funsec mailing list archives
RE: Homeland Security Official Suggests Outlawing Rootkits
From: "Brian Azzopardi" <brian () gfi com>
Date: Fri, 17 Feb 2006 17:32:10 +0100
> Yes, but simply replacing whatever Windows uses as a /bin/ps

I don't think it's that 'simply' in Windows, as first of all, there is no ps. The way to do it would be to have a user-land rootkit that hijacks explorer. Though a dir on the cmd line would still show the files.

> http://www.cert.org/advisories/CA-2001-04.html

I knew someone would bring this up. Yes, that is indeed a possibility - but I contend that, if not stopping all malware, then it drastically increases the difficulty of successfully deploying one in the wild.

Brian

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Friday, February 17, 2006 5:19 PM
To: Brian Azzopardi
Cc: Fergie; funsec () linuxbox org
Subject: Re: [funsec] Homeland Security Official Suggests Outlawing Rootkits

On Fri, 17 Feb 2006 16:03:13 +0100, Brian Azzopardi said:

> > In Vista kernel code such as device drivers and Sony's best will not run in ring 0 but ring 1 - so stuff like hiding files/processes/etc which depend on hijacking kernel data will be very, very hard*
>
> Yes, but simply replacing whatever Windows uses as a /bin/ps, with a version that hides the naughty bits, will fool 98% of the people. So the ring 0/1 distinction will only really matter to the 109 or so people that actually reverse engineer the sucker...
>
> > Additionally, starting with Vista x64, only corps who pay an annual license fee to Verisign for a certificate to sign their drivers with will be able to play in kernel-land.
>
> http://www.mountain-america.net
> http://www.cert.org/advisories/CA-2001-04.html
>
> Now, as you were saying?
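A defender's counterpart to the "replace the process lister" idea argued over in this exchange, added here as an example and not part of the thread or anyone's post: a cross-view check. A user-land hook that filters what the listing tool prints leaves the kernel's own view untouched, so comparing the PID set reported by `ps` with a direct enumeration of `/proc` exposes what the tool omits. Linux is used because the thread's own analogy is `/bin/ps`; the sample `ps` listing, the `/proc` names and the hidden PID 4242 are constructed for the example, and `live_check` assumes a Linux host with `ps` on the path.

```python
"""
Cross-view process check: compare what the system's process-listing tool
reports against a direct enumeration of /proc.  A user-land rootkit that
hooks or replaces the listing tool hides entries from one view but not the
other, so the difference between the two views is the detection signal.
"""
import os
import re
import subprocess

# `ps -eo pid` prints one PID per line after a " PID" header; the header has
# no digits, so this pattern skips it automatically.
PS_LINE = re.compile(r"^\s*(\d+)\b")


def pids_from_ps_output(text):
    """Parse the output of `ps -eo pid` into a set of integer PIDs."""
    pids = set()
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_proc_names(names):
    """Keep only the numeric directory names of a /proc listing (the live PIDs)."""
    return {int(n) for n in names if n.isdigit()}


def cross_view_diff(tool_pids, proc_pids):
    """Return (hidden, phantom): PIDs the tool omitted, and PIDs the tool
    reports that the kernel view does not have."""
    return proc_pids - tool_pids, tool_pids - proc_pids


def live_check():
    """Run the comparison on the current host (Linux /proc + ps).

    Returns (hidden, phantom).  Processes that start or exit between the two
    snapshots show up as noise, so PIDs flagged as hidden are re-checked
    against /proc before being reported."""
    out = subprocess.run(["ps", "-eo", "pid"], capture_output=True,
                         text=True, check=True).stdout
    tool = pids_from_ps_output(out)
    proc = pids_from_proc_names(os.listdir("/proc"))
    hidden, phantom = cross_view_diff(tool, proc)
    hidden = {p for p in hidden if os.path.isdir(f"/proc/{p}")}
    return hidden, phantom


# Constructed sample (not captured from a real host): a ps listing that omits
# PID 4242, and a /proc snapshot that still contains it.
SAMPLE_PS_OUTPUT = """  PID
    1
  200
  777
"""
SAMPLE_PROC_NAMES = ["1", "200", "777", "4242", "self", "cpuinfo", "meminfo"]


def sample_check():
    """Cross-view diff over the constructed sample; returns ({4242}, set())."""
    return cross_view_diff(pids_from_ps_output(SAMPLE_PS_OUTPUT),
                           pids_from_proc_names(SAMPLE_PROC_NAMES))


if __name__ == "__main__":
    hidden, phantom = sample_check()
    print("sample: hidden from ps =", sorted(hidden), "phantom =", sorted(phantom))
    if os.path.isdir("/proc"):
        h, p = live_check()
        print("live:   hidden from ps =", sorted(h), "phantom =", sorted(p))
```

The same principle carries to the Windows case the thread is really about: any enumeration that goes through a hijacked Explorer or a patched listing tool should be cross-checked against a second, independent path to the same data, and a non-empty difference is worth investigating. On a kernel-level rootkit both views can lie, which is exactly why the ring 0 discussion above matters.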