Security Incidents mailing list archives

Re: nouser - rootkit ?


From: Dave Dittrich <dittrich () cac washington edu>
Date: Mon, 11 Mar 2002 23:33:39 -0800 (PST)

I wonder if there are really attackers out there installing bogus rootkits
in order to protect the real ones. Has anybody on this list detected this
kind of "feint"?

I have seen multiple rootkits on a single system, but was not entirely
sure that the box hadn't been rooted twice by two different
attackers/methods. I've also seen a combo "trojaned binary and LKM"
rootkit (I couldn't tell if the trojans were red herrings or training
wheels for the LKM.)

The Honeynet Project Forensic Challenge also had a single rootkit that
*looked* like multiple rootkits, because it was cobbled together from
several different rootkits (in fact some replaced programs were so old
they didn't work with the system's kernel, and the SSH daemon was
trojaned and the attacker using it didn't even know he was installing
a pre-owned service!)

The one thing you can say about a population as large as the attacker
community is that no two attack(er)s are exactly the same. (Life would
be boring if they were. ;)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


