Re: 'rooted' NT/2K boxen?

From: Droby10 (droby10@onebox.com)
Date: 05/03/02


Date: Fri, 03 May 2002 15:09:29 -0500
From: "Droby10" <droby10@onebox.com>
To: mfrd@attitudex.com

i think there is a misunderstanding of the difference between a compromised
host and a "rooted" box (and i could very well be the one who doesn't
understand). but, i have always understood a rooted box to be a compromised
host that displays no symptoms or characteristics of that situation.

i.e. even replacing /bin/login with a simple backdoor version is detectable
with file signatures, user, processor, and network statistics. to me
a unix rootkit would need to affect the way that those variables/lists
are gathered/collected [or in this case omitted] at a kernel/system level
- not an application, user, or even service level. with that definition,
ntrootkit is the only (or the closest to) true rootkit for windows platforms
that has been publicly released (AFAIK).

sure there are plenty of ways to compromise a host, and many are very
savvy at keeping as silent as possible, but they still create/leave traces
that can easily be exposed. even with the "as-is" ntrootkit, the simple
detectionary measure is to attempt to start/stop the service. but it
does very well to hide itself and "_root" others from queries into the
filesystem, registry, and process list/tree, scm, etc.

-- 
droby10@onebox.com - email

PGP Fingerprint-- DD5A 7272 69A2 8CC5 2F30 6035 8528 3D58 0056 57A9
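The post argues that an application-level backdoor (a replaced /bin/login) is detectable by file signatures, while a true rootkit subverts the collection of those signatures at the kernel level. The following is an added example illustrating the first half of that argument; it is not code from the original message. It builds a SHA-256 baseline of a directory tree, then re-hashes and reports changed, added and removed files. The directory layout and file contents are constructed in a temporary directory so the script runs offline; the names `login`, `ls` and `sshd` are just sample file names.

```python
"""File-signature baseline check (added example, not from the original post).

Demonstrates why a swapped-in binary is detectable from user space: even when
the trojaned file has the same size, its digest differs from the baseline.
All paths and file contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map relative path -> digest for every regular file under root.

    Symlinks are skipped so a link pointing at a trusted file cannot stand in
    for the file itself. Paths are normalised to forward slashes so baselines
    compare the same way on every platform.
    """
    baseline: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def compare_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between two baselines.

    changed: present in both, digest differs
    added:   only in the new snapshot
    removed: only in the old snapshot
    """
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    return {"changed": changed, "added": added, "removed": removed}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a fake bin/ tree, replace one binary
    with a same-size file and drop in a new one, then re-snapshot."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, content in (("login", b"original login\n"), ("ls", b"original ls\n")):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(content)
        before = build_baseline(root)

        # Same byte length as the original, so size-only checks would miss it.
        with open(os.path.join(bindir, "login"), "wb") as f:
            f.write(b"trojaned login\n")
        # An extra file that was not in the baseline at all.
        with open(os.path.join(bindir, "sshd"), "wb") as f:
            f.write(b"new file\n")
        after = build_baseline(root)

        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

This is exactly the check the post says a real rootkit must defeat: if the kernel lies about file contents when `hash_file` reads them, the re-hash matches the baseline and nothing is reported. That is why a baseline of this kind is only trustworthy when it is stored off the host and the comparison is run from known-good media, rather than from the possibly compromised system itself.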
