Dailydave mailing list archives
Re: Playing Ball
From: Matthew Wollenweber <mjw () cyberwart com>
Date: Thu, 10 Sep 2009 16:32:46 -0400
Dave,

My subscription to CANVAS isn't current, so I can't test this myself. But from previous experience, one of the biggest problems with rootkits is AV software. Many AV suites behave similarly to rootkits; thus, if you're trying to manipulate the same kernel object or hook, problems can quickly arise. Since you indicated testing was a major component, is there a data sheet listing Windows builds and AV bundles tested and the results? That would be quite helpful, as nothing is as embarrassing as bringing down an important server because AV and a rootkit battled it out until the box fell over.

On Thu, Sep 10, 2009 at 1:56 PM, dave <dave () immunityinc com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CANVAS release announcement: http://www.immunityinc.com/news-latest.shtml
>
> You can't have a penetration testing toolkit without a Windows rootkit. To that end, this month Immunity released HCN, the next generation of CANVAS Windows Kernel rootkits.
>
> People always underestimate how hard it is to write a rootkit. On one hand, it's like engineering. Specialized engineering, but engineering nonetheless. You aren't hunting down tiny gold nuggets the way you are with vulnerability finding and exploit development. But the testing is nightmarish. Writing a rootkit is like being able to stick a knife in someone, but in a way they can still play basketball afterwards. That's an expensive thing to do, and it's not something you do and then ever really call done.
>
> But the HCN Rootkit works across any Windows you care about, minus 64 bit for now. It can be set to call back to CANVAS, or simply used to hide another trojan of some kind.
>
> And in conclusion, commercially supported Windows rootkits are awesome.
>
> - -dave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkqpPbsACgkQtehAhL0ghepi+wCff8gdryQAVq9U+T3X3/y4K48A
> 8CcAn30IKYWC7XftAb6idmuJTGsOApVa
> =E/MR
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
--
Matthew Wollenweber
mjw () cyberwart com
204-753-0281