Full Disclosure mailing list archives

RE: Removing ShKit Root Kit


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 22 Dec 2003 18:58:00 -0600

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Brian Eckman
Sent: Monday, December 22, 2003 4:24 PM
To: Nathan Bates
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Removing ShKit Root Kit

OK, so how does the attacker get the ADS to run? If you open 
something.txt in notepad, it doesn't launch the ADS 
'trouble.exe' as an executable file. It's ignored.

Remember, the machine was formatted and reinstalled from clean media. 
However that ADS was called is now long gone...

Until you restored it from backup.

Formatting and reinstalling the OS is only half the battle.  If you
restore the data that was on the compromised disk, you cannot possibly
guarantee its integrity unless you did checksums on every file prior to
the compromise, can you?

There's an assumption going on here - that it's not possible to
compromise "data" in ways that could endanger a machine.  Yet, some have
already suggested possibilities - ADS, accounts in databases and other
types of software that have their own account mechanisms, macros in
documents, etc., etc.  All an attacker needs is a way to begin the
process - something that the user would execute - like say an email
message?  Then the code can be hidden inside existing files and
reassembled by the stub that began the process.  Many "modern" viruses
begin with a small executable that then fetches the rest of the code,
"compiles" it and bam, you're compromised again.

Folks were asking these same questions before the first macro virus came
along, weren't they?  Didn't we, at one time, think it wasn't possible
to send a virus through email without using attachments that users had
to launch?  Yet all these have proven wrong.  Haven't we seen the use of
tftp and tunneled http to "get" those pieces needed to complete the
process of compromise?

As someone tasked with security in an organization, why should we make
assumptions about *anything* that existed on a compromised box?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
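The point Paul makes about restored data, that you cannot vouch for its integrity unless you hashed every file before the compromise, is easy to turn into a concrete check. The following is an added example, not code from the thread or from any of its posters: it builds a SHA-256 manifest of a directory tree ("pre-compromise"), then compares a restored copy against that manifest and reports files that were modified, added, or went missing. The directory names, file contents and the `demo()` scenario are all constructed here to make the script run stand-alone.

```python
"""Added example (not from the thread): baseline-and-verify file integrity
check for data restored from backup after a rebuild."""
import hashlib
import os
import shutil
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record the SHA-256 of every regular file, keyed by
    its path relative to root (forward slashes, so the manifest is portable)."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files; hash regular files only
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of_file(full)
    return baseline


def verify_against_baseline(root, baseline):
    """Compare the tree under `root` with a manifest taken earlier.
    Returns the three categories a responder cares about plus a clean flag."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added,
            "clean": not (modified or missing or added)}


def demo():
    """Constructed scenario: snapshot a small tree, then check a tampered
    'restore' of it. Every file and its content is made up for this example."""
    work = tempfile.mkdtemp(prefix="baseline-demo-")
    try:
        src = os.path.join(work, "pre-compromise")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "report.doc"), "wb") as f:
            f.write(b"quarterly report, no macros\n")
        with open(os.path.join(src, "something.txt"), "wb") as f:
            f.write(b"harmless text file\n")
        baseline = build_baseline(src)  # this is what must exist BEFORE the incident

        restored = os.path.join(work, "restored-from-backup")
        shutil.copytree(src, restored)
        # Simulate a backup taken after the break-in: one document altered,
        # one unexpected executable present, one file gone.
        with open(os.path.join(restored, "docs", "report.doc"), "ab") as f:
            f.write(b"<constructed: altered content>\n")
        with open(os.path.join(restored, "stub.exe"), "wb") as f:
            f.write(b"<constructed: unexpected file>\n")
        os.remove(os.path.join(restored, "something.txt"))
        return verify_against_baseline(restored, baseline)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    report = demo()
    for kind in ("modified", "added", "missing"):
        for path in report[kind]:
            print(f"{kind:8s} {path}")
    print("clean" if report["clean"] else "restore does not match pre-compromise baseline")
```

Two caveats follow directly from the thread. First, the manifest is only worth anything if it was taken before the compromise and kept somewhere the attacker could not reach (off-host, write-once, or signed); a manifest stored on the box being rebuilt is just one more file whose integrity is unknown. Second, hashing a file's contents with ordinary `open()` reads only its default data stream, so on NTFS this check does not see alternate data streams; a baseline for Windows data would need to enumerate streams as well as files.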