Dailydave mailing list archives

Re: fragging with rootkit detectors?


From: Mark <mark () vulndev org>
Date: Mon, 20 Jun 2005 07:43:43 +0100 (BST)


<top_post>

Morning all,
(yeah ok so not morning everywhere but I can live with being
wrong for 12 hours out of 24, that's pretty normal).

I hasten to add that this is a general rambling so if you're bored by this
point just close the email, log off (I said log!) and get on with the rest
of your day....

I would be very surprised if CSA or other similar
products (everyone knows I'm vendor neutral in my general sarcasm)
are not detected by a product which is doing its job correctly with a
thought towards rootkit detection, this includes insertion points,
helping show where the int overflows or other such things may be etc..

Did I say that?

Of course maybe there will be a Pd project (wow, the power of linking
threads!!!) which will allow rootkit
detectors to only detect rootkits which are not on a "preference" list?

hmm.. encrypted rootkit channels..

Oh yes, it's been done.

anyway, feel better for that little ramble extract from it what you will,

Time for coffee,

M

</top_post>

On Sun, 19 Jun 2005, Rodney Thayer wrote:

Do you think these rootkit detectors would have any efficacy in
detecting policy enforcement packages?   Is there something
out there that can detect the insertion points of oh, say, CSA?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave


--
                VulnDev[.]org
"Paranoia, keeping us clothed and fed since _init();"
