On Tuesday 15 May 2007, Dan Farrell wrote about 'Re: [gentoo-user] Managing my kernel':
> On Tue, 15 May 2007 09:21:17 +0200
> Etaoin Shrdlu wrote:
> > On Tuesday 15 May 2007 03:57, Dan Farrell wrote:
> > > On Tue, 15 May 2007 12:33:22 +1200
> > > Mark Kirkwood wrote:
> > > > 2/ disables loadable modules completely
> > >
> > > But Why? What's the benefit?
> >
> > [S]ome rootkits
> > use LKMs, and removing loadable modules support might help to prevent
> > such attacks.
>
> I'd never heard of LKM rootkits, although the
> concept is I suppose a good one, as far as defeating security goes. I
> must say I'm not going to start worrying about it, but point taken

The (GPL'd) rootkit I was able to look at didn't even use LKMs; it simply patched the kernel live via /proc/kcore. The version I saw probably wouldn't work anymore, but LKMs aren't the only way a rootkit can take hold.

-- 
Boyd Stephen Smith Jr.
bss03@volumehost.net
ICQ: 514984 YM/AIM: DaTwinkDaddy
http://iguanasuicide.org/
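The point of the reply above, turned into a kernel-config audit: this is an added example, not part of the original message, that reports which of the interfaces discussed in the thread are still compiled in when module support is off. The function names and the sample config are constructed for illustration, and `DEVKMEM` is an extra option checked here that the thread does not name.

```shell
#!/bin/sh
# Added example: audit a kernel .config for live-patching entry points.

# Print "y", "m" or "off" (unset or absent) for one option.
# $1 = config file, $2 = option name without the CONFIG_ prefix
kconfig_state() {
    val=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-off}"
}

# Print one line per option that is still enabled.
# MODULES and PROC_KCORE come from the thread; DEVKMEM is an assumption
# added here (the raw kernel-memory device), not something the thread names.
audit_kconfig() {
    for opt in MODULES PROC_KCORE DEVKMEM; do
        state=$(kconfig_state "$1" "$opt")
        if [ "$state" != off ]; then
            echo "enabled: CONFIG_$opt=$state"
        fi
    done
    return 0
}

# Constructed sample: module support is off, the other interfaces are not.
write_sample_config() {
    cat <<'EOF'
# CONFIG_MODULES is not set
CONFIG_MODULES_USE_ELF_RELA=y
CONFIG_PROC_KCORE=y
CONFIG_DEVKMEM=y
EOF
}

sample=$(mktemp)
write_sample_config > "$sample"
audit_kconfig "$sample"
rm -f "$sample"
```

To audit a real tree, pass the path of its `.config` to `audit_kconfig` instead of the constructed sample.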