SCIENTIFIC-LINUX-USERS Archives

September 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Vladimir Mosgalin <[log in to unmask]>
Reply To: Vladimir Mosgalin <[log in to unmask]>
Date: Thu, 8 Sep 2016 13:38:45 +0300
Content-Type: text/plain
Parts/Attachments: text/plain (40 lines)

Hi jdow!

On 2016.09.07 at 19:18:32 -0700, jdow wrote next:

> Is the part of the filesystem which handles links in kernel space or user
> space? That would make a great deal of difference as this rootkit tool

In the kernel (except for soft links; for them it's partially in user
space, kind of: an application can check where it's linked to and is
free to ignore such a link; if it doesn't do that, then it's still in
the kernel).

> I figure with all malware the best thing to do is not catch it, use "safe
> computing" with condoms like SELinux enabled and screwed down even tighter
> than RHEL out of the box. I'm mostly musing about how it could be made more
> likely for "the usual tools" to discover the hacking. (And as noted I am
> bemused because this resembles several pieces of old Amiga malware.)

Well, this is one of the reasons why modern approaches such as Atomic
Host (http://www.projectatomic.io/ - there is a corresponding RHEL
version as well) have appeared. With these technologies, the host system
updates completely in a single step from one state to another, and all
your applications run in Docker containers; it's impossible for such an
infection to spread from one into another, so only a single application
would be affected. And - if you write your Dockerfiles properly - all
the system files in every container are immune to changes and additions,
i.e. you can change them if you've got privileges, but when you restart
the container for that application, all the changes would be reset.

That said, since not many use this technology yet, I suspect that
malware that explicitly targets its users might appear in the future, if
it is to become popular. Obviously it looks secure and everything, but
such major redesigns usually present some oversight which might be
exploited once people discover it. Which is possible in the future, at
least in theory. Still, it looks very secure against conventional
malware and rootkits and everything.

-- 

Vladimir
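The point above about soft links being "partially in user space" is that an application can inspect a path before trusting it: os.lstat() reports the final component as a link without following it, and opening with O_NOFOLLOW asks the kernel itself to refuse a link at that position. The following script is an added example, not part of the mailing-list post or of any project it mentions; it builds a constructed layout in temporary directories (one regular file, one symlink pointing outside the allowed tree) and runs the three checks a defender would combine. The function names and the ELOOP/EMLINK handling are this example's own choices.

```python
"""Added example: an application that refuses to follow symbolic links.

Not code from the list post.  Builds a constructed layout under temporary
directories and applies three checks: lstat() to detect a link, realpath()
containment to confine it, and O_NOFOLLOW so the kernel refuses the link.
"""
import errno
import os
import stat
import tempfile


def is_symlink(path):
    """True if the final path component is itself a symlink (lstat does not follow it)."""
    return stat.S_ISLNK(os.lstat(path).st_mode)


def resolves_inside(path, root):
    """True if path, with every link resolved, still lies under root."""
    real = os.path.realpath(path)
    root = os.path.realpath(root)
    return real == root or real.startswith(root + os.sep)


def open_nofollow(path):
    """Open path read-only, asking the kernel to refuse a symlink at the last component.

    Returns a file descriptor, or None when the kernel rejected the link
    (ELOOP on Linux; some BSDs report EMLINK).  Caller closes the descriptor.
    """
    try:
        return os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):
            return None
        raise


def demo():
    """Constructed layout: 'root' holds a regular file and a link escaping to 'outside'."""
    results = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as root:
        secret = os.path.join(outside, "secret.txt")      # constructed target outside root
        with open(secret, "w") as f:
            f.write("outside the allowed tree\n")
        regular = os.path.join(root, "config.txt")        # constructed legitimate file
        with open(regular, "w") as f:
            f.write("inside\n")
        link = os.path.join(root, "config.txt.bak")       # constructed escaping symlink
        os.symlink(secret, link)

        for name, p in (("regular", regular), ("link", link)):
            fd = open_nofollow(p)
            results[name] = {
                "is_symlink": is_symlink(p),
                "inside_root": resolves_inside(p, root),
                "nofollow_open_ok": fd is not None,
            }
            if fd is not None:
                os.close(fd)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The regular file passes all three checks; the link is flagged by lstat, fails the containment test, and is refused by the kernel at open time. Using O_NOFOLLOW is the check worth keeping even when the others are present, because it closes the window between the lstat() and the open() in which a link could be swapped in.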
