Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Removing ShKit Root Kit

From: Nathan Bates <nbates () wpni com>
Date: Mon, 22 Dec 2003 16:15:15 -0500
Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 02:12:53PM -0600)

[...]


For Windows, if it's a backdoor that is named something.txt, well, 
again, the attacker would have to find a way to rename that file and 
execute it with appropriate permissions. Again, I imagine that if they 
can do that, that they could find other ways of compromising your 
machine as well.


Not if it's an Alternative Data Stream; you could launch it without any audit trail.  These are generally tied
to the main file, which could be anything (eg.  something.txt:trouble.exe).  These aren't detectable without
specifically looking.  You can fairly easily execute an ADS without it showing in the task list and other
niceties.  I'm not certain if common BU utilities actually save ADSs.

        Regards,
        Nathan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: