Full Disclosure mailing list archives

Re: Removing ShKit Root Kit


From: Nathan Bates <nathan.bates () wpni com>
Date: Tue, 23 Dec 2003 10:16:45 -0500

Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 04:24:08PM -0600)

OK, so how does the attacker get the ADS to run? If you open 
something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as an 
executable file. It's ignored.

A quick google shows:

        http://patriot.net/~carvdawg/docs/dark_side.html

If they're able to create the datastream in the first place, you'd think they'd be able to get it to run or
add it into the registry somewhere.  I'm not completely certain, but you shouldn't be able to see them in the
task list either.

Remember, the machine was formatted and reinstalled from clean media. 
However that ADS was called is now long gone...

If you're restoring from backup you may very well restore ADSs as well.  In the context of a fresh install and
rebuild, this would have no effect.  Unless of course you don't prevent the very vulnerability that allowed
the attacker access in the first place.

        Just my 2 cents,
        Nathan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
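Added example, not part of the original thread or of any tool it mentions: since restoring from backup can bring alternate data streams back with the files, a defender will want to enumerate them before trusting restored data. The script below is assumed to run on Windows PowerShell 5.1 or PowerShell 7 against an NTFS volume; it lists every named stream under a directory and flags streams whose first two bytes are "MZ" (a PE executable hidden in the stream). The function name Find-AlternateDataStream and the sample path are the author's own choices.

```powershell
# Added example (not from the original thread). Assumes NTFS and the -Stream
# parameter of Get-Item/Get-Content, available since PowerShell 3.0.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Get-Content dropped '-Encoding Byte' in PowerShell 6+; pick the right switch.
    $byteSwitch = if ($PSVersionTable.PSVersion.Major -ge 6) {
        @{ AsByteStream = $true }
    } else {
        @{ Encoding = 'Byte' }
    }

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every NTFS file carries the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $stream = $_
                    $isPE = $false
                    try {
                        # Peek at the first two bytes of the stream: 'MZ' (0x4D 0x5A) is the PE header.
                        $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                            -TotalCount 2 -ErrorAction Stop @byteSwitch
                        if ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
                            $isPE = $true
                        }
                    } catch {
                        # Unreadable stream (locked or permission denied); still report it.
                    }

                    [pscustomobject]@{
                        File     = $file.FullName
                        Stream   = $stream.Stream
                        Length   = $stream.Length
                        LooksPE  = $isPE
                    }
                }
        }
}

# Usage (sample path is constructed):
#   Find-AlternateDataStream -Path 'D:\restored-from-backup' |
#       Where-Object { $_.LooksPE -or $_.Length -gt 0 } |
#       Format-Table -AutoSize
```

Expect plenty of benign hits named Zone.Identifier (the mark-of-the-web that browsers and mail clients attach to downloads); the streams worth a second look are the ones with unfamiliar names, non-trivial sizes, or LooksPE set to True.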

