RE: rootkit behavior

Yes. The same as you can install applications and run executables from
any drive or media.

Most of the rootkits hijack system calls that ask what processes are
running or files are in a directory, and remove themselves from the
results. If it lived on the d: drive, it would just remove itself from
d:\<%path%>\ instead of c:\<%path%>\.

Reformatting c: wouldn't remove the code from the d: drive, but to be
persistent the rootkit has to start somehow, and reformatting c: would
remove whatever hooks it had in the startup sequence.

Of course if the code was re-executed from d: somehow you would be right
back where you started from, but after re-installing the OS the rootkit
should not execute on its own.

AB


-----Original Message-----
From: rainmann@xxxxxxxxxxxxx [mailto:rainmann@xxxxxxxxxxxxx]
Sent: Tuesday, July 25, 2006 11:11 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: rootkit behavior

Can a rootkit hide on a seperate physical disk from the operating
system? In other words, if WINNT is on c:\ can the rootkit live on
physically seperate data drives e:\ and f:\?


I have a client who wants his c:\ drive reformatted and reloaded to
insure that no rogue program remains. I haven't been able to give him a
definitive answer concerning his extensive data drives.


Also, does anyone know of any useful detection tools other than RootKit
Revealer and Blacklight? I saw the post the other day about Helios but
read that 1) it requires the .Net framework (ouch!) and 2) doesn't work
for Win2K.


Any advice here would be greatly appreciated.

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Relevant Pages

  • Re: How to find process behing TCP connection ?
    ... Just wanted to point out that under *NIX, if you get rooted, your copy of lsof will probably be trojaned to hide the attacker's rootkit and malicious activity. ... EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... The NSA has designated Norwich University a center of Academic ...
    (Security-Basics)
  • RE: rootkit behavior
    ... Have you taken a look at the RootKit Revelations help forum? ... Can a rootkit hide on a seperate physical disk from the ... Norwich University ... EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ...
    (Security-Basics)
  • RE: rootkit behavior
    ... him a definitive answer concerning his extensive data drives. ... RootKit Revealer and Blacklight? ... EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... The NSA has designated Norwich University a center of Academic Excellence ...
    (Security-Basics)