Security Incidents mailing list archives
Re: NKADM rootkit - Something new?
From: Valdis.Kletnieks () vt edu
Date: Tue, 01 Jun 2004 13:08:16 -0400
On Tue, 01 Jun 2004 10:49:45 EDT, Dave Paris <dparis () w3works com> said:
> Definitely not a stupid question. Most forensic toolkits are created from statically-compiled executables, created on a known-safe system and then loaded from CD or other removable media.
Note that loading statically linked binaries from a CD, but doing so under control of a possibly compromised operating system, is still unsafe. You really need to boot a known-trusted kernel as well (as far as I know, nobody is currently hacking the boot/BIOS ROMs to backdoor the boot process, but even THAT can be suspect... ;) Remember - that binary is trusting the operating system to behave itself when the binary issues (for instance) a "read blocks 3956 through 3963" command. If the operating system lies to it and returns the "expected" data rather than what's really on the disk, the binary doesn't have much recourse.
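Added example (Python, not from the thread) modelling the point made above: a statically linked checker that asks a compromised kernel for blocks 3956 through 3963 gets the "expected" data back and passes, while reading the same blocks from a trusted boot exposes the difference. The 16-byte block geometry, the block contents and the tampered range are constructed for the demonstration.

```python
import hashlib

BLOCK = 16        # constructed toy geometry: 16-byte blocks instead of 512/4096
N_BLOCKS = 4096   # enough to cover the block numbers quoted in the post

def pristine_block(i):
    """Constructed clean content of block i: the 'expected' data."""
    return bytes([i % 256]) * BLOCK

def make_tampered_disk(tampered):
    """Constructed on-platter image: pristine everywhere except the tampered
    range, which stands in for sectors a rootkit has altered."""
    altered = bytes(range(BLOCK))   # never equals a constant-fill pristine block
    return b"".join(altered if i in tampered else pristine_block(i)
                    for i in range(N_BLOCKS))

def read_blocks_trusted_kernel(disk, first, last):
    """Read of blocks first..last when the kernel is honest, e.g. after booting
    from known-good media: bytes come straight off the image."""
    return disk[first * BLOCK:(last + 1) * BLOCK]

def read_blocks_compromised_kernel(disk, first, last, hidden):
    """Model of the failure mode in the post: the kernel services the read but
    substitutes the expected pristine content for the blocks it hides."""
    return b"".join(pristine_block(i) if i in hidden
                    else disk[i * BLOCK:(i + 1) * BLOCK]
                    for i in range(first, last + 1))

def block_hashes(data):
    """Per-block SHA-256 digests of a read result."""
    return [hashlib.sha256(data[o:o + BLOCK]).hexdigest()
            for o in range(0, len(data), BLOCK)]

def looks_clean(read_result, first, last):
    """All a statically linked checker can do on its own: compare what the
    kernel handed back against known-good hashes. It has no other source."""
    expected = block_hashes(b"".join(pristine_block(i)
                                     for i in range(first, last + 1)))
    return block_hashes(read_result) == expected

def discrepant_blocks(first, live_read, offline_read):
    """Cross-view check: block numbers whose hash differs between the view the
    live system returned and the view obtained from a trusted boot."""
    return [first + k for k, (a, b) in
            enumerate(zip(block_hashes(live_read), block_hashes(offline_read)))
            if a != b]
```

Running `discrepant_blocks(3950, live, offline)` on the two views of the constructed image reports exactly the hidden range, which is the comparison a live read alone can never make.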