Hackers develop tools to thwart forensics

Tuesday, 10 June 2003, 4:10 PM EST

One example is a class of programs called the Loadable Kernel Modules (LKM) which, if used by hackers, can hide data even from forensics experts.

LKMs are files that contain components that can run dynamically. Normally, LKMs are used to load hardware drivers.

Hackers can create LKM rootkits that can access the kernel directly, while hiding processes, connections, directories and files without modifying the binaries of any program. A rootkit is a collection of programs that a hacker uses to mask intrusion and get access to a computer.

While most hackers' rootkits activities can be detected by methods such as doing MD5 checksums, if LKM rootkits are used, any checksum methods become useless as no files would have been modified.

It is not just a case of hidden files but the alteration of kernel processes so that queries on various information to the server would return fake results. For example, when a file search is made, even if the file were there, the search will turn up negative.

[ Read more ]

Related items




Spotlight

eBook: Cybersecurity for Dummies

Posted on 16 December 2014.  |  APTs have changed the world of enterprise security and how networks and organizations are attacked. These threats, and the cybercriminals behind them, are experts at remaining hidden from traditional security while exhibiting an intelligence, resiliency, and patience that has never been seen before.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Wed, Dec 17th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //