Re: nouser - rootkit ?

From: Dave Dittrich (dittrich@cac.washington.edu)
Date: 03/12/02


Date: Mon, 11 Mar 2002 23:33:39 -0800 (PST)
From: Dave Dittrich <dittrich@cac.washington.edu>
To: Konrad Rieck <kr@roqe.org>


> I wonder if there are really attackers out there installing bogus-rootkits
> in order to protect the real ones. Has anybody on this list detected such
> kind of "feints"?

I have seen multiple rootkits on a single system, but was not entirely
sure that the box hadn't been rooted twice by two different
attackers/methods. I've also seen a combo "trojaned binary and LKM"
rootkit (I couldn't tell if the trojans were red herrings or training
wheels for the LKM.)

The Honeynet Project Forensic Challenge also had a single rootkit that
*looked* like multiple rootkits, because it was cobbled together from
several different rootkits (in fact some replaced programs were so old
they didn't work with the system's kernel, and the SSH daemon was
trojaned and the attacker using it didn't even know he was installing
a pre-owned service!)

The one thing you can say about a population as large as the attacker
community is that no two attack(er)s are exactly the same. (Life would
be boring if they were. ;)

--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com


