Full Disclosure mailing list archives
RE: Removing ShKit Root Kit
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 22 Dec 2003 18:58:00 -0600
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Brian Eckman
Sent: Monday, December 22, 2003 4:24 PM
To: Nathan Bates
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Removing ShKit Root Kit

OK, so how does the attacker get the ADS to run? If you open something.txt in Notepad, it doesn't launch the ADS 'trouble.exe' as an executable file. It's ignored. Remember, the machine was formatted and reinstalled from clean media. However that ADS was called is now long gone...
Until you restored it from backup. Formatting and reinstalling the OS is only half the battle. If you restore the data that was on the compromised disk, you cannot possibly guarantee its integrity unless you did checksums on every file prior to the compromise, can you?

There's an assumption going on here - that it's not possible to compromise "data" in ways that could endanger a machine. Yet some have already suggested possibilities - ADS, accounts in databases and other types of software that have their own account mechanisms, macros in documents, etc., etc.

All an attacker needs is a way to begin the process - something that the user would execute - like, say, an email message? Then the code can be hidden inside existing files and reassembled by the stub that began the process. Many "modern" viruses begin with a small executable that then fetches the rest of the code, "compiles" it and bam, you're compromised again.

Folks were asking these same questions before the first macro virus came along, weren't they? Didn't we, at one time, think it wasn't possible to send a virus through email without using attachments that users had to launch? Yet all these have proven wrong. Haven't we seen the use of tftp and tunneled http to "get" those pieces needed to complete the process of compromise?

As someone tasked with security in an organization, why should we make assumptions about *anything* that existed on a compromised box?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
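The pre-compromise checksum baseline Paul refers to, as an added example that is not part of the original thread: a manifest of SHA-256 digests taken from the known-good tree, then used to classify every file in a restored tree as unchanged, modified, missing or unknown before anything from the backup is trusted again. The file names and contents are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    """Digest a file's default data stream in chunks (does not see NTFS alternate streams)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file (path relative to root) to its digest; run this BEFORE a compromise."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(root, manifest):
    """Compare a restored tree against the trusted manifest and bucket every path."""
    current = build_manifest(root)
    result = {"unchanged": [], "modified": [], "missing": [], "unknown": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)      # present at baseline, gone now
        elif current[rel] != digest:
            result["modified"].append(rel)     # content changed since baseline
        else:
            result["unchanged"].append(rel)
    result["unknown"] = sorted(set(current) - set(manifest))  # never baselined: treat as untrusted
    return result

def demo():
    """Constructed scenario: baseline a tree, then restore a tree that carries post-baseline changes."""
    tmp = Path(tempfile.mkdtemp())
    try:
        (tmp / "docs").mkdir()
        (tmp / "docs" / "report.doc").write_bytes(b"quarterly report")
        (tmp / "notes.txt").write_bytes(b"meeting notes")
        (tmp / "readme.txt").write_bytes(b"read me")
        manifest = build_manifest(tmp)                       # taken while the box was clean
        (tmp / "docs" / "report.doc").write_bytes(b"quarterly report + macro")  # altered document
        (tmp / "dropper.exe").write_bytes(b"MZ constructed")  # file that was never in the baseline
        (tmp / "notes.txt").unlink()                          # file that disappeared
        return verify_restore(tmp, manifest)
    finally:
        shutil.rmtree(tmp)
```

On NTFS the digest above covers only each file's default stream, so a manifest that must also catch alternate data streams has to enumerate and hash those streams separately.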