by jeroenhd
618 days ago
The article describes a hooking library as a rootkit but I can't see any indication of this rootkit inserting itself into the boot process. Instead, it seems to LD_PRELOAD itself into processes at a later stage. Secure boot won't help here. In theory one could configure a system to only trust executables and DLLs signed by a trusted, external signatory (like a locally hosted package repository) but I don't know of any Linux distros that make it easy to set up something like that. You'd also need to invent something to sign scripts, because signing binaries is only a part of the problem (in theory you could set this up with Powershell, I think? But I doubt many Linux systems will boot with PS in the place of /bin/sh). Once the kernel launches the init process, the rest of the secure boot verification chain essentially ends. It seems to me that prevention isn't hard by simply updating old software and perhaps running antivirus software on your servers.
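A runtime audit for the LD_PRELOAD-style injection discussed above, added here as an example (not code from the article or from the commenter). It assumes a glibc Linux host, where the two injection points are the LD_PRELOAD variable in /proc/<pid>/environ and the /etc/ld.so.preload file, and it runs on constructed sample data; `collect_live()` applies the same check to the host it runs on.

```python
"""Audit a Linux host for LD_PRELOAD injection: the LD_PRELOAD variable of a
process (/proc/<pid>/environ) and /etc/ld.so.preload, read by the loader."""
import re
from pathlib import Path

def parse_environ(blob: bytes) -> dict:
    """Turn raw /proc/<pid>/environ bytes (NUL-separated KEY=VALUE) into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep:
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env

def split_preload_list(text: str) -> list:
    """LD_PRELOAD and ld.so.preload both hold colon/whitespace-separated lists."""
    return [lib for lib in re.split(r"[:\s]+", text) if lib]

def audit(environs: dict, preload_file_text: str) -> list:
    """Return (source, library) findings. environs is {pid: raw environ bytes};
    preload_file_text is the /etc/ld.so.preload content ('' if absent)."""
    findings = [("/etc/ld.so.preload", lib)
                for lib in split_preload_list(preload_file_text)]
    for pid, blob in environs.items():
        for lib in split_preload_list(parse_environ(blob).get("LD_PRELOAD", "")):
            findings.append((f"pid {pid} LD_PRELOAD", lib))
    return findings

def collect_live() -> list:
    """Run the audit on this host (other users' environ is readable only as root)."""
    environs = {}
    for p in Path("/proc").iterdir():
        if p.name.isdigit():
            try:
                environs[p.name] = (p / "environ").read_bytes()
            except OSError:
                continue  # process exited, or not readable by this user
    preload = Path("/etc/ld.so.preload")
    return audit(environs, preload.read_text() if preload.is_file() else "")

# Constructed sample input, not captured from a real host.
SAMPLE_ENVIRONS = {
    "101": b"PATH=/usr/bin\0HOME=/root\0",
    "202": b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libhook.so:/lib/libc.so.6\0",
}
SAMPLE_PRELOAD_FILE = "/usr/local/lib/libhook.so\n"
if __name__ == "__main__":
    for source, lib in audit(SAMPLE_ENVIRONS, SAMPLE_PRELOAD_FILE):
        print(f"{source}: {lib}")
```

Every library the audit reports should be traceable to a package or a deliberate admin choice; anything else is worth comparing against package-manager file ownership and checksums.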