Full Disclosure mailing list archives

Re: Microsoft GhostBuster Opinions


From: Valdis.Kletnieks () vt edu
Date: Thu, 17 Mar 2005 13:42:35 -0500

On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:

    Also, this is not just like tripwire.  If the kernel is compromised 
and reporting false data to tripwire then tripwire can run along merrily 
thinking everything's great.  This is why booting to a trusted kernel 
is important for the process.  Exploiting Software by Hoglund and McGraw 
has a discussion on these types of rootkits.  Tripwire, however, does 
great at detecting other sorts of intrusions.

Actually, the "prior art" *is* tripwire.  If you run tripwire on the live
system, then run it while booted from a CD, and they produce different
results, you have a problem.

And that's what they're doing by doing a 'dir /a /s' on the live system,
then booting the Windows PE CD, and looking for differences....


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
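The cross-view comparison the message describes (a `dir /a /s` taken on the live system against one taken after booting the WinPE CD) can be scripted once both listings are saved to text files. The following is an added example, not code from the original post, from Microsoft's tool, or from Tripwire: it parses the two listings, then reports paths the offline boot sees but the live kernel did not show, which is the signal a kernel-level file-hiding rootkit would produce. The two listings embedded below are constructed sample output (the `hidden_by_rootkit.*` names are placeholders), and the example assumes both scans used the same drive letter; a real WinPE boot may assign a different one, so strip the drive prefix before comparing in that case.

```python
"""Cross-view diff of two `dir /a /s` listings: live system vs. WinPE boot.
Added example; not part of the original post or of any vendor tool."""
import re
from typing import Dict, Set, Tuple

# Entry lines of `dir /a /s`, e.g.
#   01/10/2005  10:15 AM           120,832 kernel32.dll
#   03/17/2005  09:00 AM    <DIR>          drivers
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>[\d,]+))\s+(?P<name>.+?)\s*$"
)
DIR_HEADER_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")


def parse_dir_listing(text: str) -> Dict[str, Tuple[str, int]]:
    """Map each full path (lower-cased) to ('file', size) or ('dir', 0).
    Volume banners, per-directory summary counts and '.'/'..' are skipped."""
    entries: Dict[str, Tuple[str, int]] = {}
    current = None
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current = header.group("path").rstrip("\\")
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue
        name = m.group("name")
        if name in (".", ".."):
            continue
        full = f"{current}\\{name}".lower()
        if m.group("dir"):
            entries[full] = ("dir", 0)
        else:
            entries[full] = ("file", int(m.group("size").replace(",", "")))
    return entries


def cross_view_diff(live: Dict[str, Tuple[str, int]],
                    offline: Dict[str, Tuple[str, int]]) -> Dict[str, Set[str]]:
    """'hidden': seen from the trusted boot but absent from the live view (the
    GhostBuster signal).  'live_only': present live but not offline, normally
    churn such as temp files written after the live scan.  'size_mismatch':
    files in both views whose reported sizes differ (worth a closer look)."""
    both = set(live) & set(offline)
    return {
        "hidden": set(offline) - set(live),
        "live_only": set(live) - set(offline),
        "size_mismatch": {p for p in both
                          if live[p][0] == offline[p][0] == "file"
                          and live[p][1] != offline[p][1]},
    }


# Constructed sample listings (not real scan output).
LIVE_LISTING = r"""
 Volume in drive C has no label.

 Directory of C:\Windows\System32

03/17/2005  09:00 AM    <DIR>          .
03/17/2005  09:00 AM    <DIR>          ..
03/17/2005  09:00 AM    <DIR>          drivers
01/10/2005  10:15 AM           120,832 kernel32.dll
03/17/2005  01:40 PM             4,096 tmp1234.tmp
               2 File(s)        124,928 bytes

 Directory of C:\Windows\System32\drivers

03/17/2005  09:00 AM    <DIR>          .
03/17/2005  09:00 AM    <DIR>          ..
01/10/2005  10:15 AM            51,200 ntfs.sys
               1 File(s)         51,200 bytes
"""

OFFLINE_LISTING = r"""
 Directory of C:\Windows\System32

03/17/2005  09:00 AM    <DIR>          .
03/17/2005  09:00 AM    <DIR>          ..
03/17/2005  09:00 AM    <DIR>          drivers
01/10/2005  10:15 AM           120,832 kernel32.dll
03/16/2005  11:59 PM            28,672 hidden_by_rootkit.exe
               2 File(s)        149,504 bytes

 Directory of C:\Windows\System32\drivers

03/17/2005  09:00 AM    <DIR>          .
03/17/2005  09:00 AM    <DIR>          ..
01/10/2005  10:15 AM            51,200 ntfs.sys
03/16/2005  11:59 PM             8,192 hidden_by_rootkit.sys
               2 File(s)         59,392 bytes
"""

if __name__ == "__main__":
    diff = cross_view_diff(parse_dir_listing(LIVE_LISTING),
                           parse_dir_listing(OFFLINE_LISTING))
    for bucket, paths in diff.items():
        for p in sorted(paths):
            print(f"{bucket:14} {p}")
```

Only the `hidden` bucket is the rootkit indicator; `live_only` is expected on any busy system (the sample `tmp1234.tmp` illustrates that), which is why a run should be scored by the offline-only paths rather than by the raw size of the diff.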
