Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sebek2 - A Kernel-based Data Capture Tool

Posted by michael on Saturday September 27, 2003 @08:52AM from the i-spy-with-my-little-eye dept.

LogError writes "Sebek is a piece of code the lives entirely in kernel space and records either some or all data accessed by users on the system. This paper is a detailed discussion of Sebek, how it works and its value."

2 of 74 comments (clear)

Min score:

Reason:

Sort:

Great tool in the right hands by mpeg4codec · 2003-09-27 08:55 · Score: 4, Insightful

This can just as easily be modified and used by blackhats as an advanced rootkit, though. Like everything, it's a double-edged sword.
1. Re:Great tool in the right hands by moreati · 2003-09-27 09:15 · Score: 5, Insightful
  
  True, like anthing this has Good and Evil uses, but since it is kernel resident then it requires either a reboot or a siutable set of hooks in the running kernel so it can be loaded as a module.
  
  Thus the impact of malicuous use of this technology could be mitigated by disabling loadable modules once booted, limiting access to kernel structures by loaded modules, using some varient of TCPA (rootkit module not signed), and/or only accepting shutdown signals from the local console.
  
  In a corporate environment however I could see this used as a virtually undetectable piece of snitch software, ie for spying on employees at their workstation, even if they have root.
  
  Regards
  
  Alex