IDS mailing list archives

RE: rootkit and trojan hunting


From: "oherrera" <oherrera () prodigy net mx>
Date: Wed, 26 Mar 2008 20:36:36 -0600

Take a look at NIST's NSRL Project: http://www.nsrl.nist.gov/. They have
been doing this for several years now. 

However, observe the size of the database; the whitelisting approach is not
efficient for what you want to achieve if you intend to provide a general
solution (i.e. something useful out-of-the-box for different users and
environments).

Another approach being promoted by Microsoft and others is the use of
digital signatures in drivers and executables:
http://www.microsoft.com/whdc/winlogo/drvsign/kmsigning.mspx. Personally, I
think it is much better, but you need support from developers and many
companies don't digitally sign their software.

My suggestion: let your software digitally sign every approved executable
and driver to create a baseline, and check digital signatures before
execution; if it's not signed, then don't allow it to run (actually it gets
more complicated with processes and executables calling each other, but you
get the idea). In each company the whitelist would be relatively small and
manageable.

Note that this approach would work well within companies with a well-defined
software change control management and certification process; it is not
something that individual users will find useful for their computers unless
they have a certain IT/security background and know what they are doing.
Otherwise you know what happens: Ok->ok->next->next. Whitelisting requires
intervention by someone who knows what to do; that's the reason we still
rely on blacklisting approaches in these cases, and I don't believe there's
much we can do about it.

Handling updates is something that I haven't seen done properly.
Usually, you send a patch and then need to update your whitelist database
with signatures of the resulting executable. Doing this is messy with most
products I've seen so far. In theory, your software could recognize a
digitally signed update, detect the changes and locally sign the resulting
executables, which you would then trust, since you trust the update.

Hope this helps,

Omar Herrera
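The following is an added example, not code from this list post or from either poster, of the signed-baseline idea described above: hash every approved file (here a constructed /boot tree with a kernel image and System.map), sign the baseline locally so that the baseline itself cannot be quietly edited, report drift on every check, and accept a new file version only when a trusted update manifest vouches for it, after which the merged baseline is re-signed locally. HMAC-SHA256 with two constructed keys (a machine-local key and a "vendor" key) stands in for real digital signatures; all file contents and names are constructed for the demonstration.

```python
"""Signed-baseline host integrity check (added example, stdlib only).
HMAC-SHA256 is an assumption standing in for a real signature scheme."""
import hashlib
import hmac
import json
import os
import tempfile

LOCAL_KEY = b"constructed-local-baseline-key"   # assumption: machine-local secret
VENDOR_KEY = b"constructed-vendor-update-key"   # assumption: trusted update signer


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large kernels do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every regular (non-symlink) file under root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            full = os.path.join(dirpath, n)
            if os.path.isfile(full) and not os.path.islink(full):
                digests[os.path.relpath(full, root)] = file_sha256(full)
    return digests


def _canonical(digests):
    # Deterministic encoding so the MAC covers exactly the same bytes on verify.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(digests, key):
    """Attach a MAC to a path->digest map (the 'local signature' of the baseline)."""
    return {"files": digests, "mac": hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()}


def verify_manifest(manifest, key):
    """Constant-time check that the manifest was signed with this key and not edited."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def check(root, baseline):
    """Return (modified, added, missing) paths relative to a verified baseline."""
    if not verify_manifest(baseline, LOCAL_KEY):
        raise ValueError("baseline signature invalid: refuse to trust it")
    current = hash_tree(root)
    expected = baseline["files"]
    modified = sorted(p for p in expected if p in current and current[p] != expected[p])
    added = sorted(p for p in current if p not in expected)
    missing = sorted(p for p in expected if p not in current)
    return modified, added, missing


def apply_update(root, baseline, update):
    """Accept an update only if the vendor signed it and the files on disk match
    what it promises; then re-sign the merged baseline with the local key."""
    if not verify_manifest(update, VENDOR_KEY):
        raise ValueError("update not signed by trusted vendor")
    current = hash_tree(root)
    for p, d in update["files"].items():
        if current.get(p) != d:
            raise ValueError(f"{p} on disk does not match the signed update")
    merged = dict(baseline["files"])
    merged.update(update["files"])
    return sign_manifest(merged, LOCAL_KEY)


def demo():
    """Constructed walk-through; returns the drift report at each stage."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "boot"))

        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        write("boot/vmlinuz", b"kernel v1")
        write("boot/System.map", b"symbols v1")
        baseline = sign_manifest(hash_tree(root), LOCAL_KEY)
        clean = check(root, baseline)
        # Simulated tampering: kernel image altered and an unapproved binary dropped.
        write("boot/vmlinuz", b"kernel v1 altered")
        write("unapproved", b"not in baseline")
        drifted = check(root, baseline)
        # Legitimate update: vendor-signed manifest covers the new kernel version.
        write("boot/vmlinuz", b"kernel v2")
        os.remove(os.path.join(root, "unapproved"))
        update = sign_manifest(
            {"boot/vmlinuz": file_sha256(os.path.join(root, "boot/vmlinuz"))}, VENDOR_KEY)
        baseline = apply_update(root, baseline, update)
        after_update = check(root, baseline)
        # Editing the stored baseline without the local key must be caught.
        forged = {"files": dict(baseline["files"]), "mac": baseline["mac"]}
        forged["files"]["unapproved"] = "0" * 64
        forged_ok = verify_manifest(forged, LOCAL_KEY)
    return clean, drifted, after_update, forged_ok


if __name__ == "__main__":
    print(demo())
```

The two keys separate the two trust decisions the reply distinguishes: the vendor key answers "is this update genuine?", the local key answers "is this the baseline I approved?". A real deployment would keep the local key out of reach of the processes being checked (for example in a TPM or on a separate verification host), since a checker whose baseline key is readable by the attacker can be re-signed along with the files.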

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Return C
Sent: Wednesday, 26 March 2008 12:06 a.m.
To: focus-ids () securityfocus com
Subject: rootkit and trojan hunting

all,
     I am developing a small host integrity scanner / checker to hunt
rootkits and trojans. Of course, I need to add more methods /
techniques to detect. I am currently hashing important files like the
kernel, /boot dir and System.map files. Is there any other possible
way to code it better? Any other suggestion would be really helpful
in my coding.

return C;

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
