Dailydave mailing list archives

A growing darkness


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 14 Aug 2008 15:47:27 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's dark and storming here - not rare for Miami.

For those of you who like to read about heap overflows, Nico's blog has 
some information on the work he did to make the Citrix bug CANVASized:
http://eticanicomana.blogspot.com/

Likewise his post on the rollercoaster ride that is writing heap 
overflows is a good one. :>

We find that ready-to-use kernel rootkits are a key part of what people 
want in an attack platform these days. To this end Daniel Palacio (an 
intern at Immunity this summer) wrote a Linux rootkit we hope to release 
shortly as part of CANVAS. Bas has since written a loader for it [1] 
that uses the debug registers to "hook" things. You may or may not have 
seen this technique being used [2] but it's good to have something ready 
to go in your toolkit. There are some other cool features in the CANVAS 
Linux rootkit but I'll wait till it's ready sometime next week to post 
about them.

- -dave
[1] The loader itself is in CANVAS Early Updates for those of you who 
want to play with it.
[2] I think a Windows rootkit uses this hooking technique but I can't 
remember which one.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIpIvPtehAhL0gheoRAsjMAJ0dV6QtjYeKxTMIXJ3B4lQh6DCMSgCffqqQ
Grzmj+AKSj37bABrA8nANaw=
=oOeE
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave