Dailydave mailing list archives

Administrivia


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 23 Feb 2005 12:00:14 -0500

Rootkit detection goes mainstream! :>

http://www.computerworld.com/securitytopics/security/story/0,10801,99843p2,00.html
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
Sysinternals says this:

"Can a Rootkit hide from RootkitRevealer?
It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer."

Probably an easier way would just be to detect the load of RootkitRevealer itself, and do something special just for it, like serve it a nice clean /dev/. Rootkits are, as Hoglund says, software filters. Let's go whitehats, it's been almost 4 hours, and it's time to update your rootkits! I think all the real rootkits already replace the raw disk images and hives with clean ones which is why a million sysadmins at .*.mil aren't going "hey!" this morning.

Speaking of filters, I've learned the hard way that you don't purchase refurbished hard drives, so today you may notice some changes in our hosting setup. After which, hopefully, you'll be able to log in and change your mailman subscription options. Immunity does have some cool new stuff coming out - one thing coming out Real Soon Now which is mostly for large companies, and another coming out in a few months that I think everyone will enjoy mightily. :>

Likewise, the Windows Exploitation training (2 days) on April 4th in NYC and the MSRPC training (April 6th, NYC), are coming along well, and we'll probably drop some of the new technology at one or the other of these. Sign up now by emailing admin [a+t] immunitysec.com! :>

-dave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
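The Sysinternals text quoted in the post describes cross-view detection: the tool compares what the high-level Windows API reports against what a raw parse of the volume and the Registry hives contains, and flags any entry that appears in one view but not the other. The following is an added example of that comparison written for this archive page; it is not RootkitRevealer's code nor anything from Immunity. Both "views" are constructed in-memory listings standing in for the API enumeration and the raw scan, and every path and size in them is made up. The second scenario illustrates the limitation the post raises: if a filter recognises the scanner and feeds it the same sanitised data on both paths, the comparison has nothing to report.

```python
"""Cross-view discrepancy detection (the RootkitRevealer idea), added example.

Two listings of the same namespace are compared: `api_view` stands in for what
the Win32 API / Registry API reports, `raw_view` for what an independent parse
of the NTFS volume and hive files reports. Anything present in only one view,
or present in both with different metadata, is a finding worth investigating.
All paths and sizes below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Entry:
    path: str   # file path or Registry key path, Windows-style
    size: int   # file size in bytes; 0 for Registry keys


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str   # "hidden-from-api" | "missing-on-disk" | "metadata-mismatch"
    detail: str


def cross_view_diff(api_view: Iterable[Entry], raw_view: Iterable[Entry]) -> List[Discrepancy]:
    """Return every difference between the API-level view and the raw view.

    Paths are compared case-insensitively because NTFS and the Registry are
    case-insensitive namespaces; results are sorted by path for stable output.
    """
    api = {e.path.lower(): e for e in api_view}
    raw = {e.path.lower(): e for e in raw_view}
    findings: List[Discrepancy] = []
    for key in sorted(set(api) | set(raw)):
        a, r = api.get(key), raw.get(key)
        if a is None:
            # Raw scan sees it, the API does not: classic rootkit hiding.
            findings.append(Discrepancy(r.path, "hidden-from-api", "present in raw scan only"))
        elif r is None:
            # API reports something the raw scan cannot find: also suspicious.
            findings.append(Discrepancy(a.path, "missing-on-disk", "reported by API only"))
        elif a.size != r.size:
            # Both see it, but a filter altered what the API returns.
            findings.append(Discrepancy(a.path, "metadata-mismatch",
                                        f"api size {a.size} != raw size {r.size}"))
    return findings


# Constructed sample data: what a filtered API shows vs. what the raw scan finds.
API_VIEW = [
    Entry(r"C:\Windows\System32\kernel32.dll", 700_000),
    Entry(r"C:\Users\admin\notes.txt", 1_200),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Beep", 0),
]
RAW_VIEW = API_VIEW[:1] + [
    Entry(r"C:\Users\admin\notes.txt", 1_300),                          # size filtered
    Entry(r"C:\Windows\System32\drivers\example_hidden.sys", 38_912),  # constructed
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Beep", 0),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\example_hidden", 0),  # constructed
]


def scan_sample() -> List[Discrepancy]:
    """Run the comparison over the constructed views above."""
    return cross_view_diff(API_VIEW, RAW_VIEW)


def scan_sample_with_consistent_filter() -> List[Discrepancy]:
    """Scenario from the post: a filter that sanitises the raw reads as well.

    When the scanner is fed the same cleaned data on both paths, the two views
    agree and cross-view detection reports nothing. The defence is to make the
    raw view genuinely independent (e.g. read from offline media or a known-good
    boot environment) rather than through the possibly-filtered running kernel.
    """
    return cross_view_diff(API_VIEW, API_VIEW)


if __name__ == "__main__":
    for d in scan_sample():
        print(f"{d.kind:18} {d.path}  ({d.detail})")
    print("consistent filter ->", scan_sample_with_consistent_filter())
```

Run as a script it prints the three findings from the constructed data; `scan_sample_with_consistent_filter()` returns an empty list, which is the blind spot the post is pointing at.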
