
Re: [Full-Disclosure] Removing ShKit Root Kit



Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 04:24:08PM -0600)

> OK, so how does the attacker get the ADS to run? If you open 
> something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as an 
> executable file. It's ignored.

A quick google shows:

        http://patriot.net/~carvdawg/docs/dark_side.html

If they're able to create the datastream in the first place, you'd think they'd be able to get it to run or add it into the registry somewhere. I'm not completely certain, but you shouldn't be able to see them in the task list either.

> Remember, the machine was formatted and reinstalled from clean media. 
> However that ADS was called is now long gone...

If you're restoring from backup you may very well restore ADSs as well. In the context of a fresh install and rebuild, this would have no effect. Unless of course you don't prevent the very vulnerability that allowed the attacker access in the first place.

        Just my 2 cents,
        Nathan
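As an added example that is not part of the thread above: the point about backups restoring alternate data streams along with the files suggests inventorying ADSs on a restore staging area before anything is put back. The script below walks a directory tree and reports every stream other than the default unnamed stream, using the `Get-Item -Stream` cmdlet (PowerShell 3.0 or later); the staging path and the list of streams treated as benign are assumptions to adjust.

```powershell
# Added example (not from the thread): list NTFS alternate data streams under a
# directory so a backup set can be checked before it is restored.
# Assumes PowerShell 3.0+ and an NTFS volume; $Path is a placeholder.
param(
    [string]$Path = 'C:\Restore\Staging'   # assumed staging path; adjust as needed
)

# Streams expected on ordinary files: the unnamed data stream itself and the
# Internet Explorer/SmartScreen zone marker. Anything else gets reported.
$benign = @(':$DATA', 'Zone.Identifier')

$findings = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns one object per data stream attached to the file,
        # with FileName, Stream (the stream name) and Length properties.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $benign -notcontains $_.Stream }

foreach ($f in $findings) {
    # Host file, stream name and stream size; an executable-sized stream
    # hanging off a text file is the kind of entry worth a closer look.
    '{0}:{1} ({2} bytes)' -f $f.FileName, $f.Stream, $f.Length
}

'{0} non-default stream(s) found under {1}' -f @($findings).Count, $Path

# Once reviewed, an individual stream can be read or removed without touching
# the host file's main content, e.g.:
#   Get-Content -LiteralPath 'C:\path\file.txt' -Stream 'name' -Raw
#   Remove-Item -LiteralPath 'C:\path\file.txt' -Stream 'name'
```

On systems without PowerShell 3.0, `dir /r` in cmd.exe (Windows Vista and later) shows the same stream names one directory at a time.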

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html