Re: No Defense Against Windows Rootkits?

From: Imhotep (Imhotep_at_nospam.net)
Date: 09/29/05


Date: Wed, 28 Sep 2005 21:27:02 -0400

speeder wrote:

> On 28 Sep 2005 23:25:59 GMT, "nemo_outis" <abc@xyz.com> wrote:
>
>>PPS The only complete protection (passing over hardware tampering such as
>>compromised BIOSs) is something like hash-checking essential files after
>>booting from a known-good CD.
>
> Something like Tripwire? What would be the equivalent for Windows?

The problem that exists is this. An application is generally requesting
(using) a kernel API in some way, shape or form. In other words, the
application is not looking directly at the file on the disk. So,
if a rootkit is installed, and you are running a security app like Tripwire
on the same infected machine, then it really is useless (you're asking the
rootkit if the system is infected). That is why the other poster said
"...booting from known-good CD".

Im
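An added example (not from any poster in this thread) of the Tripwire-style offline check the thread describes: hash every file under a mounted volume while it is known-good, keep that manifest on the trusted boot media, and later compare from the same trusted media so no hooked kernel API on the suspect system sits between the checker and the bytes on disk. The volume layout, file names and contents in `demo()` are constructed stand-ins for a real system drive.

```python
"""Offline file-integrity check in the spirit of Tripwire.  Run build_baseline()
from trusted boot media against the volume while it is clean, store the result
on that media, and later run verify() from the same media against the suspect
volume mounted read-only."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so large binaries do not exhaust memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative path, '/' separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Re-hash the tree and report files whose hash changed, vanished, or appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system volume, then tamper with it."""
    with tempfile.TemporaryDirectory() as vol:
        os.makedirs(os.path.join(vol, "system32"))
        for name, data in (("system32/ntoskrnl.exe", b"kernel"), ("system32/hal.dll", b"hal")):
            with open(os.path.join(vol, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(vol)  # taken while the volume is known-good
        with open(os.path.join(vol, "system32/hal.dll"), "wb") as f:
            f.write(b"hal+patch")  # simulated in-place modification of a system file
        with open(os.path.join(vol, "system32/unknown.sys"), "wb") as f:
            f.write(b"new driver")  # simulated dropped file
        return verify(vol, baseline)
```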