Dailydave mailing list archives

Re: Two thoughts for the day:


From: Dave Aitel <dave () immunityinc com>
Date: Mon, 28 Apr 2008 11:38:16 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There's no paper out right now, although I am writing a generalized 
overview of all the trojans in CANVAS today. Essentially the kernel 
rootkit is very simple - it sits underneath the network layer polling 
for trigger packets (UDP) which then can contain a command to tell it to 
send a MOSDEF connection to a listening post. Also it can hide network 
connections (ioctl-based command-set).

There's a lot more to do, of course, but the innovation in the CANVAS 
trojan set is not in specialized hooking techniques or new feature sets, 
but more in how the whole package integrates. You'll want to be able to 
send messages over your internal RootkitBus via your HTTP-MOSDEF 
callback, etc. As we integrate Immunity Debugger into CANVAS you'll see 
lots of "specialized hook for X app" stuff come through. Trojans are 
important and I've always felt that penetration testing kits leave them 
a bit behind. We'll fix that. :>

You can always buy CANVAS Early Updates and test it for yourself. :>

Of course, it breaks the CANVAS license for AV vendors to write 
signatures for CANVAS, so there won't be any "CANVAS Rootkit" 
signatures, although we do get picked up by generic signatures for 
things sometimes.

- -dave



|
| Is there a technical paper about your Kernel Rootkit available somewhere?
|
| joanna.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIFe9otehAhL0gheoRArJqAJ0Rmpg83GFNYhxrGPGVabR3b4M8wQCfTP4q
5NfeNg69CFxJJeP0O4/NI0g=
=lvSZ
-----END PGP SIGNATURE-----
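The post describes a kernel rootkit that sits below the network layer waiting for UDP trigger packets and can hide network connections from the host. The usual defensive response to a hidden connection is a cross-view check: compare what the host reports about itself with what an independent vantage point (a network tap, flow collector or firewall log) saw. The script below is an added example written for this archive page; it is not CANVAS, MOSDEF or Immunity code and does not know the real trigger format. It parses a constructed /proc/net/udp dump (the host's own view, which a kernel rootkit can filter) and a constructed list of datagrams from a tap, and reports local UDP endpoints that received traffic but that the host does not list. The port 31337 and the addresses are placeholders chosen for the sample data.

```python
"""Cross-view check for UDP endpoints the host does not admit to.

Added example, not Immunity/CANVAS code. The host's socket table
(/proc/net/udp) is compared with datagrams observed off-host; any local
(ip, port) that exchanged traffic on the wire without appearing in the
host view is reported. That catches both a socket hidden by a rootkit
and a below-the-stack listener that never had a socket at all.
"""
import socket
import struct

# Constructed /proc/net/udp dump: a DHCP client on 0.0.0.0:68 (0x44) and a
# resolver on 127.0.0.1:53 (0x35). Real files have this header and format.
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  19: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18234 2 0000000000000000 0
  42: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18301 2 0000000000000000 0
"""

# Constructed tap records: (src_ip, src_port, dst_ip, dst_port).
# The first datagram is the one we want flagged; the others are DHCP.
WIRE_VIEW = [
    ("198.51.100.7", 40000, "10.0.0.5", 31337),
    ("10.0.0.5", 68, "10.0.0.1", 67),
    ("10.0.0.1", 67, "10.0.0.5", 68),
]

# Addresses belonging to the monitored host (assumed for the sample).
HOST_IPS = {"10.0.0.5", "127.0.0.1"}


def parse_proc_addr(hexaddr: str) -> tuple[str, int]:
    """Decode a /proc/net/udp IPv4 'ADDR:PORT' field.

    The address is a little-endian 32-bit hex value, the port big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_udp(text: str) -> set[tuple[str, int]]:
    """Return the set of local (ip, port) pairs listed in a /proc/net/udp dump."""
    sockets = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 3:
            continue
        sockets.add(parse_proc_addr(fields[1]))
    return sockets


def hidden_endpoints(host_view, wire_view, host_ips):
    """Local UDP endpoints seen on the wire that the host view does not list."""
    seen_local = set()
    for src_ip, src_port, dst_ip, dst_port in wire_view:
        if dst_ip in host_ips:
            seen_local.add((dst_ip, dst_port))
        if src_ip in host_ips:
            seen_local.add((src_ip, src_port))
    # A socket bound to 0.0.0.0 serves every local address, so expand it
    # before comparing, otherwise ordinary services would be false positives.
    listed = set()
    for ip, port in host_view:
        if ip == "0.0.0.0":
            listed.update((h, port) for h in host_ips)
        else:
            listed.add((ip, port))
    return sorted(seen_local - listed)


def run_check():
    """Run the cross-view comparison over the constructed sample data."""
    return hidden_endpoints(parse_proc_net_udp(PROC_NET_UDP), WIRE_VIEW, HOST_IPS)


if __name__ == "__main__":
    for ip, port in run_check():
        print(f"traffic to {ip}:{port} but host lists no such UDP endpoint")
```

Against the sample data the only finding is 10.0.0.5:31337, the datagram the host has no listener for. In practice the wire view comes from a tap or flow export rather than a list literal, and the host view should be collected by an agent or over a live-response channel; the comparison itself is the part a kernel rootkit cannot influence, because it runs on data the rootkit never touched.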

