Re: nouser - rootkit ?

From: Bill_Royds@pch.gc.ca
Date: 03/12/02


From: Bill_Royds@pch.gc.ca
To: "Bruce Ediger" <eballen1@qwest.net>
Date: Tue, 12 Mar 2002 12:10:02 -0500

From monitoring router logs, I have found that sometimes a machine is
rooted more than once.
The first kiddie roots the machine, installs a rootkit, but doesn't fix
the vulnerability.
A subsequent cracker roots it again, installing a different rootkit.
It is not a feint, just the fact that rooting a box doesn't necessarily fix
the vulnerability.
Oh yes, it was an IRIX box rooted with telnet vulnerability.

Bill Royds
Acting System Administrator,
Canadian Heritage Information Network
(819) 994-1200 X 239

"Bruce Ediger" <eballen1@qwest.net>
03/11/02 10:26 PM

 
        To: incidents@securityfocus.com
        cc: "Konrad Rieck" <kr@roqe.org>
        Subject: Re: nouser - rootkit ?

On Mon, 11 Mar 2002, Konrad Rieck wrote:

> I wonder if there are really attackers out there installing bogus-rootkits
> in order to protect the real ones. Has anybody on this list detected such
> kind of "feints"?

I posted to usenet last year with the same question, because one
of the machines I tend got rooted.

In response, some guy claimed he found a rootkit that had at least
two layers:

http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net

I'm not at all sure I believe this story: IRIX is pretty obscure,
and not very widely used. Why would anyone go to the effort of
doing a "feint" rootkit to mask a "real" rootkit for so few targets?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
