[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Removing ShKit Root Kit
- To: Nathan Bates <nbates@wpni.com>
- Subject: Re: [Full-Disclosure] Removing ShKit Root Kit
- From: Brian Eckman <eckman@umn.edu>
- Date: Mon, 22 Dec 2003 16:24:08 -0600
Nathan Bates wrote:
Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 02:12:53PM -0600)
[...]
For Windows, if it's a backdoor that is named something.txt, well,
again, the attacker would have to find a way to rename that file and
execute it with appropriate permissions. Again, I imagine that if they
can do that, that they could find other ways of compromising your
machine as well.
Not if it's an Alternative Data Stream; you could launch it without any audit
trail. These are generally tied
to the main file, which could be anything (eg. something.txt:trouble.exe).
These aren't detectable without
specifically looking. You can fairly easily execute an ADS without it showing
in the task list and other
niceties. I'm not certain if common BU utilities actually save ADSs.
OK, so how does the attacker get the ADS to run? If you open
something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as an
executable file. It's ignored.
Remember, the machine was formatted and reinstalled from clean media.
However that ADS was called is now long gone...
Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html