Security Incidents mailing list archives

Re: NKADM rootkit - Something new?


From: "'Ansgar -59cobalt- Wiechers'" <bugtraq () planetcobalt net>
Date: Tue, 1 Jun 2004 18:41:35 +0200

On 2004-06-01 Levinson, Karl wrote:
> On Monday, May 31, 2004 5:09 PM, Ansgar -59cobalt- Wiechers wrote:
>
>> Microsoft has documented a way to create a memory dump on demand [1].
>> Could this be considered sufficient to preserve the system's state?
>
> The question is, sufficient for what?

To preserve the current state of the system for future examination, of
course.

> Doing such a memory dump writes the entire contents of memory to the
> hard drive, thus altering a large portion of the hard disk image and
> possibly overwriting useful information. In some scenarios, this could
> possibly cause problems, e.g. if something important on the drive is
> overwritten, or if the hard drive needs to stand up as evidence in
> court.

You mean overwriting deleted but not erased files? Probably, but how
relevant is that for the given case of determining whether (and how) a
system was compromised?

> The question is probably academic. You cannot do this memory dump on
> demand unless you previously added the registry value AND rebooted,
> before the compromise took place.

True.

> And as Harlan pointed out, if you did do this dump, you would have a
> lot of data to go through in the dump. You would have to be prepared
> with the knowledge, tools and time to go through that dump, or else
> making the dump will probably not help anyone. Examining a Windows
> memory dump is not trivial.

Agreed. OTOH there is the problem of a rootkit manipulating the data
requested by tools running on the compromised system itself (or at least
requesting data from it). Harlan described how one could use tools or
scripts to log the data to a remote host, but how trustworthy would that
data be?

Regards
Ansgar Wiechers
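The on-demand dump the thread refers to is the keyboard-triggered crash dump Microsoft documents in KB 244139 (CrashOnCtrlScroll, then Right Ctrl + Scroll Lock pressed twice). The script below is an added example, not code from the thread or from Microsoft, showing how a machine would have to be prepared in advance, which is exactly the "registry value AND reboot" precondition Karl describes, and why the dump touches the disk: a complete dump is written through the boot-volume pagefile and then copied to DumpFile (by default %SystemRoot%\MEMORY.DMP). Registry paths and value names are the documented ones; the kbdhid path applies to USB keyboards on later Windows versions, and the RAM+1 MB pagefile check follows Microsoft's stated requirement for a complete memory dump. Everything else (function names, warning thresholds) is this example's own assumption. Run it elevated.

```powershell
# Added example (not from the original thread): pre-arm the keyboard-triggered
# crash dump from KB 244139 and sanity-check the CrashControl settings a
# complete memory dump depends on. The CrashOnCtrlScroll value only takes
# effect after a reboot, which is why it must be in place before an incident.
# Function names and thresholds below are this example's assumptions.

$kbdParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'  # PS/2 keyboards (KB 244139)
$usbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'    # USB keyboards (later Windows)
$crashCtl  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Enable-CrashOnCtrlScroll {
    foreach ($p in @($kbdParams, $usbParams)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        # DWORD 1 = allow Right Ctrl + Scroll Lock (twice) to bugcheck the box
        New-ItemProperty -Path $p -Name CrashOnCtrlScroll -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-FullDumpConfig {
    $cc = Get-ItemProperty -Path $crashCtl
    # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump)
    if ($cc.CrashDumpEnabled -ne 1) {
        Write-Warning "CrashDumpEnabled is $($cc.CrashDumpEnabled); a complete memory dump needs 1"
    }

    $ramMB    = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $sysDrive = $env:SystemDrive
    # The dump is first written into the pagefile on the boot volume, then copied to
    # DumpFile on the next boot. This is the disk activity Karl's objection is about:
    # both the pagefile and the copy land on the same volume an examiner may want intact.
    $pf = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "$sysDrive*" }
    if (-not $pf) {
        Write-Warning "No pagefile on $sysDrive; a complete dump is written through the boot-volume pagefile"
    } elseif ($pf.AllocatedBaseSize -lt ($ramMB + 1)) {
        Write-Warning "Pagefile on $sysDrive is $($pf.AllocatedBaseSize) MB; a complete dump needs at least RAM+1 MB ($($ramMB + 1) MB)"
    }

    [pscustomobject]@{
        CrashDumpEnabled = $cc.CrashDumpEnabled
        DumpFile         = $cc.DumpFile
        RamMB            = $ramMB
        PagefileMB       = if ($pf) { $pf.AllocatedBaseSize } else { 0 }
    }
}

Enable-CrashOnCtrlScroll
Test-FullDumpConfig
Write-Host "Reboot before relying on Right Ctrl + Scroll Lock (twice) to trigger the dump."
```

Note that this prepares the machine only; it does nothing for a host that was compromised before the value and reboot were in place, and, as the thread goes on to say, any data produced by the compromised kernel itself (including the dump's contents as written by a hooked driver) is only as trustworthy as that kernel.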

