Security Basics mailing list archives

Re: Keen to test out root kits


From: H Carvey <keydet89 () yahoo com>
Date: 19 Feb 2004 20:25:22 -0000

In-Reply-To: <009601c3f48c$daf58c70$6502010a () coenholdings ie>

Mike,

> There are tools available for many of these kits to discover their
> presence on a system and even break passwords etc. for the purpose of
> hijacking them from another cracker. A cracker's dream is to get one of
> these kits installed on a system and you are proposing to do that for
> them. Even if you took the security steps provided by these kits you
> cannot secure yourself from attack.

I think that perhaps you're confusing terminology here a bit.  Rootkits are generally used to hide the presence of the 
attacker on a system, and may not in and of themselves be (or provide) backdoors.  I'm speaking largely (though not 
completely) from a Windows perspective, here.  A _backdoor_ will generally open a port or even have some way of 
contacting the attacker to let him know that it's online (a la an IRCBot, etc).  And yes, a rootkit can hide the 
presence of a backdoor.

> In short, the answer is unless you are installing them on a test system
> which is isolated from any other network with no critical information,
> and you can wipe and reformat the system, you would be mad to try.


If you know what you're doing, there is no need whatsoever to do any of this.  I fully agree w/ your warning about 
production systems, but perhaps anyone foolish enough to do so deserves what happens.

On Windows systems, install InControl5, and run the first phase of a two-phase scan.  Install your rootkit (Vanquish, 
AFX Rootkit 2003, HackerDefender, etc).  Then reboot your (2K, XP) system into Safe Mode and run the second phase of 
InCtrl5.  This will let you know what you need to remove.  

AFX is easy.  The DLL injection-type user mode rootkits are easy, for the most part...they only seem so b/c they're 
called "rootkits".   
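The two-phase procedure in the reply (baseline scan, install, rescan, compare) is what InCtrl5 automates. Below is an added illustration of the same idea, written for this archive page and not code from the original post or from InCtrl5: it records a directory tree's file sizes and SHA-256 hashes before and after a change and reports what was added, removed or modified. It only covers the filesystem (InCtrl5 also tracks registry and INI changes), and the directory layout, file names and contents in `demo()` are constructed sample input.

```python
"""Two-phase filesystem snapshot and comparison.

Added example (not InCtrl5, not code from the original post). Phase one
records a baseline; phase two records the tree again after an install;
diff_snapshots() reports what changed. The demo tree is constructed.
"""

import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file (path relative to root, POSIX style) to (size, sha256)."""
    root = Path(root)
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            data = p.read_bytes()
            key = p.relative_to(root).as_posix()
            state[key] = (len(data), hashlib.sha256(data).hexdigest())
    return state


def diff_snapshots(before, after):
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline, a simulated install, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.dll").write_bytes(b"original bytes")
        (root / "system32" / "user.dll").write_bytes(b"unchanged bytes")
        (root / "temp.log").write_bytes(b"to be deleted")

        phase_one = snapshot(root)  # phase one: baseline before the install

        # Simulated install (constructed): one new file, one patched file,
        # one file removed. Names are placeholders, not real components.
        (root / "system32" / "hook.dll").write_bytes(b"new dll bytes")
        (root / "system32" / "kernel.dll").write_bytes(b"PATCHED bytes")
        (root / "temp.log").unlink()

        phase_two = snapshot(root)  # phase two: rescan after the install
        return diff_snapshots(phase_one, phase_two)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The reason the reply has you take the second snapshot from Safe Mode is visible in `snapshot()`: it trusts whatever `os.walk` and `read_bytes` return, so a user-mode rootkit that is active and filtering directory listings or file reads would hide its own changes from the comparison. Booting without the hooks loaded is what makes the second phase trustworthy.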
