Re: [Full-Disclosure] Removing ShKit Root Kit
- To: Brian Eckman <eckman@umn.edu>
- Subject: Re: [Full-Disclosure] Removing ShKit Root Kit
- From: Gino Thomas <g.thomas@nux-acid.org>
- Date: Mon, 22 Dec 2003 21:02:42 +0100
Brian Eckman <eckman@umn.edu> wrote:
> Hmmm. Well, if the execute bit isn't set, then I'd assume it can be
> considered relatively safe. If the attacker can later find a way to
> chmod it and then execute it with the privileges needed to make it
> harmful, then I imagine that they could find other ways of
> compromising your machine as well.
>
> For Windows, if it's a backdoor that is named something.txt, well,
> again, the attacker would have to find a way to rename that file and
> execute it with appropriate permissions. Again, I imagine that if they
> can do that, that they could find other ways of compromising your
> machine as well.
The backdoor could for example be a nasty macro trojan placed in a .doc
that would later (most likely) be executed by a user and so do the dirty
work without remote interaction. Nothing to rename or execute. I agree
with Paul that data from a compromised system can't be trusted anymore;
regardless of what it is, it has to be checked for integrity or wiped (at
least in a secure environment).
regards
-gt
--
Gino Thomas | mailto: g.thomas@nux-acid.org | http://nux-acid.org
GPG: E6EA9145 | 4578 F871 893E 1FEC 31FC 5B5E 8A46 4CC8 E6EA 9145
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
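The integrity check the reply calls for, as an added example that is not part of the thread: files recovered from a compromised host are compared against a manifest taken before the compromise, and a file counts as suspect whether its content changed or only its mode bits did (the chmod case raised in the quoted message). The directory layout, file names and contents are constructed for the demo.

```python
"""
File-integrity check of recovered data against a known-good manifest.

Added example, not code from the mailing-list thread. It records a SHA-256
digest and the permission bits of every regular file under a root, then
diffs two such manifests. Mode bits are recorded so that a file whose
content is unchanged but which gained an execute bit is still reported.
"""
import hashlib
import os
import tempfile


def hash_file(path: str, chunk_size: int = 65536) -> str:
    """Return the SHA-256 hex digest of a file, read in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each regular file (path relative to root) to its digest and mode."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks and special files are skipped in this demo; a real
            # baseline would record them too.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode & 0o777
            manifest[rel] = {"sha256": hash_file(full), "mode": mode}
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences as added, removed, modified or mode_changed."""
    result = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            result["added"].append(rel)
        elif rel not in current:
            result["removed"].append(rel)
        else:
            if baseline[rel]["sha256"] != current[rel]["sha256"]:
                result["modified"].append(rel)
            if baseline[rel]["mode"] != current[rel]["mode"]:
                result["mode_changed"].append(rel)
    return result


def demo() -> dict:
    """Build a baseline, apply constructed post-baseline changes, diff them.

    Everything here is constructed: a temp directory, placeholder files, and
    three changes standing in for what a recovered disk might show relative
    to a pre-compromise manifest.
    """
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "report.doc"), "wb") as f:
            f.write(b"constructed document content\n")
        notes = os.path.join(root, "notes.txt")
        with open(notes, "wb") as f:
            f.write(b"constructed notes\n")
        os.chmod(notes, 0o644)
        baseline = build_manifest(root)

        # Constructed changes: one file rewritten, one gains an execute bit
        # with its content untouched, one new file appears.
        with open(os.path.join(docs, "report.doc"), "ab") as f:
            f.write(b"appended bytes\n")
        os.chmod(notes, 0o755)
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"\x00\x01")
        current = build_manifest(root)

        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The point of recording mode bits alongside the digest is that a content-only comparison would clear `notes.txt` as unchanged even though it became executable; anything reported in any of the four categories is treated as untrusted until reviewed or replaced from a known-good source.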