funsec mailing list archives

RE: Homeland Security Official Suggests Outlawing Rootkits


From: "Brian Azzopardi" <brian () gfi com>
Date: Fri, 17 Feb 2006 17:32:10 +0100


> Yes, but simply replacing whatever Windows uses as a /bin/ps

I don't think it's that 'simply' in Windows, as first of all, there is no
ps. The way to do it would be to have a user-land rootkit that hijacks
explorer. Though a dir on the cmd line would still show the files.


> http://www.cert.org/advisories/CA-2001-04.html

I knew someone would bring this up. Yes, that is indeed a possibility -
but I contend that, if not stopping all malware, then it drastically
increases the difficulty of successfully deploying one in the wild.

Brian


-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Friday, February 17, 2006 5:19 PM
To: Brian Azzopardi
Cc: Fergie; funsec () linuxbox org
Subject: Re: [funsec] Homeland Security Official Suggests Outlawing Rootkits

On Fri, 17 Feb 2006 16:03:13 +0100, Brian Azzopardi said:

> In Vista kernel code such as device drivers and Sony's best will not
> run in ring 0 but ring 1 - so stuff like hiding files/processes/etc
> which depend on hijacking kernel data will be very, very hard*

Yes, but simply replacing whatever Windows uses as a /bin/ps, with a
version that hides the naughty bits, will fool 98% of the people.  So
the ring 0/1 distinction will only really matter to the 109 or so people
that actually reverse engineer the sucker...

Additionally, starting with Vista x64, only corps who pay an annual
license fee to Verisign for a certificate to sign their drivers with
will be able to play in kernel-land.

http://www.mountain-america.net

http://www.cert.org/advisories/CA-2001-04.html

Now, as you were saying?

  