ChokePoint: Detecting Userland Preload Rootkits
http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
Friday, February 14, 2014

Detecting Userland Preload Rootkits

We recently released a new userland rootkit on BHL. It's similar to previous versions of Jynx/Jynx2, but is more advanced and focused on anti-debugging and anti-detection methods. This leads us into a current major problem with rootkit detection mechanisms such as rkhunter. Now here's an example run against Azazel:

LD_PRELOAD=/lib/libselinux.so ./preloadcheck
Checking open syscall.
[!] Libc address: 0x7fe1bf65ab40 Next address: 0x7fe1bfb1d67...
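The address comparison that preloadcheck prints above (where libc defines a wrapper versus where the process actually resolves it) can be reproduced with a handful of dlsym calls. The following is an added example written for this page; it is not chokepoint's preloadcheck and not Azazel code. It resolves each wrapper once through RTLD_NEXT, which from the main executable lands on the first object after it in search order (any LD_PRELOAD or /etc/ld.so.preload library, else libc), and once directly inside libc's own handle; the two addresses differ only when something ahead of libc is interposing. It assumes glibc (the library name libc.so.6) and, on glibc older than 2.34, linking with -ldl; the symbol list, result codes and function names are this example's own.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>

/* Result codes for this example (not part of preloadcheck). */
enum hook_state { HOOK_ERROR = -1, HOOK_CLEAN = 0, HOOK_PRESENT = 1 };

/* Address at which libc itself defines sym. RTLD_NOLOAD only hands back a
 * handle to the already-mapped libc, so nothing new enters the process. */
static void *libc_symbol(const char *sym)
{
    void *libc = dlopen("libc.so.6", RTLD_LAZY | RTLD_NOLOAD); /* glibc name, assumed */
    if (libc == NULL)
        return NULL;
    void *addr = dlsym(libc, sym);
    dlclose(libc); /* drops only the reference taken above */
    return addr;
}

/* Resolve sym the way the rest of this process does (RTLD_NEXT: first object
 * after the executable in search order, which is where LD_PRELOAD and
 * /etc/ld.so.preload libraries sit) and compare with libc's own definition.
 * A mismatch means a library ahead of libc is interposing on the symbol. */
enum hook_state check_symbol(const char *sym, void **libc_addr, void **next_addr)
{
    void *real = libc_symbol(sym);
    void *next = dlsym(RTLD_NEXT, sym);
    if (libc_addr) *libc_addr = real;
    if (next_addr) *next_addr = next;
    if (real == NULL || next == NULL)
        return HOOK_ERROR;
    return real == next ? HOOK_CLEAN : HOOK_PRESENT;
}

/* Wrappers that Jynx-style preload rootkits commonly interpose (illustrative list). */
static const char *const common_syms[] = { "open", "fopen", "readdir", "accept", "unlink" };

/* Check every entry, print preloadcheck-style lines, and return how many are
 * hooked, or -1 if any lookup failed. */
int scan_common_hooks(void)
{
    int hooked = 0;
    for (size_t i = 0; i < sizeof common_syms / sizeof *common_syms; i++) {
        void *a = NULL, *b = NULL;
        enum hook_state s = check_symbol(common_syms[i], &a, &b);
        if (s == HOOK_ERROR)
            return -1;
        printf("Checking %s: libc address %p, next address %p %s\n",
               common_syms[i], a, b, s == HOOK_PRESENT ? "[!] HOOKED" : "ok");
        if (s == HOOK_PRESENT)
            hooked++;
    }
    return hooked;
}

int main(void)
{
    int n = scan_common_hooks();
    if (n < 0) {
        fputs("symbol lookup failed\n", stderr);
        return 2;
    }
    return n > 0 ? 1 : 0; /* non-zero exit when something is interposing */
}
```

Run it once plainly and once under a preload library that defines open or readdir; only the second run reports a mismatch. The caveat a practitioner should keep in mind: the check trusts dlopen and dlsym, so a preload library that also interposes on those can make both addresses agree. A stronger variant reads libc's symbol table from the file on disk (or walks /proc/self/maps) rather than asking the loader, which is also why the presence of LD_PRELOAD in the environment or /etc/ld.so.preload on disk cannot be taken at face value from inside a possibly hooked process.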