krd: kcore reader
krd is a rootkit detection utility which scan /proc/kcore for interesting data. Suspicious programs (sk, adore, etc.), worms/backdoors/viruses are detected even if running silently in your kernel. For instance, the ASCII string OSF indicates the ELF infector GMON.A is present.
We don't want our boxes owned, so we try our best to keep them secure in the first place. But what happens when our machines are compromised anyway? Many admins will notice their OS has become unstable, as the rootkit hides files, users, and processes - and simply halt and reinstall backups. But why not learn the source of the problem? This is where krd comes in.
krd is a /proc/kcore reader which checks for various attack signatures. File integrity checkers are useful to install before your servers are compromised, but quickly become useless after the fact. This is where krd becomes important.
* krd-pre0.1 can be downloaded here : http://krd.linux.edu/krd.tgz
* General information on the structure and use of krd: general
* Information on the use of the signature file: signatures
* Information on signature generation: siggen
* Information on krd's module: reader
Currently, the main problem with krd stems from the fact that /proc/kcore can be a huge file:
-r——– 1 root root 393M 2005-10-14 11:35 /proc/kcore
As such, it takes a very long time to scan. This issue has not yet been solved, but in the future we will attempt to optimize the reading and signature engine. Threading krd to scan different parts of /proc/kcore at the same time will also help.
An experiment of scanning speed with krd 0.1 can be found here: speed test for krd 0.1
The next goal is to generate a large signature database to detect malicious programs. Currently, the prototype version of krd only has a few random signatures and one for the suckit backdoor. We are actively working to increase the size of this database. Please check our signatures page for more information, and send in your signatures.
Do not hesitate to contact krd's main coder if you have comments: guill [at] ism-o [dot] com
Or, you can email here for questions and signature information: jameskrd [at] keystrike [dot] net
Want to be part of the linux.edu community? Contact memor [at] linux [dot] edu
pasmal is a packet authentication sniffer: a so called port knocking daemon, you can find it here: http://pasmal.casino770.com
sec6.net provides free hosting and all the usual things: http://www.sec6.net (Yes, krd and pasmal are coded under this label…)
Miami Programmer Guild: http://groups.google.com/group/Miami-programmer-Guild/