Security Basics mailing list archives
RE: rootkit behavior
From: "Andrew Blair" <Andrew.Blair () genmills com>
Date: Thu, 27 Jul 2006 13:24:29 -0500
Yes. The same as you can install applications and run executables from any drive or media. Most of the rootkits hijack system calls that ask what processes are running or files are in a directory, and remove themselves from the results. If it lived on the d: drive, it would just remove itself from d:\<%path%>\ instead of c:\<%path%>\. Reformatting c: wouldn't remove the code from the d: drive, but to be persistent the rootkit has to start somehow, and reformatting c: would remove whatever hooks it had in the startup sequence. Of course if the code was re-executed from d: somehow you would be right back where you started from, but after re-installing the OS the rootkit should not execute on its own. AB -----Original Message----- From: rainmann () sbcglobal net [mailto:rainmann () sbcglobal net] Sent: Tuesday, July 25, 2006 11:11 PM To: security-basics () securityfocus com Subject: rootkit behavior Can a rootkit hide on a seperate physical disk from the operating system? In other words, if WINNT is on c:\ can the rootkit live on physically seperate data drives e:\ and f:\? I have a client who wants his c:\ drive reformatted and reloaded to insure that no rogue program remains. I haven't been able to give him a definitive answer concerning his extensive data drives. Also, does anyone know of any useful detection tools other than RootKit Revealer and Blacklight? I saw the post the other day about Helios but read that 1) it requires the .Net framework (ouch!) and 2) doesn't work for Win2K. Any advice here would be greatly appreciated. ------------------------------------------------------------------------ --- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- rootkit behavior rainmann (Jul 27)
- RE: rootkit behavior Andrew Blair (Jul 28)
- RE: rootkit behavior dave kleiman (Jul 28)
- <Possible follow-ups>
- Re: rootkit behavior shyaam (Jul 27)
- RE: rootkit behavior Beauford, Jason (Jul 28)