StMichael is a LKM that attempts to provide a level of protection against kernel-module rootkits. It provides this protection by monitoring various portions of the kernel, and optionally the entire kernel text itself, for modifications that may indicate the presence of a malicious kernel module.
If rootkit-like activity is detected, StMichael will attempt to recover the kernel's integrity by rolling back the changes made to a previously known-good state.
The following is a brief list of the capabilities of the StMichael kernel module:
* Can generate and check MD5, and optionally SHA1, checksums of various kernel data structures, such as the system call table and filesystem callout structures.
* Can checksum (MD5 only) the base kernel, and detect modifications to the kernel text such as would occur during a Silvio-type attack.
* Can back up a copy of the kernel, storing it in a weakly encrypted form, for later restoration if a catastrophic kernel compromise is detected.
* Can detect the presence of simplistic kernel rootkits upon loading.
* Can modify the Linux kernel to protect immutable files from having their immutable attribute removed.
* Can disable write-access to kernel memory through the /dev/kmem device.
* Can conceal the StMichael module and its symbols.
* Can monitor kernel modules being loaded and unloaded to detect attempts to conceal the module and its symbols, and attempt to 'reveal' the hidden module.
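The monitor-and-roll-back loop described above (baseline checksum of a kernel table, periodic re-check, restoration from a known-good copy) can be shown in a small user-space simulation. The following is an added example, not StMichael's own code: the eight-entry `sys_call_table` array, the `legit_handler` and `hooked_handler` functions, and the `simulate_tamper` helper are all constructed for the demo, and a 64-bit FNV-1a hash stands in for the MD5/SHA1 checksums the module actually computes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's sys_call_table: a small array of
 * handler pointers living in user space, so the logic can run anywhere. */
#define NR_CALLS 8
typedef long (*syscall_fn)(long);
static syscall_fn sys_call_table[NR_CALLS];

/* Known-good copy and baseline checksum, both taken when the monitor "loads". */
static syscall_fn known_good[NR_CALLS];
static uint64_t baseline_sum;

/* FNV-1a (64-bit) is used here only as a compact stand-in for the MD5/SHA1
 * checksums StMichael computes; the detection logic does not depend on it. */
static uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constructed handlers: the legitimate one and a stand-in for a hooked entry. */
static long legit_handler(long arg) { return arg + 1; }
static long hooked_handler(long arg) { return -arg; }

/* Fill the table with legitimate handlers (what the kernel would have done). */
void table_init(void)
{
    for (int i = 0; i < NR_CALLS; i++)
        sys_call_table[i] = legit_handler;
}

/* Record the known-good state: a full copy for rollback plus its checksum. */
void integrity_snapshot(void)
{
    memcpy(known_good, sys_call_table, sizeof sys_call_table);
    baseline_sum = fnv1a64(sys_call_table, sizeof sys_call_table);
}

/* Periodic check: recompute the checksum; on mismatch, find every entry that
 * differs from the known-good copy, roll it back, and report the count. */
int integrity_check(void)
{
    if (fnv1a64(sys_call_table, sizeof sys_call_table) == baseline_sum)
        return 0;  /* fast path: nothing changed */

    int restored = 0;
    for (int i = 0; i < NR_CALLS; i++) {
        if (sys_call_table[i] != known_good[i]) {
            fprintf(stderr, "entry %d modified, rolling back\n", i);
            sys_call_table[i] = known_good[i];
            restored++;
        }
    }
    return restored;
}

/* Test helper: overwrite one entry the way a hooking module would. */
void simulate_tamper(int idx)
{
    if (idx >= 0 && idx < NR_CALLS)
        sys_call_table[idx] = hooked_handler;
}

int main(void)
{
    table_init();
    integrity_snapshot();
    printf("clean check: %d entries restored\n", integrity_check());
    simulate_tamper(3);
    printf("after tamper: %d entries restored\n", integrity_check());
    printf("re-check: %d entries restored\n", integrity_check());
    return 0;
}
```

The snapshot must be taken before any untrusted module can load, otherwise a pre-existing hook becomes part of the "known-good" baseline; this is why the capability list above pairs the checksums with a rootkit check at load time. A real monitor should also use a cryptographic hash rather than FNV-1a, since a non-cryptographic hash can be matched deliberately by an attacker who controls the table contents.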