Full Disclosure mailing list archives
Re: Microsoft GhostBuster Opionions
From: Dave King <davefd () davewking com>
Date: Thu, 17 Mar 2005 12:40:14 -0700
bkfsec wrote:
Valdis.Kletnieks () vt edu wrote:On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:Also, this is not just like tripwire. If the kernel is compromised and reporting false data to tripwire then tripwire can run along merrily thinking every thing's great. This is why booting to a trusted kernel is important for the process. Exploiting Software by Hoglund and McGraw has a discussion on these types of rootkits. Tripwire, however does great at detecting other sorts of intrusions.Actually, the "prior art" *is* tripwire. If you run tripwire on the livesystem, then run it while booted from a CD, and they produce different results, you have a problem. And that's what they're doing by doing a 'dir /a /s' on the live system, then booting the Windows PE CD, and looking for differences....In fact, it's even more simple than that. Tripwire is far more complex than a 'dir /a /s' and comparing the file differences.A 'dir /a /s' is more comparible to a 'tree -afi' (I believe these are the right command line switches - this was entered on memory) on Unix systems with the tree binary installed. All you need to do is boot from another media, rinse, repeat, and run a diff on the two files.This would place the prior art even further back in time. And dare I say that the output of tree would even be more useful than the dir output, not to mention the fact that the tripwire check is just in another league entirely. (Meaning far far far more useful output.)-Barry
That's true, I meant Tripwire no disrespect. I used tripwire for several years, and since have used Samhain and Osiris. All or which are great tools for checking the integrety of the files. A couple of things to think about though. First 'dir /a /s' can get through an entire drive much faster than these other tools and sometimes speed is important. Checking the entire drive will almost always be overkill, but that's just what the original paper talked about doing which is why I mentioned it. Second, as far as I can tell Tripwire for Windows isn't free like it is for Linux. While this shouldn't be the only reason to make a decission not to use a product it's not a bad idea to look at other possibilities as well. Osiris works on Windows and could possibly be used to check the file integrety. Another option would be to use Microsoft's File Checksum Integrity Verifier utility http://support.microsoft.com/?kbid=841290 . I have tried running Microsoft's tool on 25 GB of files and it took about 3 hours to check about 15,000 directories and 138,000 files.
So while Tripwire is a great tool with many great features it seems that there are tools that can perform the tasks needed to do one scan for free. It would also be very easy to build a small C++ program to make these hashes as well.
Thanks for the input, Dave King http://www.thesecure.net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://www.secunia.com/
Current thread:
- Microsoft GhostBuster Opionions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opionions Valdis . Kletnieks (Mar 17)
- Re: Microsoft GhostBuster Opionions bkfsec (Mar 17)
- Re: Microsoft GhostBuster Opionions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opinions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opinions Ron DuFresne (Mar 17)
- Re: Microsoft GhostBuster Opinions Jeremy Bishop (Mar 17)
- Re: Microsoft GhostBuster Opinions J u a n (Mar 18)
- Re: Microsoft GhostBuster Opinions Dave King (Mar 18)
- Re: Microsoft GhostBuster Opinions dk (Mar 18)
- Re: Microsoft GhostBuster Opinions Ron DuFresne (Mar 18)
- Re: Microsoft GhostBuster Opionions bkfsec (Mar 17)
- Re: Microsoft GhostBuster Opionions Valdis . Kletnieks (Mar 17)