Dailydave mailing list archives

Re: Thoughts about Cross-View based Rootkit Detection


From: Dave Aitel <dave () immunitysec com>
Date: Sun, 19 Jun 2005 09:15:35 -0400

I'm not sure exactly what is meant by "cross view" in this context. Is there a simple dictionary for us non-rootkit developers to follow? Is it any detector that follows a "low level" view with a "high level" view and then does a compare?

Just out of curiosity, do any of the win32 rootkits out there move their files out of the way? I.e., if I'm in the kernel, I can watch you read sectors, and if I see a sector that looks like me, I can move myself to an earlier sector, right? Kinda core-wars-esque, if you've ever played that game.

I still do like the idea of hiding in plain sight. There's just so much entropy on a normal system - you can replace explorer.exe and be pretty happy.

-dave

Joanna Rutkowska wrote:

Recently, the cross-view based approach to rootkit detection, especially
in regards to hidden files and registry keys, became very popular. This
is mostly because of the recent release of tools like Rootkit Revealer
and Black Light, as well as the Microsoft research project with the
friendly name GhostBuster. Many people started to think that it is going
to be the ultimate way of detecting all rootkits and system compromises
in general...

So, I decided to put some of my thoughts about this into a short
article, which can be found here:

http://invisiblethings.org/papers/crossview_detection_thoughts.pdf

Best Regards,
joanna.
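
An added illustration of the cross-view principle the thread is about (not part of either message, and not code from any of the tools named): the "low-level view vs. high-level view, then compare" idea applied to process lists on Linux, where /proc is the high-level view and kill(pid, 0) the low-level one. It assumes a Linux host with procfs mounted; the function names are chosen for this example.

```python
# Cross-view hidden-process check for Linux (added illustration, not from the thread).
# High-level view: task IDs that /proc exposes (what ps and top read).
# Low-level view:  task IDs that answer kill(id, 0), resolved from the kernel's
# own task table. Anything alive below but absent above is a discrepancy.
import os

def cross_view_diff(high_view, low_view):
    """Generic compare: whatever the low-level view sees that the high-level view does not."""
    return set(low_view) - set(high_view)

def proc_high_view():
    """Every /proc/<pid> plus /proc/<pid>/task/<tid>; without the TIDs every extra thread would look hidden."""
    view = set()
    for name in os.listdir("/proc") if os.path.isdir("/proc") else []:
        if name.isdigit():
            view.add(int(name))
            try:
                view.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
            except OSError:  # process exited between the two listings
                pass
    return view

def proc_low_view(max_pid):
    """Probe each ID with signal 0: ProcessLookupError = no such task, PermissionError = exists, not ours."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def find_hidden_processes(max_pid=None):
    """Sample /proc before and after the probe so a task starting or exiting mid-scan is not misreported."""
    before = proc_high_view()
    if not before:  # no procfs (non-Linux): nothing to compare
        return set()
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:  # real ceiling, often above 32768
            max_pid = int(f.read())
    low = proc_low_view(max_pid)
    return cross_view_diff(before | proc_high_view(), low)

if __name__ == "__main__":
    hidden = find_hidden_processes()
    print("hidden task IDs:", sorted(hidden) or "none")
```

A mount of /proc with hidepid set will make other users' processes show up here as discrepancies, so the result is a lead to investigate, not a verdict.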


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
