Dailydave mailing list archives
RE: Britney and Kevin are Chaotic
From: "El Nahual" <nahual () g-con org>
Date: Fri, 27 May 2005 12:02:31 -0500
As soon as the attacker tries to execute the BDs, a problem arises: se46 is right on the kernel, pull it down and the kernel goes with it, so no binaries can actually run at all without the signature (a SHA-1 signature with revocation on line).

I know that if you probably get stuck with, let's say, syscall proxy, hey, it doesn't touch the HD, CIS can't stop it; as soon as you DL shit you have a problem since you have to exec(). No exec for unsigned binaries: you would have to patch a memory segment and have it run by a jmp (we check threads too).

Windows policies restrictions do it by binary and path, we do it by changes, so if you patch a DLL, the DLL becomes unusable, and if it's ring0 your puter is going down or at least you get an email...

What ya think? Works or we missing something?

//Nahual

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On behalf of joanna
Sent: Friday, May 27, 2005 2:16 AM
To: dailydave
Subject: Re: [Dailydave] Britney and Kevin are Chaotic

El Nahual wrote:
> Fastly and stupidly saying, there is a nice solution to stop all malware
> and virus and bds, sign your shit and get anal on getting it to work, you
> can check out the stuff on www.se46.se we are coding the unix version of it
> (so I wont get that tramped once it gets known)

attacker exploits some bug in the legitimate (certified) system process; the shellcode downloads and installs rootkit in the system; the rootkit makes traditional HIDSes, like Tripwire and probably your se46 (idea seems quite similar to thing called "Windows Software Restriction Policies" btw), completely blind to what is happening in the system...

what I would like to stress is that file system integrity is just the very beginning of host-based IDS. even if desktop computers are concerned.

joanna.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave