Hugh Pickens writes "Professor Avishai Wool has unveiled a program to watch for malware on servers with a modification to the Linux kernel. 'We modified the kernel in the system's operating system so that it monitors and tracks the behavior of the programs installed on it,' says Wool. Essentially, Wool says, his software team has built a model that predicts how software running on a server should work (pdf). If the kernel senses abnormal activity, it stops the program from working before malicious actions occur. 'When we see a deviation, we know for sure there's something bad going on,' Wool explains. Wool cites problems with costly anti-virus protection. 'Our methods are much more efficient and don't chew up the computer's resources.'"
Here’s a really quick way to find out if your “ps” binary has been compromised:
# ls -d /proc/[0-9]* | wc -l ; ps -e -o pid= | wc -l   # count the PID directories in /proc, then the PIDs ps reports (no header line)
The commands above are going to show you two numbers: the first one is the number of running processes according to your kernel and the second one is the number of running processes according to your “ps” binary.
If the second one differs from the previous one, something is wrong and this could mean your “ps” binary was compromised. If this happens to you, maybe your system is not a trusted system anymore.
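The /proc-versus-ps comparison from the post above, extended into a short POSIX shell script that reports the individual PIDs present in /proc but absent from ps output, rather than only comparing two counts. This is an added example and not code from the original post; the function names (compare_pid_lists, proc_pids, ps_pids, hidden_from_ps) are its own, and it assumes a Linux /proc and a ps that accepts `-e -o pid=`.

```shell
#!/bin/sh
# Added example: list PIDs the kernel exposes in /proc that ps does not report.
# Function names are this example's own; assumes Linux /proc and POSIX ps.

# compare_pid_lists PROC_PIDS PS_PIDS
# Both arguments are newline-separated PID lists. Prints every PID that is in
# PROC_PIDS but not in PS_PIDS, in the order it appears in PROC_PIDS.
compare_pid_lists() {
    printf '%s\n' "$2" "---" "$1" | awk '
        $0 == "---"               { in_proc = 1; next }  # separator between the two lists
        !in_proc                  { seen[$1] = 1; next } # first block: PIDs ps reported
        $1 != "" && !($1 in seen) { print $1 }           # second block: PIDs only /proc has
    '
}

# proc_pids: the kernel's own view, one numeric directory per process.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue      # glob matched nothing, or entry vanished
        echo "${d#/proc/}"
    done
}

# ps_pids: what the ps binary claims; "-o pid=" suppresses the header line.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_from_ps: PIDs present in /proc but missing from ps, re-checked against
# /proc so that processes that merely exited between the two snapshots are dropped.
hidden_from_ps() {
    proc_snapshot=$(proc_pids)
    ps_snapshot=$(ps_pids)
    for p in $(compare_pid_lists "$proc_snapshot" "$ps_snapshot"); do
        [ -d "/proc/$p" ] || continue
        echo "$p"
    done
}

# Live check on the host being inspected (skipped quietly where ps is absent).
# No output means ps and the kernel agree; any PID printed deserves a closer
# look at its /proc/<pid>/exe, cmdline and status entries.
if command -v ps >/dev/null 2>&1; then
    hidden_from_ps
fi
```

The re-check loop in hidden_from_ps is what keeps a busy server from producing false positives: a short-lived process that exits between the /proc listing and the ps run shows up in the first snapshot only, so the script confirms the PID still exists before reporting it. Because ps itself reads /proc, this comparison only catches a modified ps binary in userland; a kernel-level modification that hides a process from /proc hides it from both sides and needs a different check.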
