Re: NKADM rootkit - Something new?

[Paul Schmehl <pauls () utdallas edu>]

Since I posted my response in this thread, I've gotten several requests for 
my "tool list".  There's really nothing magical about it.

Foundstone has a number of useful tools - Forensic Toolkit (good for 
examing files), Vision (shows open TCP and UDP ports and what process owns 
them), BinText (strings for Windows).

Go to http://www.foundstone.com/ and click on Resources/Free Tools.

Systinternals has a number of tools that you'll probably find in the 
hackers' toolkits as well, particularly pslist and pskill.  But look at 
their whole set.  ListDLLs is very useful, as is Handle, PMon, Process 
Explorer (find function is *very* helpful), PSTools (pskill, pslist, 
psservice and several others.)

Go to http://www.sysinternals.com/ and click on Utilities.
All these tools are very useful.  Particularly when you're dealing with a 
process or service that's been renamed and/or is elusive, something that 
can tie processes to PIDs and files with complete paths is a necessity.

Another good tool is Active Ports, which will show you the process, PID, IP 
address (local and remote), ports (local and remote), state (listen, 
established) and path to the executable is extremely useful.

Go to http://www.snapfiles.com/get/activeports.html

More good tools may be found at http://www.ntutility.com/ (including Active 
Ports.)

Of course Microsoft also has a useful set of utilities that few seem to 
know about.  Among them is sc,tskill, tasklist, eventquery.vbs, pstat.exe 
(part of the SDK).  These are handy in a pinch, but not as informative as 
the tools mentioned above.

Another tool that I've found invaluable is F.I.R.E.  It's a bootable, 
networkable CD ROM running Linux.  I've been able to mount ntfs hard drives 
and scp the entire contents to a server, saving all the data from a crashed 
machine before formatting it and reinstalling the OS.  (Saved the 
President's laptop once, becoming a hero in the process.)  I've done 
forensics on a Win2K box, mounting the ntfs drives and making copies of all 
the logs and binaries I found without disturbing the contents of the drive 
or changing any of the file access information.

Go to http://biatchux.dmzs.com/ to get a copy.

The most recent update is dated 5/14/2003, so I don't know if it's being 
maintained or updated.

You might want to consider Knoppix instead.  It comes with a boatload of 
extra stuff you won't use for forensics, but it's a good way to get 
familiar with unix, if you're not already.  It even has a working version 
of snort with ACID!

Go to http:www.knoppix.net/ for more information.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/