
Re: [Full-Disclosure] Removing ShKit Root Kit



Brian Eckman <eckman@umn.edu> wrote:
> What is a secure environment? If it was a secure environment, the 
> machine would not have been compromised. Period.

As we all know, nothing is 100% secure, so it can be compromised whether
in a highly secure environment or not.

> That might be a threat for those still running Office 97 or earlier. 
> Unless it's a signed macro from a trusted source. Unless I'm missing 
> something, Macros haven't been much of a threat since Office 2000 came 
> out (That was roughly four years ago if you aren't counting).

That was one of a million possible ways for the attacker to modify
any data to become malicious in a way or two.

> Regardless, is anyone reading Microsoft Word docs using Microsoft Office 
> on a system that is *that* critical that you absolutely cannot risk it 
> getting compromised again regardless of cost? If so, perhaps you need to 
> keep that machine off of a network.

If the compromised box was, for example, an FTP-Server holding many .doc,
.mpeg, .avi,... files? The attacker could make the trojan general, so
any workstation that will execute any of the "backup" files could get
compromised.

> For example, if it would take hundreds of hours to check the integrity 
> of all of the data or recreate it, that had better be one mission 
> critical database we're talking about, or else anybody in their right 
> mind won't think twice about accepting the risk of copying that data 
> back where it came from. Security isn't always ideal circumstances. Your 
> company still needs to make a profit.

I agree. I did not claim this to be possible for every environment.


-- 
Gino Thomas | mailto: g.thomas@nux-acid.org | http://nux-acid.org
GPG: E6EA9145 | 4578 F871 893E 1FEC 31FC 5B5E 8A46 4CC8 E6EA 9145
