Re: [Full-disclosure] Microsoft GhostBuster Opinions

From: Ron DuFresne (dufresne_at_winternet.com)
Date: 03/18/05

  • Next message: Paul Laudanski: "[Full-disclosure] Social Engineering: You Have Been A Victim"
    Date: Thu, 17 Mar 2005 19:58:43 -0600 (CST)
    To: Dave King <davefd@davewking.com>
    
    

    On Thu, 17 Mar 2005, Dave King wrote:

    > Valdis.Kletnieks@vt.edu wrote:
    >
    > >On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
    > >
    > >
    > >
    > >> Also, this is not just like tripwire. If the kernel is compromised
    > >>and reporting false data to tripwire then tripwire can run along merrily
    > >>thinking everything's great. This is why booting to a trusted kernel
    > >>is important for the process. Exploiting Software by Hoglund and McGraw
    > >>has a discussion on these types of rootkits. Tripwire, however does
    > >>great at detecting other sorts of intrusions.
    > >>
    > >>
    > >
    > >Actually, the "prior art" *is* tripwire. If you run tripwire on the live
    > >system, then run it while booted from a CD, and they produce different
    > >results, you have a problem.
    > >
    > >And that's what they're doing by doing a 'dir /a /s' on the live system,
    > >then booting the Windows PE CD, and looking for differences....
    > >
    > >
    > Ok, this is true. I guess what I meant by what I said was running
    > tripwire as a cron job daily or whatever on a system without booting to
    > a known good kernel could yield incorrect results if the kernel has been
    > compromised. A similar result can be had using tripwire on the system
    > then booting to a known good kernel and running it again.
    >

    If the kernel is modified, on a windows or *nix system, you are going to
    have a clear clue upfront; the system will have rebooted. Course, a
    failing system that reboots or blue screens every few weeks rather than
    runs stable unless there is a total power outage or a maint window when such
    things are done is another problem altogether...

    Of course, I'm not sure you understand what tripwire is or does, further
    research might be in order.

    Thanks,

    Ron DuFresne

    -- 
    "Sometimes you get the blues because your baby leaves you. Sometimes you get'em
    'cause she comes back." --B.B. King
            ***testing, only testing, and damn good at it too!***
    OK, so you're a Ph.D.  Just don't touch anything.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://www.secunia.com/
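To make the cross-view check described in the thread concrete (take a listing on the live system, take another after booting trusted media, then diff), here is an added Python example; it is not code from the thread, from Tripwire or from GhostBuster. The two manifests are constructed sample data in `sha256sum`-style "hash  path" form, and `volatile_ok` is an assumed allow-list for files that legitimately exist only while the system is running.

```python
"""Cross-view difference check in the 'tripwire twice' spirit of the thread.

Added example, not from the thread or any named tool. Both manifests below
are constructed: one stands for a hash listing taken on the running system,
the other for a listing of the same volume taken after booting trusted media.
"""

import hashlib
from dataclasses import dataclass, field


def digest(content: bytes) -> str:
    """SHA-256 hex digest used to build the constructed sample manifests."""
    return hashlib.sha256(content).hexdigest()


# Constructed offline view: what a listing from trusted boot media sees on disk.
OFFLINE_MANIFEST = "\n".join([
    f"{digest(b'kernel image v1')}  C:\\Windows\\System32\\ntoskrnl.exe",
    f"{digest(b'not shown live')}  C:\\Windows\\System32\\drivers\\hidden.sys",
    f"{digest(b'meeting notes')}  C:\\Users\\alice\\notes.txt",
    f"{digest(b'user32 original')}  C:\\Windows\\System32\\user32.dll",
])

# Constructed live view: what the running (possibly lying) system reported.
LIVE_MANIFEST = "\n".join([
    f"{digest(b'kernel image v1')}  C:\\Windows\\System32\\ntoskrnl.exe",
    f"{digest(b'meeting notes')}  C:\\Users\\alice\\notes.txt",
    f"{digest(b'user32 trojaned')}  C:\\Windows\\System32\\user32.dll",
    f"{digest(b'scratch')}  C:\\Windows\\Temp\\session.tmp",
])

# Assumed allow-list (constructed): files expected to exist only while running.
VOLATILE_OK = frozenset({r"c:\windows\temp\session.tmp"})


def parse_manifest(text: str) -> dict:
    """Parse 'hash  path' lines into {path: hash}.

    Paths are lower-cased because Windows file systems are case-insensitive,
    so 'System32' and 'system32' must compare equal across the two views.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        file_hash, path = line.split("  ", 1)
        entries[path.strip().lower()] = file_hash.lower()
    return entries


@dataclass
class CrossViewReport:
    hidden_from_live: list = field(default_factory=list)  # offline only
    only_in_live: list = field(default_factory=list)      # live only, not allow-listed
    content_mismatch: list = field(default_factory=list)  # same path, different hash

    def suspicious(self) -> bool:
        # A file the running system cannot see, or whose live hash disagrees
        # with what is actually on disk, is the signature this check exists for.
        return bool(self.hidden_from_live or self.content_mismatch)


def cross_view_diff(live: dict, offline: dict, volatile_ok=frozenset()) -> CrossViewReport:
    """Compare the live and offline views and classify every disagreement."""
    hidden = sorted(p for p in offline if p not in live)
    only_live = sorted(p for p in live if p not in offline and p not in volatile_ok)
    shared = live.keys() & offline.keys()
    mismatch = sorted(p for p in shared if live[p] != offline[p])
    return CrossViewReport(hidden, only_live, mismatch)


def run_example() -> CrossViewReport:
    """Run the check over the constructed manifests."""
    return cross_view_diff(parse_manifest(LIVE_MANIFEST),
                           parse_manifest(OFFLINE_MANIFEST),
                           VOLATILE_OK)


if __name__ == "__main__":
    report = run_example()
    print("hidden from live view:", report.hidden_from_live)
    print("only in live view:    ", report.only_in_live)
    print("content mismatch:     ", report.content_mismatch)
    print("suspicious:", report.suspicious())
```

The point the thread makes is that neither listing alone is trustworthy evidence when the kernel may be lying; only the disagreement between the two views is. The example therefore treats a file visible offline but absent live, or a file whose live hash differs from its on-disk hash, as the findings worth escalating, while a live-only file on an allow-list of known runtime artifacts is expected noise.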
    

