IDS mailing list archives
RE: rootkit and trojan hunting
From: "oherrera" <oherrera () prodigy net mx>
Date: Wed, 26 Mar 2008 20:36:36 -0600
Take a look at NIST's NSRL Project: http://www.nsrl.nist.gov/. They have been doing this for several years now. However, observe the size of the database; the whitelisting approach is not efficient for what you want to achieve if you intend to provide a general solution (i.e. something to be useful out-of-the-box for different users and environments).

Another approach being promoted by Microsoft and others is the use of digital signatures in drivers and executables: http://www.microsoft.com/whdc/winlogo/drvsign/kmsigning.mspx. Personally, I think it is much better, but you need support from developers, and many companies don't digitally sign their software.

My suggestion: let your software digitally sign every approved executable and driver to create a baseline, and check digital signatures before execution; if it's not signed, then don't allow it to run (actually it gets more complicated with processes and executables calling each other, but you get the idea). In each company the whitelist would be relatively small and manageable.

Note that this approach would work well within companies with a well-defined software change control management and certification process. It is not something that individual users will find useful for their computers unless they have a certain IT/security background and know what they are doing; otherwise you know what happens: Ok->ok->next->next. Whitelisting requires intervention by someone who knows what to do; that's the reason we still rely on blacklisting approaches in these cases, and I don't believe there's much we can do about it.

Handling updates is something that I haven't seen being done properly. Usually, you send a patch and then need to update your whitelist database with signatures of the resulting executable. Doing this is messy with most products I've seen so far. In theory, your software could recognize a digitally signed update, detect changes and locally sign the resulting executables, which you would then trust, since you trust the update.

Hope this helps,

Omar Herrera

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Return C
Sent: Wednesday, March 26, 2008 12:06 a.m.
To: focus-ids () securityfocus com
Subject: rootkit and trojan hunting

All,

I am developing a small host integrity scanner / checker, to hunt rootkits and trojans. Of course, I need to add more methods / techniques to detect. I am currently hashing out important files like the kernel, the /boot dir and System.map files. Is there any other possible way to code it better? Any other suggestion would be really helpful in my coding.

return C;

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
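The scheme Omar describes above, a locally signed baseline checked before execution with updates accepted only when vendor-signed and then re-signed locally, as an added example that is not part of the thread. It assumes HMAC-SHA256 with two constructed keys in place of real digital signatures, and every function name here is my own.

```python
import hashlib, hmac, os, secrets, tempfile

# Constructed keys: LOCAL_KEY stands in for the organisation's own signing key,
# VENDOR_KEY for a software vendor's key. HMAC-SHA256 over the file hash plays
# the role of a digital signature so the example runs with the standard library.
LOCAL_KEY = secrets.token_bytes(32)
VENDOR_KEY = secrets.token_bytes(32)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).digest()

def sign(key, digest):
    return hmac.new(key, digest, hashlib.sha256).digest()

def build_baseline(paths):
    """Approve the given executables by signing their hashes with the local key."""
    return {p: sign(LOCAL_KEY, sha256_file(p)) for p in paths}

def allowed_to_run(path, baseline):
    """Check before execution: unknown or modified files are refused."""
    expected = baseline.get(path)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sign(LOCAL_KEY, sha256_file(path)))

def apply_update(path, new_content, vendor_sig, baseline):
    """Install an update only if the vendor's signature checks out, then re-sign locally."""
    if not hmac.compare_digest(vendor_sig, sign(VENDOR_KEY, hashlib.sha256(new_content).digest())):
        return False
    with open(path, "wb") as f:
        f.write(new_content)
    baseline[path] = sign(LOCAL_KEY, sha256_file(path))
    return True

def demo():
    """Walk through baseline, tampering, a forged update and a genuine update."""
    exe = os.path.join(tempfile.mkdtemp(), "tool.bin")  # constructed sample executable
    with open(exe, "wb") as f:
        f.write(b"release 1 binary")
    baseline = build_baseline([exe])
    ok_before = allowed_to_run(exe, baseline)
    with open(exe, "wb") as f:  # unsigned modification, e.g. a trojaned binary
        f.write(b"modified binary")
    ok_tampered = allowed_to_run(exe, baseline)
    update = b"release 2 binary"
    ok_forged = apply_update(exe, update, b"\x00" * 32, baseline)
    ok_genuine = apply_update(exe, update, sign(VENDOR_KEY, hashlib.sha256(update).digest()), baseline)
    return ok_before, ok_tampered, ok_forged, ok_genuine, allowed_to_run(exe, baseline)
```

The tampered binary is refused, the forged update is rejected without touching the file, and the genuine update is installed and trusted again after local re-signing.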
Current thread:
- rootkit and trojan hunting Return C (Mar 26)
- Re: rootkit and trojan hunting "Zow" Terry Brugger (Mar 26)
- Re: rootkit and trojan hunting Jeff D (Mar 26)
- Re: rootkit and trojan hunting Nuno Treez (Mar 28)
- Re: rootkit and trojan hunting "Zow" Terry Brugger (Mar 28)
- Re: rootkit and trojan hunting Return C (Mar 28)
- Re: rootkit and trojan hunting "Zow" Terry Brugger (Mar 28)
- Re: rootkit and trojan hunting "Zow" Terry Brugger (Mar 26)