Honeypots mailing list archives
Re: Sebek detection
From: Edward Balas <ebalas () iu edu>
Date: Mon, 29 Mar 2004 10:20:00 -0500 (EST)
On Mon, 29 Mar 2004, Gabriel Armbrust Araujo wrote:
Hi, there's been a fake Phrack edition which has a paper, 'Local Honeypot Identification': http://www.phrack.org/unoffical/p62/p62-0x07.txt
I have not tested the techniques described in the text. Is it real or just nonsense?
Gabriel,

I don't consider them nonsense. For instance, the unsebek technique should work. It's more an issue of robustness; for instance, how well would unsebek work if Sebek were a kernel patch, or if it used some other hooking point?

Take another example, the sebek_rape tool. It works only for a very specific version of the client (i.e., it does not work with the current version of the Linux client).

Keep in mind that it is most likely impossible to make such code undetectable or uninstallable. Once an intruder has root access, it's theoretically just a matter of time. If they want to install a completely new OS, they can; if they want to exhaustively search memory for signs of Sebek, they can do that too.

What we have is an arms race. Until intruders start to use more robust techniques for the detection of hidden code such as Sebek, it will continue to be such.

Edward
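The "hooking point" remark above is the crux of the robustness question: a detector that checks one specific hooking point only finds hidden code that uses that hooking point. The following is an added example, not code from this thread, from Sebek, or from the unsebek tool. It illustrates the generic form such a check takes: compare a dump of the live sys_call_table against the addresses recorded in System.map and flag entries that differ or that point outside the kernel's text segment. Every address, symbol and table entry below is constructed for the illustration and has nothing to do with Sebek's real addresses or placement; a hook installed as a kernel patch, or at a different hooking point, would not be visible to this check, which is exactly the limitation the post describes.

```python
"""Constructed example: flag system-call table entries that no longer point
where System.map says they should.

All addresses, symbol names and the table dump are made up for illustration.
"""

# Constructed System.map fragment: "address type symbol" per line.
SYSTEM_MAP = """\
c0100000 T _text
c0106a40 T sys_read
c0106b10 T sys_write
c0106c00 T sys_open
c02b0000 T _etext
c0300000 D sys_call_table
"""

# Constructed dump of the live sys_call_table: slot -> address currently
# stored there. Slot 3 (read) is assumed to have been redirected to an
# address inside module space, which is how a module-based hook would look.
LIVE_TABLE = {
    3: 0xD0862100,  # read  -> assumed hooked (module address, not in .text)
    4: 0xC0106B10,  # write -> matches System.map
    5: 0xC0106C00,  # open  -> matches System.map
}

# Assumed slot numbering for the three syscalls used in this example.
SYSCALL_SYMBOLS = {3: "sys_read", 4: "sys_write", 5: "sys_open"}


def parse_system_map(text):
    """Return {symbol: address} from System.map-style text."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        addr, _kind, name = parts
        symbols[name] = int(addr, 16)
    return symbols


def find_hooked_entries(live_table, system_map_text, syscall_symbols):
    """Compare live table entries with System.map.

    Returns a list of (slot, symbol, address, reasons) for every entry that
    either lies outside [_text, _etext) or differs from the expected symbol
    address. Entries that match on both counts are not reported.
    """
    symbols = parse_system_map(system_map_text)
    text_start, text_end = symbols["_text"], symbols["_etext"]
    findings = []
    for slot, addr in sorted(live_table.items()):
        name = syscall_symbols.get(slot)
        expected = symbols.get(name) if name else None
        reasons = []
        if not (text_start <= addr < text_end):
            reasons.append("address outside kernel .text")
        if expected is not None and addr != expected:
            reasons.append("differs from System.map %s=0x%x" % (name, expected))
        if reasons:
            findings.append((slot, name, addr, reasons))
    return findings


if __name__ == "__main__":
    for slot, name, addr, reasons in find_hooked_entries(
        LIVE_TABLE, SYSTEM_MAP, SYSCALL_SYMBOLS
    ):
        print("slot %d (%s) at 0x%x: %s" % (slot, name, addr, "; ".join(reasons)))
```

On the constructed input this reports only slot 3. The check is deliberately narrow: it knows nothing about what the hook does, only that the table entry is not what the symbol map says. Any hook that leaves the table intact, such as a patched kernel image or a hook placed deeper in the read path, passes this check unnoticed, which is why the post treats detection as an arms race rather than a solved problem.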
Current thread:
- Sebek detection gconnell (Mar 28)
- Re: Sebek detection Gabriel Armbrust Araujo (Mar 29)
- Re: Sebek detection Edward Balas (Mar 29)
- Re: Sebek detection Thorsten Holz (Mar 29)
- Re: Sebek detection Lance Spitzner (Mar 29)
- Re: Sebek detection Edward Balas (Mar 29)
- <Possible follow-ups>
- Re: Sebek detection Ty Bodell (Mar 29)
- Re: Re: Sebek detection Guilhem (Mar 29)
- Re: Sebek detection Gabriel Armbrust Araujo (Mar 29)