-
July 6th, 2004, 10:03 PM
#11
It is naive to imagine you can tell what things are from their names. Does a Windows rootkit need to start up extra processes to be effective? No. Can it hide entirely from this type of tool? Yes.
If a machine has definitely been compromised, there is never any valid course of action which doesn't involve a reformat (and very careful restore from backups)
Slarty
-
July 6th, 2004, 10:31 PM
#12
Unlikely, yes. Naive, no. You give people more credit than I do.... I assume the skiddies are too lazy to make sure everything is properly hidden.
I have seen rootkits where modules are visible so that the person who put it there in the first place could find it again...
If a machine has definitely been compromised, there is never any valid course of action which doesn't involve a reformat (and very careful restore from backups)
Ditto, that was the advice given.
-
July 6th, 2004, 10:44 PM
#13
There are two types of "rootkit". There is a kernel-mode rootkit and a non-kernel-mode rootkit. A non-kernel rootkit subverts individual utilities such as netstat, cmd, etc. in such a way that certain things are ignored. So a subverted netstat would contain code that says
"IF listen_port = 12345 THEN NoPrint"
or cmd has a line of code that says
"IF dir_name = "Hackers stuff" THEN NoPrint".
So when you use the subverted tools they won't show you the things that would make you sit up and say "WTF is that?????" The same is done with Task Manager to hide processes etc..... It's quite insidious, and it's why one must use trusted tools from trusted media that is read only (hardware read only, not software) when you conduct a forensic investigation.
A kernel mode rootkit is even worse. The kernel itself is subverted. This means that anything can be hidden from any utility you want to run. Thus, in most cases, even trusted tools from trusted media are useless because they rely upon kernel functions to give them information.
In either case you are pretty much screwed if you have been rooted that deeply since the chances of being alerted to the compromise are slim to none even for high end users.
Even looking at the Task Manager is a waste of space in many compromises since each process listed there is made up of several "threads". The threads are not reported there and it isn't too far from trivial for a good coder to be able to attach a thread to a running process in such a way that it becomes hidden within it. There's a tool to list the running threads within each process but Google is down right now or I'd list it....... Sorry, memory failing..... It's either a Sysinternals utility or a Foundstone one, IIRC.
Hah.... so, there's PStat.exe for Windows XP and PsList from Sysinternals (memory, memory, memory)
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides