The Linux root kit includes Trojan code for login and ps
that allow an intruder to login through a "back door" and
hide their activities from system administrators. We have
traced use of this Trojan code as well as normal versions of
login and ps. One complication in comparing the two is that
the Trojan code with the Linux root kit is fairly old (last
edit date in 1993 for login, 1994 for ps). So there are
significant differences between the normal code these Trojan
programs were based on and the normal code that we use today,
in addition to the changes made to break in to a system.
In an effort to test more rigorously our ability to recognize
Trojan programs, we have created Trojan versions of login and
ps based on current versions, but including the modifications
used in the Linux root kit. We call these our "homegrown"
Trojan programs for login and ps to distinguish them from
the versions "recovered" from installations of the Linux
Data were collected on a single machine running a
version of the 2.0.35 Linux kernel which we have modified to
collect system call traces. The version of login used for
normal data and modified for our homegrown Trojan code is
from Red Hat util-linux-2.5.38. The version of ps used
for login and modified for our homegrown Trojan code is
from Red Hat procps v.1.01.
Use the Linux 4.2 mapping file for these traces.
There are 24 normal traces each for login and ps. However, half of
the login traces consist of a single system call each. These are
not very useful traces, but are included for completeness.
login normal data (08/28/98 - 09/18/98 and 09/22/98 - 09/25/98)
ps normal data
A number of traces have been collected from each version of the Trojan
code. Only some of these traces actually correspond to use of the
back door to break into the system, while others are from ordinary
users logging in in the usual fashion. However, ideally we would like
to detect the presence of such code as soon as possible, whether or not
it is being used in an actual intrusion at the time.
recovered Trojan login data (09/22/98)
homegrown Trojan login data (09/18/98)
recovered Trojan ps data
homegrown Trojan ps data