Re: An alternative method to check LKM backdoor/rootkit
From: Paul Starzetz (paul@starzetz.de) Date: 04/17/02
- Previous message: Microsoft: "Microsoft Security Bulletin MS02-019: Unchecked Buffer in Internet Explorer and Office for Mac Can Cause Code to Execute (Q321309)"
- In reply to: Wang Jian: "An alternative method to check LKM backdoor/rootkit"
- Next in thread: Florian Weimer: "Re: An alternative method to check LKM backdoor/rootkit"
- Reply: Florian Weimer: "Re: An alternative method to check LKM backdoor/rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 17 Apr 2002 15:54:26 +0200 From: Paul Starzetz <paul@starzetz.de> To: Wang Jian <lark@marsec.net>, bugtraq@securityfocus.com
Wang Jian wrote:
>THE ALTERNATIVE METHOD
>
>Our alternative method uses the first style: to find the differences
>between the fake view and the real view.
>
>We read the raw disk and traverse the filesystem on disk, bypass the
>live filesystem, and create a real view of files on disk; then traverse
>the live filesystem to get the fake view. Comparing the two views, we can
>find the differences. We will find the stealth files.
>
Be sure that this will be fixed in the next 'generation' of LRKM's.
Patching the device methods for disk special nodes is not a big deal -
why not incorporate even your code into one of the nice LRKM's? You
probably found a weakness of 'current' LRKM's but in general it is a bad
idea to check your machine while running a compromised kernel.
/ih
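The two-view comparison Wang Jian describes, written out as an added example (not code from either poster): the on-disk view is taken with `debugfs -R 'ls -p DIR'` on the block device, the live view with `os.listdir`, and names present on disk but absent from the live listing are reported. It assumes an ext2/3/4 filesystem and a `debugfs` binary on the path; as Paul notes, the block device is still opened through the running kernel, so a module that also patches the device methods defeats this check.

```python
"""Diff an on-disk directory listing (via debugfs) against the live view."""
import os
import subprocess


def parse_debugfs_ls(output: str) -> set[str]:
    """Parse `debugfs -R 'ls -p DIR'` output.

    Each entry is one line of '/'-separated fields:
        /inode/mode/uid/gid/name/size/
    Lines with fewer fields (blank lines, banner text) are ignored.
    """
    names = set()
    for line in output.splitlines():
        parts = line.split("/")
        if len(parts) < 7:
            continue
        name = parts[5]
        if name not in (".", ".."):
            names.add(name)
    return names


def disk_view(device: str, directory: str) -> set[str]:
    """On-disk view: names debugfs finds by walking the raw filesystem."""
    proc = subprocess.run(["debugfs", "-R", f"ls -p {directory}", device],
                          capture_output=True, text=True, check=True)
    return parse_debugfs_ls(proc.stdout)


def live_view(directory: str) -> set[str]:
    """Live view: names the running kernel's VFS presents for the directory."""
    return set(os.listdir(directory))


def compare_views(disk: set[str], live: set[str]) -> dict[str, set[str]]:
    """Names only on disk are candidate stealth files; names only in the
    live view usually mean a mount point or a file created since the disk
    read, and are reported so the operator can rule them out."""
    return {"hidden_from_live": disk - live, "only_in_live": live - disk}


if __name__ == "__main__":
    import sys
    # usage: python3 viewdiff.py /dev/sda1 /  (device, then directory path)
    dev, path = sys.argv[1], sys.argv[2]
    result = compare_views(disk_view(dev, path), live_view(path))
    for key, names in result.items():
        print(key, sorted(names))
```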