Friday, October 12, 2012

Analyzing the Phalanx 2 Rootkit with Volatility

Andrew Case has written a great blog post in which he analyzes the Linux rootkit Phalanx2 with Volatility.


He explains all the common steps:
  • Dump the memory with LiME.
  • List hidden processes.
  • File descriptors opened by the hidden process (open sockets!).
  • Network connections.
  • Hooked system calls.
  • Recover
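The steps above rest on one idea: a rootkit that unlinks its process from the task list or overwrites a sys_call_table entry leaves the kernel in an inconsistent state, and comparing two independent views of the same data exposes it. The script below is an added example, not code from Andrew Case's post or from Volatility itself; it reproduces, on constructed sample data embedded inline, the kind of cross-view check that Volatility's linux_psxview, linux_lsof and linux_check_syscall plugins perform. All pids, addresses and symbol names are made up for illustration.

```python
"""
Cross-view checks on CONSTRUCTED sample data (not output from the
Phalanx2 analysis). Three questions a memory analyst asks:
  1. Which pids show up in one kernel data source but not another?
  2. Which file descriptors of a suspect pid are sockets?
  3. Which sys_call_table entries point outside the kernel's own text?
"""

# Constructed: pids found by walking init_task->tasks (what a plain
# process list shows). The hidden process is absent from this view.
TASK_LIST_PIDS = {1, 2, 245, 812, 1337, 2001}

# Constructed: pids found through a second, independent source
# (e.g. the pid hash table). Unlinking from the task list does not
# remove the entry here, so the hidden pid survives.
PID_HASH_PIDS = {1, 2, 245, 812, 1337, 2001, 4242}

# Constructed lsof-style listing: offset, comm, pid, fd, path.
LSOF_TEXT = """\
Offset             Name   Pid   FD   Path
0xffff88003c1c8000 bash   1337  0    /dev/pts/0
0xffff88003c1c8000 bash   1337  1    /dev/pts/0
0xffff88003a2b4000 httpd  4242  3    socket:[19823]
0xffff88003a2b4000 httpd  4242  4    /etc/passwd
"""

# Constructed System.map-style facts: kernel text range and the
# addresses of the legitimate syscall handlers.
KERNEL_TEXT_START = 0xffffffff81000000
KERNEL_TEXT_END = 0xffffffff81600000
KNOWN_SYMBOLS = {
    0xffffffff8111a2b0: "sys_read",
    0xffffffff8111a4c0: "sys_write",
    0xffffffff8111b100: "sys_open",
    0xffffffff81160220: "sys_getdents64",
}

# Constructed sys_call_table dump: (index, name, handler address).
# open and getdents64 point into 0xffffffffa0... , the module/vmalloc
# area, which is where an LKM or injected code would live.
SYSCALL_TABLE = [
    (0, "read", 0xffffffff8111a2b0),
    (1, "write", 0xffffffff8111a4c0),
    (2, "open", 0xffffffffa0012340),
    (217, "getdents64", 0xffffffffa0012800),
]


def hidden_pids(task_list, pid_hash):
    """Pids present in the second view but missing from the task list
    are hidden-process candidates: their task_struct was unlinked from
    init_task->tasks but still exists in memory."""
    return sorted(pid_hash - task_list)


def socket_fds(lsof_text, pid):
    """Return (fd, path) pairs of a pid whose path is a socket.
    Assumes whitespace-separated columns and no spaces in comm."""
    found = []
    for line in lsof_text.splitlines()[1:]:  # skip header
        _offset, _name, line_pid, fd, path = line.split()
        if int(line_pid) == pid and path.startswith("socket:"):
            found.append((int(fd), path))
    return found


def hooked_syscalls(table, text_start, text_end, symbols):
    """Flag entries whose handler is not a known kernel symbol or lies
    outside the kernel text section (i.e. in module or injected memory)."""
    hooked = []
    for idx, name, addr in table:
        in_text = text_start <= addr < text_end
        if not in_text or addr not in symbols:
            hooked.append((idx, name, hex(addr)))
    return hooked


if __name__ == "__main__":
    print("hidden pids:", hidden_pids(TASK_LIST_PIDS, PID_HASH_PIDS))
    for pid in hidden_pids(TASK_LIST_PIDS, PID_HASH_PIDS):
        print("sockets of", pid, socket_fds(LSOF_TEXT, pid))
    print("hooked syscalls:", hooked_syscalls(
        SYSCALL_TABLE, KERNEL_TEXT_START, KERNEL_TEXT_END, KNOWN_SYMBOLS))
```

On a real image the inputs come from the memory dump (task list, pid hash, per-task files_struct, sys_call_table) and from the matching System.map; the comparison logic is the same. An address in the module area is not proof of a hook by itself, so the next step is to map it back to a loaded (or unlinked) module and disassemble what it points at.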

At the end of the post, Andrew Case performs a complete forensic analysis of the kernel modules and the binaries used to inject the rootkit.
