Dailydave mailing list archives
Re: Usenix w00t (ddz)
From: "John Dohrr" <sf003 () gmx net>
Date: Wed, 03 Oct 2007 14:54:47 +0200
I was checking out Dino's Usenix paper a couple days ago, and a few questions stuck in my head. http://www.usenix.org/events/woot07/tech/full_papers/daizovi/daizovi_html/
Um, nothing new here. I recall seeing this kind of thing (ElGamal + DES + ptrace(2) games to prevent tracing) back in the days of SunOS 4.1.3. Unfortunately, on a SPARC 2, _any_ kind of encryption introduces a CPU hit, so it was relatively easy to tell that something was up. A sploit was used to transfer the encryption 'client' across (primary payload), which was then used to conceal whatever (secondary) rootkit was installed[1].
From my experience with openssl, things change regularly enough to ensure that using the OS' crypto libraries is more pain that it's worth. You might get away with just using the bigint routines, and rolling the rest yourself....
J. [1] Interestingly enough, I know of at least one rootkit in the wild that uses a bastardised EKE/SPEKE protocol to authenticate connections to the backdoor and prevent MITM attacks. -- Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Usenix w00t (ddz) Dave Aitel (Oct 01)
- Re: Usenix w00t (ddz) Alexander Sotirov (Oct 01)
- <Possible follow-ups>
- Re: Usenix w00t (ddz) John Dohrr (Oct 03)