Full Disclosure mailing list archives
RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses
From: James.Cupps () sappi com
Date: Thu, 23 Sep 2004 11:19:37 -0400
Again true. The thing that has me worried about this (at least enough to justify the posts) is that this seems to be an avenue for growth in kits. One of the things that has been protecting (perhaps that is too optimistic a word here) people from rootkits is that most of them don't work very well or, if they do, not very pervasively (admittedly there are exceptions to this). Admins may never find the actual kits, but the kits (or their operators) cause enough problems that the admin rebuilds the box to get rid of the annoying, unexplainable problems (OK, only in a shop that is well kept; this might not pertain in many IT departments). If there is a new source of revenue, I expect the quality, and therefore the danger, from kits will greatly increase.

You are probably right in what you were saying about the need to get the word out. In addition to setting proper user rights (something that can be exceedingly irritating to do in a Windows environment, although I am sure they are working on it [I don't want to get into a religious war here]) and tightening system account settings, admins need to start looking at tools like Tripwire or other MD5-based monitoring mechanisms. There are a number out there, and they don't all cost a fortune.

For those who are hazy, we are not talking about typical BO or NC type stuff here (as useful as those tools might be to hackers [and geeky/slightly independent admins]). This is stuff that either replaces kernel components or, for some of the more advanced stuff, sits between the kernel and the hardware/BIOS. This means the OS can't even see what is happening, let alone the admin or AV programs (properly configured AVs could probably be made to look for default settings, but for alterable kits this wouldn't matter). Obviously that makes it difficult to make it hardware-, OS/patch- or system-independent. It also tends to mean that the more comprehensive ones are not that small (again, a few notable exceptions). Still, development funds can make a lot happen.

To go a step further, if the code gets small enough and public enough there is a potential for some of it to end up in viruses. I would think this is pretty difficult, but ...

By the way, good site.

James Cupps
Information Security Officer

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Harlan Carvey
Sent: Thursday, September 23, 2004 9:25 AM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

> Nothing new about rootkits. They aren't big news because they are old news. Although depressing, this is definitely possible.

Old news, yes... but to some, not everyone. Taking users (home, corporate, academic, etc.) out of it, sysadmins and LEOs are still way behind when it comes to understanding rootkits. Certain privileges are required for the installation of user-mode rootkits, and in the absence of those privs, the rootkits have been shown to *not* install. For some level of detail about this, check out "Windows Forensics and Incident Recovery" (http://www.windows-ir.com).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

This message may contain information which is private, privileged or confidential and is intended solely for the use of the individual or entity named in the message. If you are not the intended recipient of this message, please notify the sender thereof and destroy / delete the message. Neither the sender nor Sappi Limited (including its subsidiaries and associated companies) shall incur any liability resulting directly or indirectly from accessing any of the attached files which may contain a virus or the like.
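The post recommends Tripwire-style hash-based monitoring as one of the few things an admin can do against kits that hide from the OS. The following is an added example, not code from the thread or from Tripwire: it takes a baseline of every file under a directory (digest, size and mode), stores it as JSON, and later diffs a fresh scan against it to report files added, removed or changed. It hashes with SHA-256 rather than the MD5 the post mentions, since MD5 collisions are practical today. The directory layout, file contents and "tampered binary" scenario in demo() are constructed for illustration.

```python
# Added example: a minimal Tripwire-style file-integrity baseline and check.
# Not from the mailing-list post; uses SHA-256 instead of the MD5 the post
# mentions. All sample files and changes below are constructed for the demo.
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map every regular file under root (relative POSIX path) to digest, size and mode."""
    root_path = Path(root)
    baseline = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # skip links and directories; only regular files are tracked
        st = p.stat()
        baseline[p.relative_to(root_path).as_posix()] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Report files added, removed or changed between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline: dict, path) -> None:
    """Persist the baseline as sorted JSON (keep a copy off the monitored host)."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then mimic a tampered binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        store = Path(tmp) / "baseline.json"  # outside the monitored tree
        save_baseline(build_baseline(root), store)  # taken at a known-good point

        # Simulated changes: ps replaced by a same-length file, hosts deleted,
        # a new file dropped into bin.
        (root / "bin" / "ps").write_bytes(b"replaced ps binary\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "extra").write_bytes(b"new file\n")

        return diff_baselines(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats follow directly from the thread: the replaced ps in the demo has the same size as the original, so a size-only check would miss it and the digest is what catches it; and a baseline kept on the same box can be edited along with the files, so store it read-only or off-host and, as the post notes for kernel-level kits, a check run from inside a subverted OS may be lied to, which is why such scans are usually run from trusted boot media.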