 2004-01-06
Last Updated: 2004-01-07 02:50:20 UTC
by Tom Liston (Version: 1)
0 comment(s)
Adore-ng 0.31 released



A new version of the "adore" rootkit for Linux systems has been released. According to the information found within the source tarball, the new version has the following feature set:


- runs on kernel 2.4.x UP and SMP systems

- first test-versions successfully run on 2.6.0

- file and directory hiding

- process hiding

- socket-hiding (no matter whether LISTENing, CONNECTED, etc.)

- full-capability back door

- does not utilize sys_call_table, but the VFS layer

- KISS principle: to have as few things in there as possible while still being as powerful as possible



Something to watch out for...
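One defender-side consequence of a rootkit that works at the VFS layer rather than in sys_call_table is that a directory listing of /proc can be filtered while the kernel still answers direct questions about a PID. The following added example (not code from the diary or from the adore-ng sources) cross-checks the two views; the function names and the choice of kill(pid, 0) as the probe are this example's own assumptions.

```python
import os


def listed_ids(proc_dir: str = "/proc") -> set[int]:
    """PIDs and thread IDs visible through ordinary /proc directory listings.
    Thread IDs are included: kill() acknowledges a TID, but /proc only lists
    it under /proc/<pid>/task, so omitting them would produce false hits.
    """
    ids: set[int] = set()
    for name in os.listdir(proc_dir):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{proc_dir}/{name}/task"))
        except OSError:
            pass  # process exited between the two listdir calls
    return ids


def pid_responds(pid: int) -> bool:
    """True if the kernel knows this ID. Signal 0 runs the checks only."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user


def find_hidden_pids(listed: set[int], probe, candidates) -> set[int]:
    """IDs that answer the probe yet are missing from the listing."""
    return {pid for pid in candidates if pid not in listed and probe(pid)}


def scan(proc_dir: str = "/proc") -> set[int]:
    """Run the check over the whole PID space, filtering scan-time churn."""
    with open(f"{proc_dir}/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())  # probing all of these takes a few seconds
    before = listed_ids(proc_dir)
    hits = find_hidden_pids(before, pid_responds, range(1, max_pid + 1))
    # A process that started mid-scan shows up in a second listing; drop it.
    return hits - listed_ids(proc_dir) - {os.getpid()}


if __name__ == "__main__":
    print("possible hidden PIDs:", sorted(scan()) or "none")
```

Any PID reported deserves a closer look with an independent tool or from a trusted boot medium, since a rootkit that also hooks kill() or stat() would defeat this single check.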




POC Code for the Linux Kernel do_mremap() exploit posted at bugtraq



Christophe Devine and Julien Tinnes have posted proof-of-concept code to bugtraq for the recently announced do_mremap() flaw in Linux kernels 2.2, 2.4 and 2.6. Once proof-of-concept code is released, working exploits are generally not far behind. Although at first blush this vulnerability appears to be limited to local exploitation, it could be used to escalate privileges following a successful remote attack. Time to get patching those kernels, folks...



Mailbag:



In today's mailbag we received this question, "MS says I have the blaster worm
on my computer. How do I get rid of it?" Well, Microsoft generally doesn't
tell you that you are infected with any particular worm or virus, so most
likely what you saw was a Windows Messenger pop-up spam advertising an
anti-virus product.



But if you do suspect that you are infected with Blaster, Symantec has a
nice removal tool at:



http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html




Once you have removed it, you will want to make sure you update your
computer. Go to http://v4.windowsupdate.microsoft.com/en/default.asp and
make sure that you get all of the service packs and patches on your
computer. You will need to click on the "Scan for Updates" link, and it will
advise you of which updates have not been applied to your computer. Please
install all of the recommended items. This will help to prevent a
reinfection in the near future.



It is important that you run a good Anti-Virus program and keep it up to
date, install service packs and patches as recommended by Microsoft, and
avoid opening attachments on emails that are suspicious in nature.



If you recently purchased a new WinXP system, or received one as a gift, be sure to get help in securing your new system:



http://isc.sans.org/presentations/xpsurvivalguide.pdf



Many thanks to Marcus Sachs for his suggestions on this entry.



---------------------------------------

Handler on duty: Tom Liston - http://www.labreatechnologies.com