RE: rootkit behavior

["Beauford, Jason" <jbeauford () EightInOnePet com>]

rainmann () sbcglobal net wrote:
> Can a rootkit hide on a seperate physical disk from the operating
> system? In other words, if WINNT is on c:\ can the rootkit live on
> physically seperate data drives e:\ and f:\?  
>
>
> I have a client who wants his c:\ drive reformatted and reloaded to
> insure that no rogue program remains.  I haven't been able to give
> him a definitive answer concerning his extensive data drives.  
>
>
> Also, does anyone know of any useful detection tools other than
> RootKit Revealer and Blacklight? I saw the post the other day about
> Helios but read that 1) it requires the .Net framework (ouch!) and 2)
> doesn't work for Win2K.   
>
>
> Any advice here would be greatly appreciated.

A very simple (somewhat time consuming however) rootkit detection is by
using built in commands from within the OS in conjunction with a BartPE
boot disk built from a secure source; meaning that the box it is
configured from is verifiably free of any kind of infection or
contamination.

Check it out:  http://research.microsoft.com/rootkit/

JMB

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------