Security Basics mailing list archives

RE: rootkit behavior

From: "Andrew Blair" <Andrew.Blair () genmills com>
Date: Thu, 27 Jul 2006 13:24:29 -0500

Yes. The same as you can install applications and run executables from
any drive or media. 

Most of the rootkits hijack system calls that ask what processes are
running or files are in a directory, and remove themselves from the
results. If it lived on the d: drive, it would just remove itself from
d:\<%path%>\ instead of c:\<%path%>\.

Reformatting c: wouldn't remove the code from the d: drive, but to be
persistent the rootkit has to start somehow, and reformatting c: would
remove whatever hooks it had in the startup sequence.

Of course if the code was re-executed from d: somehow you would be right
back where you started from, but after re-installing the OS the rootkit
should not execute on its own.

AB
 

-----Original Message-----
From: rainmann () sbcglobal net [mailto:rainmann () sbcglobal net] 
Sent: Tuesday, July 25, 2006 11:11 PM
To: security-basics () securityfocus com
Subject: rootkit behavior

Can a rootkit hide on a seperate physical disk from the operating
system? In other words, if WINNT is on c:\ can the rootkit live on
physically seperate data drives e:\ and f:\?


I have a client who wants his c:\ drive reformatted and reloaded to
insure that no rogue program remains.  I haven't been able to give him a
definitive answer concerning his extensive data drives.


Also, does anyone know of any useful detection tools other than RootKit
Revealer and Blacklight? I saw the post the other day about Helios but
read that 1) it requires the .Net framework (ouch!) and 2) doesn't work
for Win2K.


Any advice here would be greatly appreciated. 

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

rootkit behavior rainmann (Jul 27)
- RE: rootkit behavior Andrew Blair (Jul 28)
- RE: rootkit behavior dave kleiman (Jul 28)
- <Possible follow-ups>
- Re: rootkit behavior shyaam (Jul 27)
- RE: rootkit behavior Beauford, Jason (Jul 28)