Yes. Offline is how a lot of rootkits are analyzed after the admin notices pecul... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		KZerda 21 days ago \| parent \| context \| favorite \| on: Singularity Rootkit: SELinux bypass and netlink fi... Yes. Offline is how a lot of rootkits are analyzed after the admin notices peculiar behavior. There are a lot of other tells that could be run online to find this rootkit though, most notably, its behavior with ftrace. Disabling ftrace, and then running a program that uses ftrace would tell right away that something's wrong.

bflesch 21 days ago [–]

Thanks. So for virtualized systems it would make sense to routinely clone the HDD and do such a comparison. Could easily be included in the backup software.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact