Re[2]: Crash Monitor -- rootkit discussion

[Adam Pal <pal_adam () gmx net>]

Hi

Well, concerning the crash-issue:
As mentioned in the list, check your logs (run compmgmt.msc and go to
the eventlog), there you will find 100% some hints on what caused the
crash. Usualy it can be some driver issue and/or registry fscked up.

as about the rootkit-issue:
If, and only if you are sure to be infected
(http://www.windowsreference.com/security/list-of-free-anti-rootkitrootkit-detection-software-for-windows/)
A clean reinstall is the only possibility to get rid of it, if
a forensic investigation is needed better let someone quallifyed to do
it.
Actualy, you can be pretty sure for rootkits Philippe, but its messy
since you need some tools like helix offers and compare valid and
actual output of the commands.
If i`d write a windows rootkit, i would try to compromise services
which can reveal its presence such as msinfo.msc , taskmanager,
tasklist, clean the eventlog, etc...

-- 
Best regards,
 Adam Pal   

Wednesday, July 2, 2008, 10:10:00 PM, you wrote:

<==============Original message text===============
RP> First off, the first post seemed to be able to format. In the case he can't,
RP> he would still have to get someone who can (which is a lot easier then
RP> someone who can investigate and remove root kits).

RP> All I wanted to say (I knew I would get hit by this) is that if you are
RP> investigating for the possibility of a rootkit, you must have some serious
RP> doubt about the security of your pc. At that point it would be faster and
RP> safer to format it and reinstall.

RP> Yes backup can screw up, you can not do them or forget. But again.. this
RP> would be the issue if you find the root kit and cant remove it. Save your
RP> files to the D drive format the C, do an external backup.

RP> As for the house & termite, your example is flawed. As you can be sure that
RP> there is no termite left. You can't really be sure for root kits.



RP> Merci / Thanks
RP> Philippe Rivest, CEH
RP> Vérificateur interne en sécurité de l'information
RP> Courriel: Privest () transforce ca
RP> Téléphone: (514) 331-4417
RP> www.transforce.ca


RP> -----Message d'origine-----
RP> De : Scott Race [mailto:srace () jdaarch com] 
RP> Envoyé : 2 juillet 2008 15:56
RP> À : Rivest, Philippe; infolookup () gmail com; GremaGehan () web de;
RP> listbounce () securityfocus com; security-basics () securityfocus com
RP> Objet : RE: Crash Monitor


RP> Philippe, your proposed solution is like demolishing your house and
RP> rebuilding because you think you "might" have termites.

RP> I beg to differ than home PC data is less important than corporate data.
RP> Home PC data is very important to that home user. If you assume "expertise is
RP> lacking", then a format/reinstall could easily result in data loss (family
RP> pictures, financial info, etc).

RP> Bottom line is that if expertise is lacking, the user should find someone who
RP> knows what they're doing and check out how severe it is.  

RP> And what if there is no rootkit?  You can at least get an idea of the risk
RP> factor by using the various tools of the trade (search and destroy products,
RP> netstat for listening ports, software firewall to check for incoming/outgoing
RP> connections, task mgr for running processes, etc).

RP> To me, format and reinstall would be a better solution for a corporate PC, as
RP> generally data is stored on file servers and not on the local machine, thus
RP> there is little risk of a format losing sensitive data (of course this varies
RP> from network to network).  Home PCs generally have lots of data on them, and
RP> are generally not backed up.  

RP> Case in point, my father-in-law just called Dell with a problem (he's an
RP> older guy), Dell ended up having him format the drive.  He had burned his
RP> data to a CD a few days before, but guess what, the CD didn't burn correctly
RP> (and he's a home user, he didn't test it).  DATA LOSS.  Sucks for him, all
RP> his Quicken data and family pics are gone.

RP> Format should be a last resort.  Yes, it works, but there are other things to
RP> try first to get an idea of what solution is necessary.  


RP> Scott

RP> -----Original Message-----
RP> From: listbounce () securityfocus com
RP> [mailto:listbounce () securityfocus com] On
RP> Behalf Of Rivest, Philippe
RP> Sent: Wednesday, July 02, 2008 12:22 PM
RP> To: infolookup () gmail com; GremaGehan () web de; listbounce () securityfocus com;
RP> security-basics () securityfocus com
RP> Subject: RE: Crash Monitor

RP> To add to the previous post.

RP> If you are going to look for rootkits I would suggest formatting and
RP> re-installing. If you suspect you have a root-kit on your PC theres no need
RP> to identify it or KNOW you have one. Just do a full format & reinstall.

RP> If you have a rootkit,theres no complete way to remove it. I mean to know
RP> 100% that everything critical is removed. The time you are going to spend
RP> investigating this, cleaning it and worrying about the after effects would be
RP> better spent reinstalling.

RP> For all those who are going to hit me with "you should know if there's a
RP> rootkit", this is a stand alone PC, not corporate and the expertise and time
RP> may be lacking. Also the lvl of sensitivity of the PC is probably very low.


RP> Format and move on


RP> Merci / Thanks
RP> Philippe Rivest, CEH
RP> Vérificateur interne en sécurité de l'information
RP> Courriel: Privest () transforce ca
RP> Téléphone: (514) 331-4417
RP> www.transforce.ca


RP> -----Message d'origine-----
RP> De : listbounce () securityfocus com
RP> [mailto:listbounce () securityfocus com] De la
RP> part de infolookup () gmail com
RP> Envoyé : 2 juillet 2008 15:13
RP> À : GremaGehan () web de; listbounce () securityfocus com;
RP> security-basics () securityfocus com
RP> Objet : Re: Crash Monitor

RP> Virus protection up to date? Any P2P software like lime wire that could bring
RP> in tones of problems? Did you recently add any new software or hardware? Also
RP> go to Microsoft site and download a root kit program and scan your pc.
RP> ------Original Message------
RP> From: GremaGehan () web de
RP> Sender: listbounce () securityfocus com
RP> To: security-basics () securityfocus com
RP> Sent: Jul 2, 2008 2:20 PM
RP> Subject: Crash Monitor

RP> Hello list,

RP> my wife using Win 2000 + MS Office to writing her thesis. Of course
RP> there are also such important tools like a Skype, ICQ ...... etc. (you
RP> know ... ) At now it is daily that this PC is crashing. I don't know
RP> why. It is possible to detect the crashing application? Do you know some
RP> tool (something like DrWatson.)? The PC ist patched, Event Viewer show
RP> nothing.
RP> The most probably case is: ca. 1 hour after login hanging this PC up.
RP> Independently of runnig applications. After restart its work normally.

RP> Thank you in advance

RP> Martin 


RP> _______________________________________________________________________
RP> EINE FÜR ALLE: die kostenlose WEB.DE-Plattform für Freunde und Deine
RP> Homepage mit eigenem Namen. Jetzt starten! http://unddu.de/?kid=kid@mf2



RP> Sent from my Verizon Wireless BlackBerry

<===========End of original message text===========

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature