Re: [Full-disclosure] Microsoft GhostBuster Opinions
From: Ron DuFresne (dufresne_at_winternet.com)
Date: Thu, 17 Mar 2005 19:58:43 -0600 (CST)
To: Dave King <firstname.lastname@example.org>
On Thu, 17 Mar 2005, Dave King wrote:
> Valdis.Kletnieks@vt.edu wrote:
> >On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
> >> Also, this is not just like tripwire. If the kernel is compromised
> >> and reporting false data to tripwire then tripwire can run along merrily
> >> thinking everything's great. This is why booting to a trusted kernel
> >> is important for the process. Exploiting Software by Hoglund and McGraw
> >> has a discussion on these types of rootkits. Tripwire, however, does
> >> great at detecting other sorts of intrusions.
> > Actually, the "prior art" *is* tripwire. If you run tripwire on the live
> > system, then run it while booted from a CD, and they produce different
> > results, you have a problem.
> > And that's what they're doing by doing a 'dir /a /s' on the live system,
> > then booting the Windows PE CD, and looking for differences....
> Ok, this is true. I guess what I meant by what I said was running
> tripwire as a cron job daily or whatever on a system without booting to
> a known good kernel could yield incorrect results if the kernel has been
> compromised. A similar result can be had using tripwire on the system
> then booting to a known good kernel and running it again.
If the kernel is modified, on a Windows or *nix system, you are going to
have a clear clue upfront; the system will have rebooted. 'Course, a
failing system that reboots or blue screens every few weeks rather than
runs stable unless there is a total power outage or a maint window when such
things are done is another problem altogether...
Of course, I'm not sure you understand what tripwire is or does, further
research might be in order.
--
"Sometimes you get the blues because your baby leaves you. Sometimes you get'em 'cause she comes back." --B.B. King
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
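The cross-view check Valdis describes (a `dir /a /s` from the live system against one taken after booting the PE CD) as an added example that is not part of the thread or of GhostBuster itself; it parses both listings and reports files that the trusted view shows but the live view hides, or whose sizes disagree. The two listings are constructed sample data and the function names are this example's own.

```python
import re
from typing import Dict, List

# One file line of `dir /a /s` output: date, time, comma-grouped size, name.
# `<DIR>` entries and the "n File(s)" summary lines do not match this pattern.
FILE_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+?)\s*$")
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")

def parse_dir_listing(text: str) -> Dict[str, int]:
    """Map full path -> size in bytes for every file in a `dir /a /s` listing."""
    files: Dict[str, int] = {}
    current = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current = header.group(1).rstrip("\\")
            continue
        entry = FILE_LINE.match(line)
        if entry and current is not None:
            files[current + "\\" + entry.group(4)] = int(entry.group(3).replace(",", ""))
    return files

def cross_view_diff(live: str, offline: str) -> Dict[str, List[str]]:
    """Compare the live-system listing with the one taken from the trusted boot.
    A file present offline but absent live is the classic rootkit-hiding signature."""
    live_files, offline_files = parse_dir_listing(live), parse_dir_listing(offline)
    return {
        "hidden_from_live": sorted(set(offline_files) - set(live_files)),
        "only_in_live": sorted(set(live_files) - set(offline_files)),
        "size_mismatch": sorted(p for p in live_files
                                if p in offline_files and live_files[p] != offline_files[p]),
    }

# Constructed sample listings: the offline view exposes hidden.sys and a larger drivers.ini.
LIVE_LISTING = r""" Volume in drive C has no label.
 Directory of C:\Windows\System32
03/17/2005  07:58 PM    <DIR>          .
03/17/2005  07:58 PM            12,345 kernel32.dll
03/17/2005  07:58 PM             2,048 drivers.ini
               2 File(s)         14,393 bytes
"""
OFFLINE_LISTING = r""" Volume in drive C has no label.
 Directory of C:\Windows\System32
03/17/2005  07:58 PM    <DIR>          .
03/17/2005  07:58 PM            12,345 kernel32.dll
03/17/2005  07:58 PM             4,096 drivers.ini
03/17/2005  07:58 PM            40,960 hidden.sys
               3 File(s)         57,401 bytes
"""

if __name__ == "__main__":
    for kind, paths in cross_view_diff(LIVE_LISTING, OFFLINE_LISTING).items():
        print(kind, paths)
```

A size mismatch on a file the kernel still lists is worth the same attention as a hidden file, since a hooked filesystem view can lie about metadata as easily as about existence.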