Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: Wyman Miles <wm63 () CORNELL EDU>
Date: Tue, 27 Jun 2006 10:04:30 -0400

> > Our requirement is to build a "toolkit" for our technicians
> > to be able to scan and detect on each server in our environment.
>
> The biggest problem you may have will be that *all* rootkit
> detectors almost by definition have to be stand-alone booting.
>
> This doesn't scale too well to an enterprise, if you have to
> implement it by someone going machine to machine.
>
> My suggestion then would be to come up with a bootstrap mechanism
> (such as a netboot) which first booted the rootkit detector, which
> would run on every boot, which when finished would then invoke
> the 'normal' bootstrap for the operating system itself, whichever
> one that happened to be.

I fixed up the netboot stuff in our re-package of Helix 1.7 to do this.
Well, strictly, it was to run spider remotely on a pile of machines.  We
threw Clamscan and BitDefender in the bargain, though, which makes
essentially what you describe.

The systems PXE boot, do their stuff from Helix.  It does require that the
clients be manually rebooted the following morning, as there's a
chicken-and-egg problem in the process.


> I'm none too clear on how one might do this, but I'd guess that
> maybe netbooting for the first bootstrap might be involved..
>
>
> Graham
> PS Rootkitrevealer is the only one I know of that is even likely
> to work from within windows itself, if we can't come up with a
> clever chained bootstrap trick.



Wyman Miles
Senior Security Engineer
Cornell University
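One way to build the chained bootstrap Graham describes, and to remove the manual reboot Wyman mentions, is to let the PXE server rather than the client decide what each host boots next. The script below is an added example written for this archive page; it is not code from Wyman, Graham, Helix or Cornell. It assumes pxelinux (syslinux) as the PXE loader, a TFTP root under /var/lib/tftpboot, placeholder kernel/initrd names for the scanner image, and a hypothetical report URL that the scanner image receives on its kernel command line. Each host gets a per-MAC pxelinux.cfg file: first a "scan" entry that boots the scanner image, then, once the image reports a clean scan, a "local" entry with LOCALBOOT 0 so the next boot falls through to the installed operating system. A host that reports an infection or never reports stays on the scan entry instead of being handed back to a possibly compromised OS.

```shell
#!/bin/sh
# Per-host PXE phase control: scan first, then boot locally.
# Added example, not from the original thread. Paths, image names and the
# report URL below are assumptions, not a documented Helix feature.
set -eu

TFTP_ROOT="${TFTP_ROOT:-/var/lib/tftpboot}"             # assumed TFTP root
SCAN_KERNEL="helix/vmlinuz"                               # assumed scanner kernel
SCAN_INITRD="helix/initrd.gz"                             # assumed scanner initrd
REPORT_URL="${REPORT_URL:-http://pxe.example.edu/report}" # hypothetical hook

# pxelinux looks for pxelinux.cfg/01-<mac, lowercase, dashes> before falling
# back to pxelinux.cfg/default, so a per-host file steers one machine at a time.
pxe_cfg_name() {
    printf '01-%s\n' "$(printf '%s' "$1" | tr 'ABCDEF:' 'abcdef-')"
}

# Phase 1: the next PXE boot loads the scanner image. The report= parameter is
# an assumed convention read by client_scan below from /proc/cmdline.
write_scan_cfg() { # $1 = MAC address
    mkdir -p "$TFTP_ROOT/pxelinux.cfg"
    cat > "$TFTP_ROOT/pxelinux.cfg/$(pxe_cfg_name "$1")" <<EOF
DEFAULT scan
PROMPT 0
TIMEOUT 0
LABEL scan
  KERNEL $SCAN_KERNEL
  APPEND initrd=$SCAN_INITRD report=$REPORT_URL
EOF
}

# Phase 2: hand the next boot to the local disk (the "normal" bootstrap).
write_localboot_cfg() { # $1 = MAC address
    mkdir -p "$TFTP_ROOT/pxelinux.cfg"
    cat > "$TFTP_ROOT/pxelinux.cfg/$(pxe_cfg_name "$1")" <<EOF
DEFAULT local
PROMPT 0
TIMEOUT 0
LABEL local
  LOCALBOOT 0
EOF
}

# Called by the report hook with the MAC and the scan result. Only a clean
# scan releases the host; "infected", "failed" or no report at all leaves the
# scan entry in place, so the host is rescanned rather than silently skipped.
mark_scanned() { # $1 = MAC, $2 = status (clean|infected|failed)
    case "$2" in
        clean) write_localboot_cfg "$1" ;;
        *)     write_scan_cfg "$1" ;;
    esac
}

# Report which phase a host is in: "scan", "local", or "default" (no per-host file).
boot_phase() { # $1 = MAC address
    f="$TFTP_ROOT/pxelinux.cfg/$(pxe_cfg_name "$1")"
    [ -f "$f" ] || { echo default; return 0; }
    sed -n 's/^DEFAULT //p' "$f"
}

# Client side: runs inside the netbooted scanner image (assumes clamscan and
# wget are present, eth0 is the PXE NIC, and fixed disks appear as /dev/sd*).
# Mounts every partition read-only, scans it, reports, then reboots; the server
# has already decided whether that reboot lands on the scanner or the local OS.
client_scan() {
    report=$(sed -n 's/.*report=\([^ ]*\).*/\1/p' /proc/cmdline)
    mac=$(cat /sys/class/net/eth0/address)
    status=clean
    for dev in /dev/sd[a-z][0-9]*; do
        mnt="/mnt/scan$(basename "$dev")"
        mkdir -p "$mnt"
        mount -o ro "$dev" "$mnt" 2>/dev/null || continue
        rc=0
        clamscan -r --infected --log=/tmp/clamscan.log "$mnt" || rc=$?
        case "$rc" in
            1) status=infected ;;   # clamscan: 1 = virus found
            2) status=failed ;;     # clamscan: 2 = error
        esac
        umount "$mnt"
    done
    wget -q -O /dev/null --post-data="mac=$mac&status=$status" "$report" || true
    reboot
}

# Server-side CLI: pxe-phase.sh scan <mac> | report <mac> <status> | show <mac>
case "${1:-}" in
    scan)   write_scan_cfg "$2" ;;
    report) mark_scanned "$2" "$3" ;;
    show)   boot_phase "$2" ;;
esac
```

The report hook is whatever receives the client's POST (a CGI, a syslog trigger, even a cron job reading a log) and calls `pxe-phase.sh report <mac> <status>`; to put a host back into the scanning rotation on the next reboot, run `pxe-phase.sh scan <mac>` again. Because the decision lives on the PXE server, the machine can keep PXE first in its boot order permanently and still come up on its own disk the morning after a clean scan.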
