[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Removing ShKit Root Kit

To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Removing ShKit Root Kit
From: Nathan Bates <nbates@wpni.com>
Date: Mon, 22 Dec 2003 16:15:15 -0500

Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 02:12:53PM -0600)

[...]

> For Windows, if it's a backdoor that is named something.txt, well, 
> again, the attacker would have to find a way to rename that file and 
> execute it with appropriate permissions. Again, I imagine that if they 
> can do that, that they could find other ways of compromising your 
> machine as well.

Not if it's an Alternative Data Stream; you could launch it without any audit 
trail.  These are generally tied
to the main file, which could be anything (eg.  something.txt:trouble.exe).  
These aren't detectable without
specifically looking.  You can fairly easily execute an ADS without it showing 
in the task list and other
niceties.  I'm not certain if common BU utilities actually save ADSs.

        Regards,
        Nathan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Removing ShKit Root Kit
  - From: Brian Eckman <eckman@umn.edu>

References:
- RE: [Full-Disclosure] Removing ShKit Root Kit
  - From: "Schmehl, Paul L" <pauls@utdallas.edu>
- Re: [Full-Disclosure] Removing ShKit Root Kit
  - From: Brian Eckman <eckman@umn.edu>

Prev by Date: Re: [Full-Disclosure] Removing ShKit Root Kit
Next by Date: Re: [Full-Disclosure] Removing ShKit Root Kit
Previous by thread: Re: [Full-Disclosure] Removing ShKit Root Kit
Next by thread: Re: [Full-Disclosure] Removing ShKit Root Kit
Index(es):
- Date
- Thread