
Re: [Full-Disclosure] Removing ShKit Root Kit




|>> OK, so how does the attacker get the ADS to run? If you open
|>> something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as
|>> an executable file. It's ignored.
|
| The easy answer is start a command prompt and type
|
| start something.txt:trouble.exe
|
| it does not even have to be tagged .exe or .com or whatever. As an
| exercise, copy notepad.exe to calc.exe:notepad and then launch a command
| prompt and type "start calc.exe:notepad". You should be looking at
| notepad. I no longer have a handy M$ system to verify the steps on so if
| it does not work play with it for a few minutes.

Although Jason is exactly right about ADSes under NTFS as covert data
storage (in theory, even if his examples don't quite work), it's all a
bit off topic -- the server in question was a RH 8.0 box and besides,
ADSes are trivial to find if you're looking for them and aren't likely to
see much use in the wild.

All this discussion about particulars is beside the point -- the thrust
of the matter is that attacker/defender roles have been reversed,
leaving the good guy in an untenable position.  Do you really think it's
wise to bet you're smarter or more resourceful than a person who has
(already) rooted the box once?

take care,

Cael




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html