Honeypots mailing list archives

Re: Sebek detection


From: Edward Balas <ebalas () iu edu>
Date: Mon, 29 Mar 2004 10:20:00 -0500 (EST)

On Mon, 29 Mar 2004, Gabriel Armbrust Araujo wrote:

> Hi,
>
> There's been a fake phrack edition which has a paper
>
> 'Local Honeypot Identification'
> http://www.phrack.org/unoffical/p62/p62-0x07.txt
>
> I have not tested the techniques described in the text - is it real or
> just nonsense?


Gabriel,

I don't consider them nonsense.  For instance, the
unsebek technique should work.  It's more an issue of robustness,
for instance how well would unsebek work if sebek was a kernel
patch or if it used some other hooking point.  Take another
example, the sebek_rape tool.  It works only for a very specific
version of the client (i.e. it does not work with the current version of
the Linux client).

Keep in mind that it is most likely impossible to make such code
undetectable or uninstallable.  Once an intruder has root access
it's theoretically just a matter of time.  If they want to install
a completely new OS they can; if they want to exhaustively search
memory for signs of sebek, they can do that too.

What we have is an arms race.  Until intruders start to use more
robust techniques for the detection of hidden code such as sebek, it
will continue to be one.

Edward
