Full Disclosure mailing list archives
Re: Microsoft GhostBuster Opinions
From: Ron DuFresne <dufresne () winternet com>
Date: Thu, 17 Mar 2005 19:58:43 -0600 (CST)
On Thu, 17 Mar 2005, Dave King wrote:
> Valdis.Kletnieks () vt edu wrote:
>> On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
>>> Also, this is not just like tripwire. If the kernel is compromised and reporting false data to tripwire then tripwire can run along merrily thinking everything's great. This is why booting to a trusted kernel is important for the process. Exploiting Software by Hoglund and McGraw has a discussion on these types of rootkits. Tripwire, however, does great at detecting other sorts of intrusions.
>>
>> Actually, the "prior art" *is* tripwire. If you run tripwire on the live system, then run it while booted from a CD, and they produce different results, you have a problem. And that's what they're doing by doing a 'dir /a /s' on the live system, then booting the Windows PE CD, and looking for differences....
>
> Ok, this is true. I guess what I meant by what I said was running tripwire as a cron job daily or whatever on a system without booting to a known good kernel could yield incorrect results if the kernel has been compromised. A similar result can be had using tripwire on the system then booting to a known good kernel and running it again.
If the kernel is modified, on a Windows or *nix system, you are going to have a clear clue upfront; the system will have rebooted. Course, a failing system that reboots or blue screens every few weeks rather than runs stable unless there is a total power outage or a maint window when such things are done is another problem altogether... Of course, I'm not sure you understand what tripwire is or does, further research might be in order.

Thanks,

Ron DuFresne
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em 'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
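The cross-view check Valdis describes (a listing taken on the live system, a second one taken after booting Windows PE, then a diff), as an added example that is not part of the thread or of Microsoft's tool: it compares two constructed listings and sets aside paths expected to churn between boots, a noise source the thread does not address but any real comparison has to handle. The listing format, the sample paths and the volatile-path list are assumptions.

```python
"""Cross-view diff of two file listings: one captured on the live system,
one captured after booting trusted media; the live view's omissions are flagged."""
from dataclasses import dataclass

# Constructed sample data: one "path<TAB>size" line per file, standing in for
# `dir /a /s` output captured to a file during each boot.
LIVE_LISTING = """\
C:\\Windows\\System32\\kernel32.dll\t989696
C:\\Windows\\System32\\drivers\\etc\\hosts\t824
C:\\Windows\\Temp\\log.tmp\t120
"""
OFFLINE_LISTING = """\
C:\\Windows\\System32\\kernel32.dll\t989696
C:\\Windows\\System32\\drivers\\etc\\hosts\t1102
C:\\Windows\\System32\\drivers\\hidden.sys\t45056
C:\\Windows\\Temp\\log.tmp\t512
"""
# Paths expected to differ between two boots anyway; differences there are
# noise, not evidence. Hypothetical list, tune it per system.
VOLATILE_PREFIXES = ("c:\\windows\\temp\\",)

def parse_listing(text: str) -> dict:
    """Map case-folded path -> size; NTFS paths are case-insensitive."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            path, size = line.rsplit("\t", 1)
            entries[path.lower()] = int(size)
    return entries

@dataclass
class CrossViewReport:
    hidden_from_live: list  # offline view only: the classic rootkit symptom
    live_only: list         # live view only: usually transient, still worth a look
    size_mismatch: list     # both views, different size: tampering or churn

def cross_view_diff(live_text: str, offline_text: str) -> CrossViewReport:
    live, offline = parse_listing(live_text), parse_listing(offline_text)
    stable = lambda p: not p.startswith(VOLATILE_PREFIXES)
    hidden = sorted(p for p in offline if p not in live and stable(p))
    live_only = sorted(p for p in live if p not in offline and stable(p))
    mismatch = sorted(p for p in live if p in offline
                      and live[p] != offline[p] and stable(p))
    return CrossViewReport(hidden, live_only, mismatch)

if __name__ == "__main__":
    report = cross_view_diff(LIVE_LISTING, OFFLINE_LISTING)
    for name, paths in vars(report).items():
        print(f"{name}: {paths}")
```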
Current thread:
- Microsoft GhostBuster Opionions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opionions Valdis . Kletnieks (Mar 17)
- Re: Microsoft GhostBuster Opionions bkfsec (Mar 17)
- Re: Microsoft GhostBuster Opionions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opinions Dave King (Mar 17)
- Re: Microsoft GhostBuster Opinions Ron DuFresne (Mar 17)
- Re: Microsoft GhostBuster Opinions Jeremy Bishop (Mar 17)
- Re: Microsoft GhostBuster Opinions J u a n (Mar 18)
- Re: Microsoft GhostBuster Opinions Dave King (Mar 18)
- Re: Microsoft GhostBuster Opinions dk (Mar 18)
- Re: Microsoft GhostBuster Opinions Ron DuFresne (Mar 18)
- Re: Microsoft GhostBuster Opionions bkfsec (Mar 17)
- Re: Microsoft GhostBuster Opionions Valdis . Kletnieks (Mar 17)