Rootkits. A word that gives whitehats goosebumps and makes sysadmins cry in the shower. In a nutshell, rootkits are code that runs inside the OS kernel, which practically means they are a God and your machine is their pet. Of course, to load a rootkit into the kernel you need root permissions, but social engineering and 0-days make that two or three pieces of cake.
Let’s see what a typical rootkit will do:
All of the above are achieved by altering the system call table. Scary stuff, right? In Mr. Robot, rootkits are described as
A crazy serial rapist with a very big dick.
There are ways to protect yourself from them, but of course it’s a cat-and-mouse game that never ends.
A few years ago my job was to protect Linux servers from rootkits, and later I kept digging deeper as a hobby; it’s about time to open source this work.
The suite includes the following (whitehat) rootkits:
Protects the system call table. If an attempt to modify it is detected, snapshots of the processes running on the system are logged remotely and the machine gets frozen (that’s why it’s called Carbonite).
Blocks all attempts to insert rootkits into the kernel, dumps their instruction memory and logs a critical message.
Logs all network communication by probing the kernel’s inet stack.
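The table-snapshot check that Carbonite builds on, as an added user-space model written for this post rather than code from the suite: the array, the stub handlers and the tamper helper are constructed stand-ins for the kernel’s sys_call_table, and the check only reports which entry changed instead of freezing the machine.

```c
#include <string.h>

/* User-space model of the kernel's sys_call_table: an array of function
 * pointers indexed by syscall number. The three handlers are constructed
 * stand-ins, not real syscalls. */
typedef long (*syscall_fn)(long);
#define NR_SYSCALLS 3

static long stub_read(long fd)  { return fd + 1; }
static long stub_write(long fd) { return fd + 2; }
static long stub_open(long fd)  { return fd + 3; }

static syscall_fn sys_call_table[NR_SYSCALLS] = { stub_read, stub_write, stub_open };

/* Baseline taken once at load time, before any later module can touch the
 * table. A real implementation keeps this somewhere the attacker cannot
 * rewrite as easily as the table itself. */
static syscall_fn baseline[NR_SYSCALLS];

void take_snapshot(void)
{
    memcpy(baseline, sys_call_table, sizeof baseline);
}

/* Integrity check: index of the first entry whose pointer no longer matches
 * the baseline, or -1 when the table is intact. */
int find_hooked_entry(void)
{
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != baseline[i])
            return i;
    return -1;
}

/* Put the original pointers back; returns how many entries were repaired. */
int restore_table(void)
{
    int repaired = 0;
    for (int i = 0; i < NR_SYSCALLS; i++)
        if (sys_call_table[i] != baseline[i]) {
            sys_call_table[i] = baseline[i];
            repaired++;
        }
    return repaired;
}

/* Test helper only: overwrite one entry so the checker has something to find. */
static long bogus_handler(long fd) { (void)fd; return -1; }
void simulate_tamper(int nr) { sys_call_table[nr] = bogus_handler; }
```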
In the future I will post about some interesting snippets of the source code. The repo lives here; don’t forget to star it.