Subject: IDS: Re: Windows rootkit detection
From: Talisker (Taliskernetworkintrusion.co.uk)
Date: Sat Dec 02 2000 - 09:21:34 CST


Archive: http://msgs.securepoint.com/ids
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
-----------------------------------------------------------------------------
Keiji

I think Intact from Pedestal uses a 2-pronged attack. The first is to detect
changes made to a system using a traditional file integrity checking MD,
"looking for unusual changes to system components." The second approach is
to prevent even administrators from installing drivers etc.; in this they
specifically mention rootkits:
"A prominent mechanism that hackers use to disguise their activities on
compromised systems is to install a "rootkit", which is typically a suite of
programs used to cover up evidence of intrusion and to hide trojans and
other applications and data (such as Distributed Denial of Service (DDOS)
tools). One of the most powerful rootkit applications is to alter the
behavior of the operating system by running as a kernel driver in privileged
mode. These applications are capable of hiding processes in the process
table, hiding files, directories, registry keys and values, altering the access
control mechanisms and manipulating the OS in other ways.
The Intact Integrity Protection Driver is designed to block new drivers from
being installed by any account, including Administrator or System. The goal
is to block any new privileged code from executing at all even on a
compromised system. The Driver does this by disallowing new drivers and
services from being installed, by protecting existing drivers from
alteration, and by protecting existing driver registry information. Further,
the Driver protects itself by forbidding its removal once engaged."

Personally I'd have more faith in the traditional method of file integrity
checking than in the blocking method for catching them, but that's just my
paranoia and not based on fact. That being said, Pedestal do have both
methods in their tool.

Toby Miller submitted a nice article to SANS on t0rn:
http://www.sans.org/y2k/t0rn.htm

Nelson Murilo has produced a tool that will try to find rootkits on *nix
systems; Nelson advises that the bug in detecting t0rn has been rectified
(http://www.chkrootkit.org/). He's also got some good rootkit-related links at
the bottom of his page.

Andy
http://www.networkintrusion.co.uk
Talisker's Network Security Tools List
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall |
  | Inherit the earth |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo
taliskernetworkintrusion.co.uk

The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.

----- Original Message -----
From: "Keiji Takeda" <keijisfc.keio.ac.jp>
To: <idsuow.edu.au>
Sent: Saturday, December 02, 2000 4:21 AM
Subject: IDS: Windows rootkit detection

> Hello,
>
> It seems that there has been discussion on
> the detection of rootkit (www.rootkit.com).
>
> Pedestalsoftware (http://www.pedestalsoftware.com/)
> claims that their Intact can detect rootkit,
> but rootkit developers say no one can detect it.
>
> Is there anyone who examined this issue?
>
>
> Keiji Takeda ( http://www.sfc.keio.ac.jp/~keiji/ )
>
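The "traditional" file integrity check that Andy says he would trust more, as an added example for this archive page (not Intact's, Pedestal's or chkrootkit's code; the file names and contents are constructed, and the caveat in the comments is the one the thread raises about checkers that run on the compromised host):

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large system files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files modified, added or removed since the baseline was taken.
    Caveat from the thread: both snapshots are read through the running OS, so a
    kernel-mode rootkit that hides files or filters reads can show this checker a
    clean view. Keep the baseline off the host and, where possible, run the
    check from trusted boot media rather than on the suspect system."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario (not a real system): baseline a small 'system' tree,
    then replace one binary and drop in a new driver, as a rootkit install would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "cmd.exe").write_bytes(b"original cmd")
        (root / "drivers" / "tcpip.sys").write_bytes(b"original tcpip")
        baseline = build_baseline(root)
        (root / "cmd.exe").write_bytes(b"trojaned cmd")               # replaced binary
        (root / "drivers" / "newdrv.sys").write_bytes(b"new driver")  # new driver
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```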