Security Incidents mailing list archives
Re: nouser - rootkit ?
From: Dave Dittrich <dittrich () cac washington edu>
Date: Mon, 11 Mar 2002 23:33:39 -0800 (PST)
> I wonder if there are really attackers out there installing bogus-rootkits
> in order to protect the real ones. Has anybody on this list detected such
> kind of "feints"?

I have seen multiple rootkits on a single system, but was not entirely sure that the box hadn't been rooted twice by two different attackers/methods. I've also seen a combo "trojaned binary and LKM" rootkit (I couldn't tell if the trojans were red herrings or training wheels for the LKM.)

The Honeynet Project Forensic Challenge also had a single rootkit that *looked* like multiple rootkits, because it was cobbled together from several different rootkits (in fact some replaced programs were so old they didn't work with the system's kernel, and the SSH daemon was trojaned and the attacker using it didn't even know he was installing a pre-owned service!)

The one thing you can say about a population as large as the attacker community is that no two attack(er)s are exactly the same. (Life would be boring if they were. ;)

--
Dave Dittrich
Computing & Communications                    dittrich () cac washington edu
University Computing Services                 http://staff.washington.edu/dittrich
University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
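The post describes two situations that look alike on a compromised host: one kit cobbled together from several older ones, and a box rooted twice by different people. Below is an added example (mine, not code from Dave Dittrich's message or from the Honeynet Project) of the kind of check a responder runs to start telling them apart: compare every binary against a known-good hash manifest, list what was replaced or dropped in, and group those files by modification time so that one installation session shows up as one cluster and two separate intrusions as two. Every path, hash and timestamp in the block is constructed sample data, and the `KNOWN_GOOD` / `OBSERVED` tables are assumed inputs that in real work would come from a package database or read-only media and from a hash run taken while booted from clean media.

```python
"""Integrity check plus install-time clustering for a suspected rootkit.

Added example, not code from the original post.  All paths, hashes and
mtimes are constructed; the manifest is hashed from placeholder bytes so
the script runs offline.  Caveats a responder keeps in mind: mtimes can
be forged, so a trusted timeline (ctime, filesystem journal) is better
evidence, and the hashes of the suspect host must be taken from clean
boot media because a trojaned ps/ls/kernel can lie to the live system.
"""
import hashlib
from datetime import datetime, timedelta


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a real file in chunks; used when building a manifest or scanning a host."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed known-good manifest: path -> sha256 of the vendor binary.
# (Placeholder bytes stand in for the real binaries.)
KNOWN_GOOD = {
    "/bin/ps": sha256_bytes(b"vendor ps"),
    "/bin/ls": sha256_bytes(b"vendor ls"),
    "/bin/netstat": sha256_bytes(b"vendor netstat"),
    "/usr/sbin/sshd": sha256_bytes(b"vendor sshd"),
    "/sbin/ifconfig": sha256_bytes(b"vendor ifconfig"),
}

# Constructed scan of the suspect host: path -> (sha256, mtime).
# Two user-land trojans and an unknown module share one night; sshd was
# replaced a day and a half later, which smells like a second visit.
OBSERVED = {
    "/bin/ps": (sha256_bytes(b"trojan ps"), datetime(2002, 3, 10, 2, 14)),
    "/bin/ls": (sha256_bytes(b"trojan ls"), datetime(2002, 3, 10, 2, 16)),
    "/bin/netstat": (KNOWN_GOOD["/bin/netstat"], datetime(2001, 6, 1, 12, 0)),
    "/usr/sbin/sshd": (sha256_bytes(b"trojan sshd"), datetime(2002, 3, 11, 23, 50)),
    "/sbin/ifconfig": (KNOWN_GOOD["/sbin/ifconfig"], datetime(2001, 6, 1, 12, 0)),
    "/usr/lib/.x/kmod.o": (sha256_bytes(b"lkm"), datetime(2002, 3, 10, 2, 20)),
}


def find_anomalies(manifest, observed):
    """Return (replaced, unexpected, missing).

    replaced   - manifest paths whose hash differs, as (path, mtime), oldest first
    unexpected - observed paths not in the manifest, as (path, mtime), oldest first
    missing    - manifest paths absent from the scan
    """
    replaced, unexpected = [], []
    for path, (digest, mtime) in observed.items():
        if path not in manifest:
            unexpected.append((path, mtime))
        elif manifest[path] != digest:
            replaced.append((path, mtime))
    missing = sorted(p for p in manifest if p not in observed)
    by_time = lambda e: e[1]
    return sorted(replaced, key=by_time), sorted(unexpected, key=by_time), missing


def cluster_by_time(entries, gap=timedelta(hours=6)):
    """Group (path, mtime) entries into sessions.

    Entries are ordered by mtime; a new cluster starts whenever the gap to
    the previous entry exceeds `gap`.  One kit dropped in one sitting tends
    to form a single cluster; a later, separate intrusion forms another.
    """
    clusters = []
    for entry in sorted(entries, key=lambda e: e[1]):
        if clusters and entry[1] - clusters[-1][-1][1] <= gap:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


def report(manifest=KNOWN_GOOD, observed=OBSERVED, gap=timedelta(hours=6)):
    """Summarise the scan as plain lists of paths for the analyst's notes."""
    replaced, unexpected, missing = find_anomalies(manifest, observed)
    clusters = cluster_by_time(replaced + unexpected, gap)
    return {
        "replaced": [p for p, _ in replaced],
        "unexpected": [p for p, _ in unexpected],
        "missing": missing,
        "clusters": [[p for p, _ in c] for c in clusters],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against the constructed data it reports three replaced binaries, one unexpected file, nothing missing, and two clusters: the ps/ls/kmod.o trio from one night and the sshd replacement on its own. Two clusters is not proof of two attackers (the same person can come back), but a single cluster of files whose contents are of wildly different vintage is exactly the "one kit assembled from several" pattern the post describes, and the clustering gives a responder a concrete place to start asking that question.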
Current thread:
- nouser - rootkit ? Dan Uscatu (Mar 10)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
- Re: nouser - rootkit ? Ryan Russell (Mar 11)
- Re: nouser - rootkit ? Konrad Rieck (Mar 11)
- Re: nouser - rootkit ? Bruce Ediger (Mar 12)
- Re: nouser - rootkit ? Kyle R Maxwell (Mar 12)
- Re: nouser - rootkit ? Jose Nazario (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? [:multiple root kit thread:] Dan Rohan (Mar 12)
- Re: nouser - rootkit ? Dave Dittrich (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? Brian Hatch (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
- <Possible follow-ups>
- Re: nouser - rootkit ? Bill_Royds (Mar 12)