Re: Keen to test out root kits

From: H Carvey (keydet89_at_yahoo.com)
Date: 02/19/04

    Date: 19 Feb 2004 20:25:22 -0000
    To: security-basics@securityfocus.com
    In-Reply-To: <009601c3f48c$daf58c70$6502010a@coenholdings.ie>

    Mike,

    >There are tools available for many of these kits to discover their
    >presence on a system and even break passwords etc for the purpose of
    >hijacking them from another cracker. A crackers dream is to get one of
    >these kits installed on a system and you are proposing to do that for
    >them. Even if you took the security steps provided by these kits you
    >cannot secure yourself from attack.

    I think that perhaps you're confusing terminology here a bit. Rootkits are generally used to hide the presence of the attacker on a system, and may not in and of themselves be (or provide) backdoors. I'm speaking largely (though not completely) from a Windows perspective, here. A _backdoor_ will generally open a port or even have some way of contacting the attacker to let him know that it's online (a la an IRCBot, etc). And yes, a rootkit can hide the presence of a backdoor.

    >In short the answer is unless you are installing them on a test system
    >which is isolated from any other network with no critical information,
    >and you can wipe and reformat the system you would be mad to try.

    If you know what you're doing, there is no need whatsoever to do any of this. I fully agree with your warning about production systems, but perhaps anyone foolish enough to do so deserves what happens.

    On Windows systems, install InCtrl5, and run the first phase of a two-phase scan. Install your rootkit (Vanquish, AFX Rootkit 2003, HackerDefender, etc). Then reboot your (2K, XP) system into Safe Mode and run the second phase of InCtrl5. This will let you know what you need to remove.

    AFX is easy. The DLL injection-type user-mode rootkits are easy, for the most part...they only seem so because they're called "rootkits".

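The two-phase procedure described in the post (baseline, install the kit, re-scan from Safe Mode, compare), written out as an added example. This is not code from the original message and not InCtrl5's own implementation; the default directory, the HKLM Run/RunOnce keys and the file names in the demo are assumptions chosen for illustration, and the demo's "rootkit" is a constructed file drop plus a patched binary in a temporary directory.

```python
"""Two-phase baseline/compare, after the InCtrl5 procedure described above.

Phase 1 ("snapshot") records the SHA-256 of every file under the chosen roots
plus, on Windows, the HKLM Run/RunOnce autostart values.  Phase 2 is the same
snapshot taken after the rootkit install, from Safe Mode so the kit's injected
DLLs are not loaded into the process doing the enumeration.  "compare" then
lists what was added, removed or changed.  Defaults below are assumptions.
"""
import hashlib
import json
import os
import sys
import tempfile

# Assumed starting points; a real run should cover every directory the
# rootkit could write to (pass them on the command line).
DEFAULT_DIRS = [r"C:\Windows\System32"] if os.name == "nt" else ["/usr/lib"]
AUTOSTART_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
]


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_files(roots):
    """Map each file under roots to its hash; unreadable files are recorded, not fatal."""
    out = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    out[p] = hash_file(p)
                except OSError as e:
                    out[p] = "ERROR:" + type(e).__name__
    return out


def snapshot_registry():
    """Record HKLM autostart values (Windows only; empty dict elsewhere)."""
    if os.name != "nt":
        return {}
    import winreg
    out = {}
    for subkey in AUTOSTART_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue
        i = 0
        while True:
            try:
                name, value, _kind = winreg.EnumValue(key, i)
            except OSError:
                break
            out["HKLM\\" + subkey + "\\" + name] = str(value)
            i += 1
    return out


def take_snapshot(roots, registry=True):
    return {"files": snapshot_files(roots),
            "registry": snapshot_registry() if registry else {}}


def diff_snapshots(before, after):
    """Return added/removed/changed keys across the file and registry sections."""
    result = {"added": [], "removed": [], "changed": []}
    for section in ("files", "registry"):
        b, a = before.get(section, {}), after.get(section, {})
        result["added"] += sorted(k for k in a if k not in b)
        result["removed"] += sorted(k for k in b if k not in a)
        result["changed"] += sorted(k for k in a if k in b and a[k] != b[k])
    return result


def demo():
    """Constructed run: a fake 'clean' tree, then a dropped hook DLL and a patched binary."""
    root = tempfile.mkdtemp(prefix="rk_demo_")
    for name, data in (("benign.exe", b"MZ original"), ("helper.dll", b"MZ helper")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    before = take_snapshot([root], registry=False)          # phase 1
    with open(os.path.join(root, "rk_hook.dll"), "wb") as f:  # constructed rootkit DLL
        f.write(b"MZ injected")
    with open(os.path.join(root, "benign.exe"), "wb") as f:   # constructed patched binary
        f.write(b"MZ trojaned")
    after = take_snapshot([root], registry=False)           # phase 2
    delta = diff_snapshots(before, after)
    return {k: [os.path.basename(p) for p in v] for k, v in delta.items()}


if __name__ == "__main__":
    if len(sys.argv) >= 3 and sys.argv[1] == "snapshot":      # used for phase 1 and phase 2
        with open(sys.argv[2], "w") as f:
            json.dump(take_snapshot(sys.argv[3:] or DEFAULT_DIRS), f)
    elif len(sys.argv) == 4 and sys.argv[1] == "compare":
        with open(sys.argv[2]) as f1, open(sys.argv[3]) as f2:
            print(json.dumps(diff_snapshots(json.load(f1), json.load(f2)), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Usage mirrors the post: `snapshot before.json` on the clean box, install the kit, reboot into Safe Mode, `snapshot after.json`, then `compare before.json after.json`. The comparison is only as good as the second enumeration: Safe Mode keeps a user-mode kit's injected DLLs out of the snapshotting process, but a kernel driver registered to load under the SafeBoot service groups would still be hooking the file and registry calls, in which case the phase-2 snapshot should be taken with the disk mounted from a separate boot medium.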
