Re: 'rooted' NT/2K boxen?

From: Droby10 (droby10@onebox.com)
Date: 05/03/02


Date: Fri, 03 May 2002 15:09:29 -0500
From: "Droby10" <droby10@onebox.com>
To: mfrd@attitudex.com

i think there is a misunderstanding of the difference between a compromised
host and a "rooted" box (and i could very well be the one who doesn't
understand). but, i have always understood a rooted box to be a compromised
host that displays no symptoms or characteristics of that situation.

i.e. even replacing /bin/login with a simple backdoor version is detectable
with file signatures, user, processor, and network statistics. to me
a unix rootkit would need to affect the way that those variables/lists
are gathered/collected [or in this case omitted] at a kernel/system level
- not an application, user, or even service level. with that definition,
ntrootkit is the only (or the closest to) true rootkit for windows platforms
that has been publicly released (AFAIK).

sure there are plenty of ways to compromise a host, and many are very
savvy at keeping as silent as possible, but they still create/leave traces
that can easily be exposed. even with the "as-is" ntrootkit, the simple
detectionary measure is to attempt to start/stop the service. but it
does very well to hide itself and "_root" others from queries into the
filesystem, registry, and process list/tree, scm, etc.

-- 
droby10@onebox.com - email

PGP Fingerprint-- DD5A 7272 69A2 8CC5 2F30 6035 8528 3D58 0056 57A9
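A worked illustration of the detection principle in the message above (cross-checking one view of the process list against another), added here as example code that is not from the original post or its author: it probes the whole pid space with kill(pid, 0) and reports pids that answer but do not appear under /proc. It exposes hiding that filters the /proc listing at the user or library level; a kernel-level hook that also lies to kill() would defeat it, which is exactly the distinction the author draws. Assumes Linux with /proc mounted.

```python
import os
from typing import Callable, Iterable, Set


def probe_pid(pid: int) -> bool:
    """Signal 0 checks existence without delivering anything.
    ProcessLookupError -> no such id; PermissionError -> exists, not ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def proc_ids() -> Set[int]:
    """Pids plus thread ids visible through /proc.
    kill() also answers for thread ids, so they must count as visible."""
    ids: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # process exited between the two reads
    return ids


def hidden_pids(list_visible: Callable[[], Iterable[int]],
                probe: Callable[[int], bool],
                max_pid: int, rounds: int = 2) -> Set[int]:
    """Ids that answer to probe() but are missing from list_visible().
    Only ids missing in every round are reported, which filters out
    processes that were created or exited between the two views."""
    suspects = None
    for _ in range(rounds):
        seen = set(list_visible())
        alive = {pid for pid in range(1, max_pid + 1) if probe(pid)}
        missing = alive - seen
        suspects = missing if suspects is None else suspects & missing
    return suspects or set()


def self_check() -> bool:
    """Sanity check: our own pid must answer to the probe."""
    return probe_pid(os.getpid())


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    print(sorted(hidden_pids(proc_ids, probe_pid, pid_max)) or "no hidden pids")
```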