funsec mailing list archives
RE: eWeek: Government-Funded Startup Blasts Rootkits
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Thu, 27 Apr 2006 10:44:52 -0400
http://www.komoku.com/pubs/USENIX-copilot.pdf

"The monitor is an Intel StrongARM EBSA-285 Evaluation Board - a single-board computer on a PCI add-in card inserted into the host's PCI bus. The monitor retrieves parts of host RAM for examination through Direct Memory Access (DMA) without the knowledge or intervention of the host kernel."

This is all well and good and I see the value since the coproc is both real-time and off-line. I admit I haven't read all the paper, but I still don't know how it's supposed to tell the difference between legitimate and malicious behavior.

It looks like the main thing Co-Pilot does is to monitor changes to key jump tables in the kernel. I think the key analogous structure in the Windows kernel is called the system service table. But aren't there legitimate reasons for software to hook it? Anti-virus software for example. I don't really know if legit software ever uses the same techniques, I'm genuinely curious. Where's Mark Russinovich when you need him?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
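The jump-table check the post describes, as an added illustration that is not from the Copilot paper or from this thread: a monitor that hashes a fetched copy of the service table, diffs changed slots against a baseline, and classifies each new target by which code region owns it, which is one way to separate a vetted hook from an unexplained one. The table layout, address ranges and the allowlisted driver are constructed for the example.

```python
import hashlib

# Constructed layout: an 8-entry service table of 32-bit little-endian function
# pointers, as a coprocessor would fetch it from host RAM over DMA.
KERNEL_TEXT = (0xC0100000, 0xC0400000)  # hypothetical kernel .text range
# Hypothetical vetted hook owner (e.g. an AV filter driver) and its code range.
ALLOWED_MODULES = {"av_filter.sys": (0xF8800000, 0xF8810000)}

def table_hash(table: bytes) -> str:
    """Hash of the raw table bytes: a cheap 'did anything change?' check."""
    return hashlib.sha256(table).hexdigest()

def decode_entries(table: bytes) -> list:
    return [int.from_bytes(table[i:i + 4], "little") for i in range(0, len(table), 4)]

def build_table(targets) -> bytes:
    return b"".join(t.to_bytes(4, "little") for t in targets)

def classify(target: int) -> str:
    """Name the code region a pointer lands in; unknown regions are the red flag."""
    lo, hi = KERNEL_TEXT
    if lo <= target < hi:
        return "kernel-text"
    for name, (mlo, mhi) in ALLOWED_MODULES.items():
        if mlo <= target < mhi:
            return f"allowlisted:{name}"
    return "unknown-code"

def check_table(baseline: bytes, snapshot: bytes) -> list:
    """Return (slot, old_target, new_target, classification) for every changed slot."""
    if table_hash(baseline) == table_hash(snapshot):
        return []
    old, new = decode_entries(baseline), decode_entries(snapshot)
    return [(i, o, n, classify(n)) for i, (o, n) in enumerate(zip(old, new)) if o != n]

# Constructed known-good baseline: every slot points into kernel text.
ORIGINAL_TARGETS = [0xC0101000 + 0x40 * i for i in range(8)]
BASELINE = build_table(ORIGINAL_TARGETS)
# Constructed later snapshot: slot 2 re-pointed into the allowlisted driver,
# slot 5 re-pointed into a region no known module owns.
_later = list(ORIGINAL_TARGETS)
_later[2] = 0xF8800120
_later[5] = 0x81234000
SNAPSHOT = build_table(_later)

if __name__ == "__main__":
    for slot, old, new, kind in check_table(BASELINE, SNAPSHOT):
        print(f"slot {slot}: {old:#010x} -> {new:#010x} [{kind}]")
```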