RE: NKADM rootkit - Something new?

From: Levinson, Karl (Karl.Levinson_at_dhs.gov)
Date: 06/01/04

    To: 'Ansgar -59cobalt- Wiechers' <bugtraq@planetcobalt.net>, incidents@securityfocus.com
    Date: Tue, 1 Jun 2004 11:16:23 -0400 
    
    

    The question is, sufficient for what? Doing such a memory dump writes the
    entire contents of memory to the hard drive, thus altering a large portion
    of the hard disk image and possibly overwriting useful information. In some
    scenarios, this could possibly cause problems, e.g. if something important
    on the drive is overwritten, or if the hard drive needs to stand up as
    evidence in court.

    The question is probably academic. You cannot do this memory dump on demand
    unless you previously added the registry value AND rebooted, before the
    compromise took place.

    And as Harlan pointed out, if you did do this dump, you would have a lot of
    data to go through in the dump. You would have to be prepared with the
    knowledge, tools and time to go through that dump, or else making the dump
    will probably not help anyone. Examining a Windows memory dump is not
    trivial.

    -----Original Message-----
    From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@planetcobalt.net]
    Sent: Monday, May 31, 2004 5:09 PM
    To: incidents@securityfocus.com
    Subject: Re: NKADM rootkit - Something new?

    Microsoft has documented a way to create a memory dump on demand [1]. Could
    this be considered sufficient to preserve the system's state?

