
Dialnet


Abstract of Loadable kernel modules: the new frontier for incident response

Keith J. Jones

What would you do if traditional incident response tools completely failed during an investigation? That is exactly what I experienced when up against a loaded evil kernel module. Loadable kernel modules are changing the techniques used to perform an incident response because the level of compromise is raised from user space to kernel space. Once the compromise breaches kernel space, the effects trickle down to every user-space executable resident on the trojaned system. This allows an intruder to change the behavior of any command executed on the system without changing the program binaries themselves. With this in mind, any trusted toolkit you transfer to the victim machine will also be automatically compromised. Therefore, I will explain how one malicious kernel module works and describe a couple of tools I developed to cope with the problem.

