Carbonite v1.0

A Linux Kernel Module to aid in RootKit detection.

Incident Response vs. Loadable Kernel Module Rootkits

Rootkits are collections of commonly trojaned system processes and scripts that automate many of the actions an attacker takes when he compromises a system. Rootkits will trojan ifconfig, netstat, ls, ps, and many other system files to hide an attacker's actions from unwary system administrators. They are freely available on the Internet, and one exists for practically every Unix release. The state-of-the-art rootkits are Loadable Kernel Modules (a feature unique to most Unix systems) that hide files, hide processes, and create illicit backdoors on a system. Solaris, Linux, and nearly all Unix flavors support Loadable Kernel Modules. Attacker tools that are Loadable Kernel Modules, or LKMs, have added to the complexity of performing initial response and investigations on Unix systems.

All operating systems provide access to kernel structures and functions through the use of system calls. This means whenever an application or command needs to access a resource the computer manages via the kernel, it will do so through system calls. This is practically every command a user types! Therefore LKM rootkits such as knark, adore, and heroin provide quite a challenge to investigators. The typical system administrator who uses any user space tools (any normal Unix commands) to query running process could overlook critical information during the initial response.

Therefore we created a Linux kernel module called Carbonite, an lsof and ps at the kernel level. Carbonite "freezes" the status of every process in Linux's task_struct, which is the kernel structure that maintains information on every running process in Linux.