Security Incidents mailing list archives

Re: nouser - rootkit ?

From: "Bruce Ediger" <eballen1 () qwest net>
Date: Mon, 11 Mar 2002 20:26:00 -0700 (MST)

On Mon, 11 Mar 2002, Konrad Rieck wrote:

I wonder if there are really attackers out there installing bogus-rootkits
in order to protect the real ones. Has anybody on this list detected such
kind of "feints"?


I posted to usenet last year with the same question, because one
of the machines I tend got rooted.

In response, some guy claimed he found a rootkit that had at least
two layers:

http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net

I'm not at all sure I believe this story: IRIX is pretty obscure,
and not very widely used.  Why would anyone go to the effort of
doing a "feint" rootkit to mask a "real" rootkit for so few targets?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

nouser - rootkit ? Dan Uscatu (Mar 10)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
  - Re: nouser - rootkit ? Ryan Russell (Mar 11)
  - Re: nouser - rootkit ? Konrad Rieck (Mar 11)
    - Re: nouser - rootkit ? Bruce Ediger (Mar 12)
    - Re: nouser - rootkit ? Kyle R Maxwell (Mar 12)
    - Re: nouser - rootkit ? Jose Nazario (Mar 12)
    - Re: nouser - rootkit ? Eric Brandwine (Mar 12)
    - Re: nouser - rootkit ? [:multiple root kit thread:] Dan Rohan (Mar 12)
    - Re: nouser - rootkit ? Dave Dittrich (Mar 12)
    - Re: nouser - rootkit ? Eric Brandwine (Mar 12)
    - Re: nouser - rootkit ? Brian Hatch (Mar 12)
- <Possible follow-ups>
- Re: nouser - rootkit ? Bill_Royds (Mar 12)