Dailydave mailing list archives
Re: We got owned by the Chinese and didn't even get a "lessons learned"
From: mark () vulndev org
Date: Thu, 25 May 2006 08:00:25 +0100 (BST)
I'm not going to join in on the stuff above; this thread is, erm, big enough already. However!

> As some colleague pointed out, the best HIPS ever should restrict program execution to "%ProgramFiles%" and "%SystemRoot%" (excluding "%temp%" and "%tmp%" maybe). Combined with a low privilege user, I don't think any existing spyware/malware/otherware would execute flawlessly with such restrictions.

Would that be as long as it doesn't exploit an object located in a place allowed execution? If you're basing execution on trust, and there's a flaw in a trusted location, I'd imagine, but as ever I'm happy to be wrong, that you could just get around the "where is this executing from" by using a vulnerable program as a trampoline. You can restrict execution using policies etc. to something similar, trusted hashes (whatever!), and the above situation will get you around that as far as I know. You just need a flaw in a trusted executable, then use that to launch the next stage; more convoluted and prone to error, I agree. I'll head back to the woodwork now.

Mark
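The path-based execution policy being discussed, written out as an added example (not code from the thread or from any HIPS product): images may run only from under %ProgramFiles% or %SystemRoot%, never from under %TEMP% or %TMP%, with the deny rule checked first because the Windows temp directory itself sits under %SystemRoot%. The environment values are constructed samples. As Mark's reply points out, a check like this only sees the image path; code that runs inside an already-trusted process is outside its view.

```python
import ntpath

# Constructed sample environment; a real deployment would read these from the
# process environment or the policy store rather than hard-coding them.
ENV = {
    "ProgramFiles": r"C:\Program Files",
    "SystemRoot": r"C:\Windows",
    "TEMP": r"C:\Windows\Temp",
    "TMP": r"C:\Users\alice\AppData\Local\Temp",
}

ALLOWED_ROOTS = ("ProgramFiles", "SystemRoot")
DENIED_ROOTS = ("TEMP", "TMP")


def _normalize(path: str) -> str:
    """Collapse '.' and '..' segments, unify slashes, and fold case (NTFS is case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))


def _under(path: str, root: str) -> bool:
    """True if path is root or lies beneath root, matching on whole path components only."""
    root = _normalize(root).rstrip("\\")
    return path == root or path.startswith(root + "\\")


def execution_allowed(image_path: str, env: dict = ENV) -> bool:
    """Apply the policy: deny temp directories first, then require an allowed root."""
    path = _normalize(image_path)
    if any(_under(path, env[k]) for k in DENIED_ROOTS):
        return False
    return any(_under(path, env[k]) for k in ALLOWED_ROOTS)


def evaluate_samples() -> dict:
    """Run the policy over constructed image paths, including the awkward cases."""
    samples = [
        r"C:\Program Files\App\app.exe",                  # allowed root
        r"C:/Windows/System32/notepad.exe",               # forward slashes, still under SystemRoot
        r"c:\windows\temp\dropper.exe",                   # under SystemRoot but also under TEMP: denied
        r"C:\Windows\Temp\..\..\Users\alice\evil.exe",    # traversal normalizes to C:\Users\...: denied
        r"C:\Program FilesX\evil.exe",                    # prefix of an allowed root, not a child: denied
        r"C:\Users\alice\AppData\Local\Temp\x.exe",       # user temp: denied
    ]
    return {p: execution_allowed(p) for p in samples}
```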