Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: Graham Toal <gtoal () UTPA EDU>
Date: Wed, 28 Jun 2006 13:36:06 -0500

On Tue, 27 Jun 2006 09:42:14 EDT, Caroline Couture said:
How would you do this kind of scan? Would you have the computer on the
network and scan the IP with nmap, or do something else so the computer
is not live on the network?

I'd configure their port 'down' at the switch end of the 
cable, and then unplug the cat-5 at the system end, and 
replace it with a crossover cable connected to a laptop 
that's been ifconfig'ed to appear to be on the subnet the 
computer was on, and then launch the nmap from the laptop.

You know, I have always wondered why the hackers weren't smart enough
to put a firewall on their backdoor ports so that they could only
be accessed (or detected) from specific addresses owned by the
hackers. (I.e. so we couldn't find them in a scan).

Then I realised, for all we know, they already are :-(

However with the degree of campus, corporate and home firewalling
nowadays, it's no longer productive for backdoors to be implemented
using call-in ports.  That's why they all connect to IRC C&C servers
and take commands on the return channel.  It's also why botted systems
are relatively easy to detect.  Once they get wise to that and start
using some popular and legitimate web site for their C&C, over SSL,
I think it'll be game over for the good guys.  The balance of technology
is always in favour of the bad guys, as long as we don't get draconian
about privacy.  And if we ever do, we've still lost, because the bad
guys will be us.


G
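The point above, that bots which call out to an IRC C&C server are comparatively easy to spot, can be illustrated with a small detection pass over connection logs. This is an added example, not code from the list thread or from any poster; it assumes a constructed flow-log format of "epoch src_ip dst_ip dst_port proto" and treats the standard IRC ports 6667 and 6697 as the indicator. The sample log is constructed too. Note how the host talking to a web site on port 443 is not flagged at all, which is exactly the blind spot the post anticipates once C&C moves to legitimate sites over SSL.

```python
"""Flag internal hosts that repeatedly open outbound IRC sessions.

Added example for the mailing-list discussion above (not from the thread).
Log format is an assumption: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>".
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Standard IRC ports: plaintext and IRC-over-TLS (assumption: no non-standard ports).
IRC_PORTS = {6667, 6697}

# RFC 1918 ranges stand in for "our campus" (assumption). Explicit networks are used
# rather than ip_address().is_private, because Python also marks the documentation
# ranges used below (192.0.2.0/24 etc.) as private.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample: one host polling an IRC server, one host talking HTTPS to a
# web site, one single IRC session (probably a human), and one inbound SSH flow.
SAMPLE_LOG = """\
1151500000 10.20.30.40 192.0.2.10 6667 tcp
1151500300 10.20.30.40 192.0.2.10 6667 tcp
1151500600 10.20.30.40 192.0.2.10 6667 tcp
1151500900 10.20.30.40 192.0.2.10 6667 tcp
1151500010 10.20.30.41 192.0.2.20 443 tcp
1151500310 10.20.30.41 192.0.2.20 443 tcp
1151500610 10.20.30.41 192.0.2.20 443 tcp
1151500020 10.20.30.42 198.51.100.5 6667 tcp
1151500030 203.0.113.5 10.20.30.40 22 tcp
"""


def parse_flows(text):
    """Parse log lines into (epoch, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((int(ts), src, dst, int(port), proto.lower()))
    return flows


def is_internal(ip):
    """True if the address falls in one of our internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_irc_bots(flows, min_sessions=3):
    """Return {src_ip: [(dst_ip, port, session_count), ...]} for internal hosts
    that opened at least min_sessions outbound TCP connections to an IRC port
    on the same external server. The threshold separates a bot that keeps
    reconnecting to its C&C from a person opening one IRC session."""
    counts = Counter()
    for _ts, src, dst, port, proto in flows:
        # Only outbound TCP from inside to outside is of interest.
        if proto != "tcp" or not is_internal(src) or is_internal(dst):
            continue
        if port in IRC_PORTS:
            counts[(src, dst, port)] += 1

    suspects = defaultdict(list)
    for (src, dst, port), n in sorted(counts.items()):
        if n >= min_sessions:
            suspects[src].append((dst, port, n))
    return dict(suspects)


if __name__ == "__main__":
    for host, servers in find_irc_bots(parse_flows(SAMPLE_LOG)).items():
        for dst, port, n in servers:
            print(f"{host} -> {dst}:{port} ({n} sessions): possible IRC-controlled bot")
```

On the sample log only 10.20.30.40 is reported. The HTTPS host is invisible to this port-based rule, so in practice this check belongs alongside flow-volume and periodicity analysis rather than standing alone.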
