• More sinister, devious, and nasty than traditional RootKits
• Operating system kernel is replaced by a Trojan horse kernel that appears to be well-behaved but in actuality is rotten to the core
• Critical system files such as ls, ps, du, ifconfig are left unmodified
• Trojanized kernel can intercept system calls and run another application chosen by the attacker
  – Execution request to run /bin/login is mapped to /bin/backdoorlogin
  – Tripwire checks only the system files, which remain unaltered
• If the kernel cannot be trusted, nothing on the system can be trusted
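
A defender's cross-check for the redirection described above, as an added example that is not part of the original slides: it launches a program and compares the path that was requested with the image the kernel reports in /proc/<pid>/exe, hashing both views. The function names and the sample target are assumptions; the check is Linux-only, and because it asks the running kernel, a trojanized kernel that also falsifies /proc would defeat it, which is the point of the last bullet.

```python
import hashlib
import os
import subprocess
import sys


def sha256_of(path):
    """Hash a file in chunks; works for /proc/<pid>/exe as well as normal paths."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_redirected(requested, actual):
    """True when the image the kernel mapped is not the file that was requested."""
    return os.path.realpath(requested) != actual


def check_exec(argv):
    """Run argv[0] and compare the requested file with the image actually executing."""
    requested = os.path.realpath(argv[0])
    # Popen returns only after the child's exec has succeeded, so
    # /proc/<pid>/exe already names the program image, not this interpreter.
    child = subprocess.Popen(argv, stdout=subprocess.DEVNULL,
                             stderr=subprocess.DEVNULL)
    try:
        proc_exe = f"/proc/{child.pid}/exe"
        actual = os.readlink(proc_exe)
        return {
            "requested": requested,
            "actual": actual,
            "redirected": is_redirected(requested, actual),
            # Tripwire-style view (hash by path) vs. hash of the mapped image.
            "hash_match": sha256_of(requested) == sha256_of(proc_exe),
        }
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    # Constructed sample target: this Python interpreter, kept alive briefly.
    print(check_exec([sys.executable, "-c", "import time; time.sleep(30)"]))
```

A target that is a script with a `#!` line reports its interpreter as the image, so run the check against native binaries only.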