Hi jdow!

On 2016.09.07 at 19:18:32 -0700, jdow wrote next:

> Is the part of the filesystem which handles links in kernel space or user
> space? That would make a great deal of difference as this rootkit tool

In kernel (except for soft links; for them it's partially in user space, kind of: an application can check where it's linked to and is free to ignore such a link; if it doesn't do that, then it's still in kernel).

> I figure with all malware the best thing to do is not catch it, use "safe
> computing" with condoms like SELinux enabled and screwed down even tighter
> than RHEL out of the box. I'm mostly musing about how it could be made more
> likely for "the usual tools" to discover the hacking. (And as noted I am
> bemused because this resembles several pieces of old Amiga malware.)

Well, this is one of the reasons why modern approaches such as atomic host (http://www.projectatomic.io/ - there is a corresponding RHEL version as well) have appeared. With these technologies, the host system updates completely in a single step from one state to another, and all your applications run in docker containers; it's impossible for such an infection to spread from one into another, so only a single application would be affected. And - if you write your dockerfiles properly - all the system files in every container are immune to changes and additions, i.e. you can change them if you've got privileges, but when you restart the container for that application, all the changes are reset.

That said, since not many use this technology yet, I suspect that malware that explicitly targets its users might appear in the future, if it is to become popular. Obviously it looks secure and everything, but such major redesigns usually present some oversight which might be exploited once people discover it. Which is possible in the future, at least in theory. Still, it looks very secure against conventional malware and rootkits and everything.

--
Vladimir