Security Incidents mailing list archives
Re: NKADM rootkit - Something new?
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 2 Jun 2004 08:19:44 -0700 (PDT)
Valdis,
> Note that loading statically linked binaries from a CD, but doing so under control of a possibly compromised operating system, is still unsafe. You really need to boot a known-trusted kernel as well (as far as I know, nobody is currently hacking the boot/BIOS ROMs to backdoor the boot process, but even THAT can be suspect... ;)
A couple of comments... First, booting to a known good kernel destroys the extremely valuable volatile data available on a live system. Let's say that you suspect that a Trojan/backdoor is running. If you boot to any of the available distros to do your forensics, you may find the backdoor files with last access times, but you won't know things like: was the backdoor running at the time you shut the system down, and was anyone connected to it?

Also, one thing to keep in mind is that it's very easy to keep saying things like "the boot process could be backdoored" and "MAC times on files could have been altered", but at some point your paranoia overwhelms your ability to do anything. With all of the things that *could* happen, what is the point of doing forensics at all?
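A worked example of the volatile data being argued over, added here and not part of the thread or of anything the participants posted: the two questions "was the backdoor running when the box went down?" and "was anyone connected to it?" are answered on a live Linux host by the kernel's socket table, which is gone after a reboot. Rather than trust a netstat binary that a rootkit may have replaced, the script reads /proc/net/tcp itself (run it from statically linked, read-only media, with the caveat from the quoted reply that a trojaned kernel can still lie) and maps a socket inode back to the PID holding it. The SAMPLE snapshot, the 10.0.2.x/192.0.2.x addresses and the port 31337 "backdoor" are constructed for illustration and are not from the NKADM case.

```python
"""Answer "was anyone connected to the backdoor?" from the kernel socket table.

Added example, not code from the thread: instead of trusting the netstat binary
on a host that may be rootkitted, read /proc/net/tcp directly (e.g. with a
statically linked python from read-only media) before the box is powered off.
SAMPLE below is a constructed /proc/net/tcp snapshot, not real data.
"""
import os
import socket
import struct
import sys

# TCP state codes as the kernel prints them (include/net/tcp_states.h)
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Constructed snapshot (little-endian host): sshd on 22 with one session, and
# a hypothetical backdoor listening on 31337 with one established peer.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10231 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20447 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:7A69 2C0200C0:C0A1 01 00000000:00000000 00:00000000 00000000     0        0 20448 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:0016 0102000A:D2F4 01 00000000:00000000 00:00000000 00000000     0        0 10232 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr, byteorder=sys.byteorder):
    """'0100007F:1F90' -> ('127.0.0.1', 8080).

    The kernel prints the IPv4 address as a 32-bit integer in host byte order,
    so the hex string must be unpacked with the host's endianness.
    """
    ip_hex, port_hex = hexaddr.split(":")
    fmt = "<I" if byteorder == "little" else ">I"
    ip = socket.inet_ntoa(struct.pack(fmt, int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text, byteorder=sys.byteorder):
    """Parse the text of /proc/net/tcp into a list of socket dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # skip the header row and blank lines; data rows start with "N:"
        if len(parts) < 10 or not parts[0].rstrip(":").isdigit():
            continue
        entries.append({
            "local": decode_addr(parts[1], byteorder),
            "remote": decode_addr(parts[2], byteorder),
            "state": TCP_STATES.get(int(parts[3], 16), "UNKNOWN"),
            "uid": int(parts[7]),
            "inode": int(parts[9]),
        })
    return entries


def connections_to_port(entries, port):
    """Is anything listening on `port`, and which peers have a session to it?"""
    listening = any(e["state"] == "LISTEN" and e["local"][1] == port
                    for e in entries)
    peers = [e["remote"] for e in entries
             if e["state"] == "ESTABLISHED" and e["local"][1] == port]
    return {"listening": listening, "peers": peers}


def inode_to_pids(inode, proc="/proc"):
    """Map a socket inode to the PIDs holding it open, by walking /proc/<pid>/fd.

    Returns [] when nothing holds it or `proc` is unreadable (e.g. off-box).
    """
    target = "socket:[%d]" % inode
    pids = []
    try:
        names = os.listdir(proc)
    except OSError:
        return pids
    for name in names:
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(name))
                    break
        except OSError:
            continue  # process exited, or not ours to read
    return pids


if __name__ == "__main__":
    # On a live host: open("/proc/net/tcp").read() instead of SAMPLE.
    socks = parse_proc_net_tcp(SAMPLE, byteorder="little")
    for port in (22, 31337):
        print(port, connections_to_port(socks, port))
```

On a live box the established peer (192.0.2.44 in the constructed snapshot) and the owning PID from inode_to_pids are exactly the facts that no amount of post-mortem disk analysis from a clean boot CD can recover; they only exist while the compromised kernel is still running. Capture this (plus /proc/net/udp, the process list from /proc/<pid>/cmdline and exe links) to external media before pulling the plug, then do the disk work from the trusted kernel.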
Current thread:
- Re: NKADM rootkit - Something new? Ansgar -59cobalt- Wiechers (Jun 01)
- RE: NKADM rootkit - Something new? Dave Paris (Jun 01)
- Re: NKADM rootkit - Something new? Valdis . Kletnieks (Jun 01)
- Re: NKADM rootkit - Something new? Harlan Carvey (Jun 02)
- Re: NKADM rootkit - Something new? Valdis . Kletnieks (Jun 01)
- <Possible follow-ups>
- Re: NKADM rootkit - Something new? Harlan Carvey (Jun 01)
- Re: NKADM rootkit - Something new? Gadi Evron (Jun 01)
- RE: NKADM rootkit - Something new? Lachniet, Mark (Jun 01)
- RE: NKADM rootkit - Something new? Levinson, Karl (Jun 01)
- Re: NKADM rootkit - Something new? 'Ansgar -59cobalt- Wiechers' (Jun 01)
- Re: NKADM rootkit - Something new? Harlan Carvey (Jun 02)
- Dead Thread: Re: NKADM rootkit - Something new? Daniel Hanson (Jun 02)
- Incident investigation methodologies Harlan Carvey (Jun 02)
- Re: Incident investigation methodologies Gadi Evron (Jun 02)
- Re: Incident investigation methodologies Harlan Carvey (Jun 03)
- Re: NKADM rootkit - Something new? 'Ansgar -59cobalt- Wiechers' (Jun 01)
- RE: NKADM rootkit - Something new? Dave Paris (Jun 01)