Security Incidents mailing list archives

Re: NKADM rootkit - Something new?


From: Valdis.Kletnieks () vt edu
Date: Tue, 01 Jun 2004 13:08:16 -0400

On Tue, 01 Jun 2004 10:49:45 EDT, Dave Paris <dparis () w3works com>  said:
> Definitely not a stupid question.  Most forensic toolkits are created from
> statically-compiled executables, created on a known-safe system and then
> loaded from CD or other removable media.

Note that loading statically linked binaries from a CD, but doing so under
control of a possibly compromised operating system, is still unsafe.  You really
need to boot a known-trusted kernel as well (as far as I know, nobody is
currently hacking the boot/BIOS ROMs to backdoor the boot process,
but even THAT can be suspect... ;)

Remember - that binary is trusting the operating system to behave itself
when the binary issues (for instance) a "read blocks 3956 through 3963"
command.  If the operating system lies to it and returns the "expected"
data rather than what's really on the disk, the binary doesn't have much
recourse.
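The point above is that a static binary removes the dependency on a possibly trojaned libc, but every block it reads still comes back through the kernel's read path. Below is an added example (my code, not part of the thread or of any forensic toolkit) that makes the mechanism concrete: it reads a fixed block range through read(2) and folds it into a digest, so the same digest can be taken once on the live system and once after booting a trusted kernel from removable media. Under a lying kernel the program cannot tell the difference; it is the comparison across the two boots that exposes the lie. The 512-byte block size, the block numbers 3956-3963 from the post, the FNV-1a digest (chosen only because it needs no library; use SHA-256 from a statically linked, trusted libcrypto for real work) and the constructed sample image are all assumptions for illustration.

```c
/* Added example, not from the original post: hash a block range read
 * through the kernel so that a live-system digest can be compared with a
 * trusted-boot digest.  Block size, block numbers, the non-cryptographic
 * FNV-1a digest and the sample image are assumptions for illustration. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BLOCK_SIZE 512   /* assumed sector size */

/* 64-bit FNV-1a: dependency-free and NOT cryptographic; a placeholder for
 * SHA-256 from a trusted static library. */
static uint64_t fnv1a64(const unsigned char *p, size_t n, uint64_t h) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Read exactly one block at `block` via lseek(2)+read(2).  Returns 0 on
 * success, -1 on a short read or I/O error: a short read on a block device
 * is itself suspicious and must never be silently padded. */
static int read_block(int fd, uint64_t block, unsigned char *buf) {
    off_t off = (off_t)(block * BLOCK_SIZE);
    if (lseek(fd, off, SEEK_SET) != off) return -1;
    size_t got = 0;
    while (got < BLOCK_SIZE) {
        ssize_t n = read(fd, buf + got, BLOCK_SIZE - got);
        if (n <= 0) return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Fold blocks [first, last] into one digest.  0 on success, -1 on error.
 * Every byte here came from the kernel: if it lies, this digest is the lie. */
int hash_block_range(const char *path, uint64_t first, uint64_t last, uint64_t *digest) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    unsigned char buf[BLOCK_SIZE];
    uint64_t h = 14695981039346656037ULL;   /* FNV-1a offset basis */
    for (uint64_t b = first; b <= last; b++) {
        if (read_block(fd, b, buf) != 0) { close(fd); return -1; }
        h = fnv1a64(buf, BLOCK_SIZE, h);
    }
    close(fd);
    *digest = h;
    return 0;
}

/* Convenience wrapper: digest, or 0 on any error. */
uint64_t digest_of(const char *path, uint64_t first, uint64_t last) {
    uint64_t d;
    return hash_block_range(path, first, last, &d) == 0 ? d : 0;
}

/* 1 when the live digest equals the one recorded under a trusted kernel,
 * 0 when the kernel returned something other than what is on disk (or the
 * disk changed between the two boots, which must be ruled out separately). */
int digests_match(uint64_t live, uint64_t trusted) { return live == trusted; }

/* Constructed sample "disk" image so the example runs offline: block b is
 * filled with the byte (b & 0xff). */
int write_sample_image(const char *path, uint64_t blocks) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    unsigned char blk[BLOCK_SIZE];
    for (uint64_t b = 0; b < blocks; b++) {
        memset(blk, (int)(b & 0xff), sizeof blk);
        if (fwrite(blk, 1, sizeof blk, f) != sizeof blk) { fclose(f); return -1; }
    }
    return fclose(f) == 0 ? 0 : -1;
}

/* Invert the first byte of `block`, standing in for a change the kernel
 * could hide from a reader on the live system.  0 on success, -1 on error. */
int flip_first_byte(const char *path, uint64_t block) {
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    off_t off = (off_t)(block * BLOCK_SIZE);
    unsigned char c;
    if (lseek(fd, off, SEEK_SET) != off || read(fd, &c, 1) != 1) { close(fd); return -1; }
    c = (unsigned char)~c;
    if (lseek(fd, off, SEEK_SET) != off || write(fd, &c, 1) != 1) { close(fd); return -1; }
    return close(fd) == 0 ? 0 : -1;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/tmp/sample_disk.img";   /* assumed path */
    if (argc <= 1 && write_sample_image(path, 4096) != 0) return 1;
    uint64_t d;
    if (hash_block_range(path, 3956, 3963, &d) != 0) { perror("read"); return 1; }
    printf("blocks 3956-3963 of %s: fnv1a64=%016llx\n", path, (unsigned long long)d);
    return 0;
}
```

Run it once on the live system against the raw device (e.g. `./blockhash /dev/sda`), then again after booting a known-good kernel from read-only media, and compare the two digests with digests_match. Agreement is only evidence, not proof: it rules out a kernel that rewrites those particular blocks on read, not a kernel that also alters the on-disk data, and the trusted-boot reading remains a kernel reading, which is why the post's point about suspect boot ROMs still applies.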

