Full Disclosure mailing list archives

Re: Removing ShKit Root Kit


From: Gino Thomas <g.thomas () nux-acid org>
Date: Mon, 22 Dec 2003 21:02:42 +0100

Brian Eckman <eckman () umn edu> wrote:

Hmmm. Well, if the execute bit isn't set, then I'd assume it can be
considered relatively safe. If the attacker can later find a way to
chmod it and then execute it with the privileges needed to make it
harmful, then I imagine that they could find other ways of
compromising your machine as well.

For Windows, if it's a backdoor that is named something.txt, well, 
again, the attacker would have to find a way to rename that file and 
execute it with appropriate permissions. Again, I imagine that if they
can do that, that they could find other ways of compromising your 
machine as well.

The backdoor could for example be a nasty macro trojan placed in a .doc
that would later (most likely) be executed by a user and so do the dirty
work without remote interaction. Nothing to rename or execute. I agree
with Paul that data from a compromised system can't be trusted anymore;
regardless of what it is, it has to be checked for integrity or wiped (at
least in a secure environment).

regards
-gt

-- 
Gino Thomas | mailto: g.thomas () nux-acid org | http://nux-acid.org
GPG: E6EA9145 | 4578 F871 893E 1FEC 31FC 5B5E 8A46 4CC8 E6EA 9145
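The integrity check the reply calls for, as an added example that is not part of the thread: it compares a host's files against a baseline manifest recorded before the incident and flags added, removed and modified files, plus files whose content is unchanged but which have since gained an execute bit (the "chmod it later" case above). The baseline format, the `demo()` scenario and the file names are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def file_digest(path, chunk=65536):
    """SHA-256 of a file's content, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> (sha256, permission bits) for regular files under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode):
                result[os.path.relpath(full, root)] = (file_digest(full), stat.S_IMODE(st.st_mode))
    return result

def compare(baseline, current):
    """Classify differences; 'exec_added' catches files that merely gained an execute bit."""
    report = {"added": [], "removed": [], "modified": [], "exec_added": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            (b_hash, b_mode), (c_hash, c_mode) = baseline[path], current[path]
            if b_hash != c_hash:
                report["modified"].append(path)
            if (c_mode & EXEC_BITS) and not (b_mode & EXEC_BITS):
                report["exec_added"].append(path)
    return report

def _write(path, text, mode):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)

def demo():
    """Constructed scenario: baseline a tiny tree, then add a file and chmod another."""
    root = tempfile.mkdtemp()
    notes = os.path.join(root, "notes.txt")
    _write(notes, "harmless\n", 0o644)
    baseline = snapshot(root)
    _write(os.path.join(root, "left_behind.txt"), "placeholder\n", 0o644)
    os.chmod(notes, 0o755)  # execute bit set later; content unchanged
    return compare(baseline, snapshot(root))
```

The baseline must come from a trusted source (read-only media or a store outside the host), since a manifest kept on the compromised system is itself untrusted data.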

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

