Questions regarding chkrootkit and Syslogk LKM rootkit

In case of FreeBSD, Ring 0 means kernel.
On Windows and Linux too. If I recall correctly only 2 rings are actually used on most operating systems, ring 0 and ring 3.

One should insert that malicious code, infecting the BIOS, into the kernel.
Indeed. Or, and this might actually be easier to do, use an EFI update tool and modify the boot scripts on the EFI partition.
 
This topic drifted off the original question and I apologize for turning it back, but security/chkrootkit is reporting INFECTED: Possible Malicious Syslogk LKM rootkit installed on two fresh boxes both running 14.0-RELEASE-p6 #0 when I execute chkrootkit -q -n.

I can't find any indication by any other means (such as security/rkhunter, sysutils/lsof, security/nmap, security/unhide). Even stranger, running the chkrootkit -x -n (expert, verbose output) and filtering with grep does not report any "infected" or "Syslogk" entries.

Code:
# chkrootkit -x -n | grep -B5 -i infected
.got.plt
.bss
.comment
.gnu_debuglink
not tested
not infected
--
.data
.got.plt
.bss
.comment
.gnu_debuglink
not infected
--
.data
.got.plt
.bss
.comment
.gnu_debuglink
not infected
/usr/local/sbin/chkrootkit: -SIGCONT: not found
/usr/local/sbin/chkrootkit: -SIGCONT: not found
--
not found
###
### Output of: /usr/local/sbin/ifpromisc
###
bge0 is not promisc
not infected
###
### Output of: /usr/local/sbin/chkwtmp -f wtmp
###
not infected
not infected

Nor were any open ports found with the X, F, T, N, or A nmap options that weren't expected and enumerated by sockstat.

I'm disinclined to be too concerned, though based on this article I did configure a rule to drop any packets with a source port of 59318 and a full file system search for PgSD93ql (nothing). Are we facing a novel Syslogk FreeBSD variant or false positives from security/chkrootkit?
 
The script that comes with it is a shell script /also/ doing this:
Code:
   ## Syslogk LKM rootkit
   if [ "${QUIET}" != "t" ]; then
      printn "Searching for Syslogk LKM rootkit... "; fi
      (${echo} 1> "${ROOTDIR}proc/syslogk") >/dev/null 2>&1
   if  ${ls} "${ROOTDIR}proc/syslogk" > /dev/null 2>&1 ; then
      echo "INFECTED: Possible Malicious Syslogk LKM rootkit installed"
   else
      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
   fi
It doesn't care whether /proc is actually a pseudofs or not (by default it's not mounted on FreeBSD), and hence ${echo} 1> "${ROOTDIR}proc/syslogk" creates the file, setting it up for a false alarm. It shoots itself in the foot.
If you rmdir /proc completely (which you can on a fresh install because procfs is not mounted) it triggers a whole lot of different false alarms.

It seems this tool was not written for FreeBSD.
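As an added illustration of the false positive described above (example code written for this thread, not chkrootkit's own script), the following reproduces the probe logic against a constructed root directory and shows a hardened variant that only runs the probe when the proc directory is an actual mount point; the mount-point test via device numbers is an assumption of this example, not something chkrootkit does:

```sh
#!/bin/sh
# Added example: reproduces the quoted Syslogk probe and a hardened version
# that refuses to probe unless "${ROOTDIR}proc" is a real mounted filesystem.

# Mirrors the quoted probe: write into proc/syslogk, then test that the path
# exists. On a plain directory (no procfs mounted, the FreeBSD default) the
# write just creates a regular file, so the test always "succeeds".
naive_probe() {
    ( echo 1> "${1}proc/syslogk" ) >/dev/null 2>&1 || true
    if ls "${1}proc/syslogk" >/dev/null 2>&1; then echo INFECTED; else echo clean; fi
}

# True when $1 is a mount point: its device number differs from its parent's.
# Tries GNU stat (-c) first, then BSD stat (-f) as a fallback.
is_mountpoint() {
    [ -d "$1" ] || return 1
    d=$(stat -c %d "$1" 2>/dev/null) || d=$(stat -f %d "$1") || return 1
    p=$(stat -c %d "$1/.." 2>/dev/null) || p=$(stat -f %d "$1/..") || return 1
    [ "$d" != "$p" ]
}

# Hardened probe: skip (instead of creating the marker file) when proc is not
# mounted. On a mounted procfs a stray file cannot be created, so the write
# only "succeeds" if the rootkit's /proc/syslogk entry really exists.
hardened_probe() {
    if ! is_mountpoint "${1}proc"; then
        echo "skipped: ${1}proc is not a mounted filesystem"
        return 0
    fi
    ( echo 1> "${1}proc/syslogk" ) >/dev/null 2>&1 || true
    if ls "${1}proc/syslogk" >/dev/null 2>&1; then echo INFECTED; else echo clean; fi
}

# Demo on a constructed root with an empty, unmounted proc directory.
demo_root=$(mktemp -d)
mkdir "${demo_root}/proc"
echo "naive:    $(naive_probe "${demo_root}/")"      # naive:    INFECTED (false alarm)
echo "hardened: $(hardened_probe "${demo_root}/")"   # hardened: skipped: ...
rm -rf "$demo_root"
```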
 
Ah, thanks _martin, that puts my mind at ease. It is clearly a Linux utility, and the points SirDice made about the kernel module not being loadable under FreeBSD made sense, but that it wasn't visible in kldstat, while a little reassuring, fell short of confidence-inspiring after the detailed description of the steps taken to obfuscate it as a kernel module, in Linux at least.
 