Re: Usenix w00t (ddz)

["John Dohrr" <sf003 () gmx net>]

> I was checking out Dino's Usenix paper a couple days ago, and a few questions stuck in my head.
> http://www.usenix.org/events/woot07/tech/full_papers/daizovi/daizovi_html/

Um, nothing new here. I recall seeing this kind of thing (ElGamal + DES + ptrace(2) games to prevent tracing) back in 
the days of SunOS 4.1.3. Unfortunately, on a SPARC 2, _any_ kind of encryption introduces a CPU hit, so it was 
relatively easy to tell that something was up. A sploit was used to transfer the encryption 'client' across (primary 
payload), which was then used to conceal whatever (secondary) rootkit was installed[1].

> From my experience with openssl, things change regularly enough to ensure that using the OS' crypto libraries is more 
> pain that it's worth. You might get away with just using the bigint routines, and rolling the rest yourself....

J.

[1] Interestingly enough, I know of at least one rootkit in the wild that uses a bastardised EKE/SPEKE protocol to 
authenticate connections to the backdoor and prevent MITM attacks.

-- 
Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! 
Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave