Security Basics mailing list archives
Re[2]: Crash Monitor -- rootkit discussion
From: Adam Pal <pal_adam () gmx net>
Date: Wed, 2 Jul 2008 23:22:39 +0200
Hi,

Well, concerning the crash issue: as mentioned in the list, check your logs (run compmgmt.msc and go to the event log); there you will 100% find some hints on what caused the crash. Usually it can be some driver issue and/or the registry fscked up.

As about the rootkit issue: if, and only if, you are sure to be infected (http://www.windowsreference.com/security/list-of-free-anti-rootkitrootkit-detection-software-for-windows/), a clean reinstall is the only possibility to get rid of it; if a forensic investigation is needed, better let someone qualified do it.

Actually, you can be pretty sure for rootkits, Philippe, but it's messy, since you need some tools like Helix offers and compare valid and actual output of the commands. If I'd write a Windows rootkit, I would try to compromise services which can reveal its presence, such as msinfo.msc, Task Manager, tasklist, clean the event log, etc...

--
Best regards,
Adam Pal

Wednesday, July 2, 2008, 10:10:00 PM, you wrote:

<==============Original message text===============

RP> First off, the first post seemed to be able to format. In the case he can't,
RP> he would still have to get someone who can (which is a lot easier than
RP> someone who can investigate and remove rootkits).

RP> All I wanted to say (I knew I would get hit by this) is that if you are
RP> investigating for the possibility of a rootkit, you must have some serious
RP> doubt about the security of your PC. At that point it would be faster and
RP> safer to format it and reinstall.

RP> Yes, backups can screw up, you can not do them or forget. But again, this
RP> would be the issue if you find the rootkit and can't remove it. Save your
RP> files to the D drive, format the C, do an external backup.

RP> As for the house & termite, your example is flawed, as you can be sure that
RP> there is no termite left. You can't really be sure for rootkits.

RP> Merci / Thanks
RP> Philippe Rivest, CEH
RP> Internal information security auditor
RP> Email: Privest () transforce ca
RP> Phone: (514) 331-4417
RP> www.transforce.ca

RP> -----Original Message-----
RP> From: Scott Race [mailto:srace () jdaarch com]
RP> Sent: 2 July 2008 15:56
RP> To: Rivest, Philippe; infolookup () gmail com; GremaGehan () web de;
RP> listbounce () securityfocus com; security-basics () securityfocus com
RP> Subject: RE: Crash Monitor

RP> Philippe, your proposed solution is like demolishing your house and
RP> rebuilding because you think you "might" have termites.

RP> I beg to differ that home PC data is less important than corporate data.
RP> Home PC data is very important to that home user. If you assume "expertise is
RP> lacking", then a format/reinstall could easily result in data loss (family
RP> pictures, financial info, etc).

RP> Bottom line is that if expertise is lacking, the user should find someone who
RP> knows what they're doing and check out how severe it is.

RP> And what if there is no rootkit? You can at least get an idea of the risk
RP> factor by using the various tools of the trade (search and destroy products,
RP> netstat for listening ports, software firewall to check for incoming/outgoing
RP> connections, task mgr for running processes, etc).

RP> To me, format and reinstall would be a better solution for a corporate PC, as
RP> generally data is stored on file servers and not on the local machine, thus
RP> there is little risk of a format losing sensitive data (of course this varies
RP> from network to network). Home PCs generally have lots of data on them, and
RP> are generally not backed up.

RP> Case in point, my father-in-law just called Dell with a problem (he's an
RP> older guy); Dell ended up having him format the drive. He had burned his
RP> data to a CD a few days before, but guess what, the CD didn't burn correctly
RP> (and he's a home user, he didn't test it). DATA LOSS. Sucks for him, all
RP> his Quicken data and family pics are gone.

RP> Format should be a last resort. Yes, it works, but there are other things to
RP> try first to get an idea of what solution is necessary.

RP> Scott

RP> -----Original Message-----
RP> From: listbounce () securityfocus com
RP> [mailto:listbounce () securityfocus com] On
RP> Behalf Of Rivest, Philippe
RP> Sent: Wednesday, July 02, 2008 12:22 PM
RP> To: infolookup () gmail com; GremaGehan () web de; listbounce () securityfocus com;
RP> security-basics () securityfocus com
RP> Subject: RE: Crash Monitor

RP> To add to the previous post.

RP> If you are going to look for rootkits I would suggest formatting and
RP> re-installing. If you suspect you have a rootkit on your PC there's no need
RP> to identify it or KNOW you have one. Just do a full format & reinstall.

RP> If you have a rootkit, there's no complete way to remove it. I mean to know
RP> 100% that everything critical is removed. The time you are going to spend
RP> investigating this, cleaning it and worrying about the after effects would be
RP> better spent reinstalling.

RP> For all those who are going to hit me with "you should know if there's a
RP> rootkit", this is a stand-alone PC, not corporate, and the expertise and time
RP> may be lacking. Also the level of sensitivity of the PC is probably very low.

RP> Format and move on.

RP> Merci / Thanks
RP> Philippe Rivest, CEH
RP> Internal information security auditor
RP> Email: Privest () transforce ca
RP> Phone: (514) 331-4417
RP> www.transforce.ca

RP> -----Original Message-----
RP> From: listbounce () securityfocus com
RP> [mailto:listbounce () securityfocus com] On behalf
RP> of infolookup () gmail com
RP> Sent: 2 July 2008 15:13
RP> To: GremaGehan () web de; listbounce () securityfocus com;
RP> security-basics () securityfocus com
RP> Subject: Re: Crash Monitor

RP> Virus protection up to date? Any P2P software like LimeWire that could bring
RP> in tons of problems? Did you recently add any new software or hardware? Also
RP> go to the Microsoft site and download a rootkit program and scan your PC.

RP> ------Original Message------
RP> From: GremaGehan () web de
RP> Sender: listbounce () securityfocus com
RP> To: security-basics () securityfocus com
RP> Sent: Jul 2, 2008 2:20 PM
RP> Subject: Crash Monitor

RP> Hello list,

RP> my wife is using Win 2000 + MS Office to write her thesis. Of course
RP> there are also such important tools like Skype, ICQ ...... etc. (you
RP> know ...). Now it is daily that this PC is crashing. I don't know
RP> why. Is it possible to detect the crashing application? Do you know some
RP> tool (something like DrWatson)? The PC is patched, Event Viewer shows
RP> nothing.

RP> The most probable case is: ca. 1 hour after login this PC hangs up,
RP> independently of running applications. After restart it works normally.

RP> Thank you in advance
RP> Martin

<===========End of original message text===========