Full Disclosure mailing list archives
Re: Microsoft GhostBuster Opionions
From: Valdis.Kletnieks () vt edu
Date: Thu, 17 Mar 2005 13:42:35 -0500
On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
> Also, this is not just like tripwire. If the kernel is compromised and reporting false data to tripwire then tripwire can run along merrily thinking everything's great. This is why booting to a trusted kernel is important for the process. Exploiting Software by Hoglund and McGraw has a discussion on these types of rootkits. Tripwire, however, does great at detecting other sorts of intrusions.
Actually, the "prior art" *is* tripwire. If you run tripwire on the live system, then run it while booted from a CD, and they produce different results, you have a problem. And that's what they're doing by doing a 'dir /a /s' on the live system, then booting the Windows PE CD, and looking for differences....
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
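The cross-view check Valdis describes (a 'dir /a /s' taken on the live system, the same listing taken after booting the Windows PE CD, then a diff) is simple enough to script. The following is an added example, not code from the thread or from Microsoft's tool: it parses two captured 'dir /a /s' outputs, strips the drive letter (the system volume usually mounts under a different letter in WinPE), and reports files the live kernel did not show, files only the live view showed, and files whose reported size differs. The two listings are constructed samples in US-locale 'dir' format, the rootkit-hidden 'hidden.sys' and the size-lying 'hooked.dll' are invented, and the EXPECTED_NOISE allowlist is an assumption you would tune per environment.

```python
import re

# Constructed sample: "dir /a /s" captured on the live (possibly rootkitted) system.
LIVE_LISTING = r"""
 Volume in drive C has no label.

 Directory of C:\Windows\system32

03/17/2005  09:12 AM    <DIR>          .
03/17/2005  09:12 AM    <DIR>          ..
03/17/2005  09:12 AM    <DIR>          drivers
03/01/2005  08:00 AM           102,400 hooked.dll
03/01/2005  08:00 AM            61,440 kernel32.dll
               2 File(s)        163,840 bytes

 Directory of C:\Windows\system32\drivers

03/17/2005  09:12 AM    <DIR>          .
03/17/2005  09:12 AM    <DIR>          ..
03/01/2005  08:00 AM            20,480 ntfs.sys
               1 File(s)         20,480 bytes
"""

# Constructed sample: the same volume listed after booting the WinPE CD.
# It is mounted as D: there, which is why the drive letter is ignored below.
OFFLINE_LISTING = r"""
 Volume in drive D has no label.

 Directory of D:\Windows\system32

03/17/2005  09:12 AM    <DIR>          .
03/17/2005  09:12 AM    <DIR>          ..
03/17/2005  09:12 AM    <DIR>          drivers
03/01/2005  08:00 AM           110,592 hooked.dll
03/01/2005  08:00 AM            61,440 kernel32.dll
               2 File(s)        172,032 bytes

 Directory of D:\Windows\system32\drivers

03/17/2005  09:12 AM    <DIR>          .
03/17/2005  09:12 AM    <DIR>          ..
03/16/2005  11:59 PM             8,192 hidden.sys
03/01/2005  08:00 AM            20,480 ntfs.sys
               2 File(s)         28,672 bytes
"""

# Paths that legitimately differ between a running and an offline view
# (assumed allowlist; extend with your own temp/log locations).
EXPECTED_NOISE = {r"\pagefile.sys", r"\hiberfil.sys"}

DIR_HEADER = re.compile(r"^ Directory of (?P<path>.+?)\s*$")
# US-locale "dir" entry: date, time, <DIR>/<JUNCTION>/size-with-commas, name.
ENTRY = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|<JUNCTION>|<SYMLINKD?>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


def strip_drive(path):
    """'C:\\Windows' -> '\\windows', so a volume remounted as D: in WinPE still matches."""
    if len(path) >= 2 and path[1] == ":":
        path = path[2:]
    return path.lower()


def parse_dir_listing(text):
    """Return {path_without_drive: size_in_bytes_or_None_for_directories}."""
    entries = {}
    current = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current = strip_drive(header.group("path")).rstrip("\\")
            continue
        entry = ENTRY.match(line)
        if not entry or current is None:
            continue
        name = entry.group("name")
        if name in (".", ".."):
            continue
        raw = entry.group("size")
        size = None if raw.startswith("<") else int(raw.replace(",", ""))
        entries[current + "\\" + name.lower()] = size
    return entries


def compare_views(live, offline):
    """Cross-view diff: the offline (trusted-kernel) listing is the reference."""
    hidden = sorted(p for p in offline if p not in live and p not in EXPECTED_NOISE)
    only_live = sorted(p for p in live if p not in offline and p not in EXPECTED_NOISE)
    mismatch = sorted(p for p in live if p in offline and live[p] != offline[p])
    return {"hidden_from_live": hidden, "only_in_live": only_live, "size_mismatch": mismatch}


if __name__ == "__main__":
    report = compare_views(parse_dir_listing(LIVE_LISTING), parse_dir_listing(OFFLINE_LISTING))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}: {path}")
```

Anything in "hidden_from_live" is what a kernel-level rootkit would be hiding and is the finding the technique exists for; "only_in_live" is usually shutdown-time cleanup of temp files and needs triage rather than alarm. The same lying kernel defeats tripwire run on the live box, which is why the offline listing, not the live one, is the reference here.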
Current thread:
- Microsoft GhostBuster Opionions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opionions Valdis . Kletnieks (Mar 17)
- Re: Microsoft GhostBuster Opionions bkfsec (Mar 17)
- Re: Microsoft GhostBuster Opionions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opinions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opinions Ron DuFresne (Mar 17)
- Re: Microsoft GhostBuster Opinions Jeremy Bishop (Mar 17)
- Re: Microsoft GhostBuster Opinions J u a n (Mar 18)
- Re: Microsoft GhostBuster Opinions Dave King (Mar 18)
- Re: Microsoft GhostBuster Opinions dk (Mar 18)
- Re: Microsoft GhostBuster Opinions Ron DuFresne (Mar 18)
- Re: Microsoft GhostBuster Opionions bkfsec (Mar 17)
- Re: Microsoft GhostBuster Opionions Valdis . Kletnieks (Mar 17)