RE: Finding root-kits on Windows

From: Amarante, Rodrigo P. <RPAmarante(at)directvla.com>
Date: Wed May 07 2003 - 11:32:03 EDT

I'm sorry for not completely answering your question. This is what I tried with Hacker Defense:

Mapping a network drive to a volume on the compromised machine - Cloaking bypassed
Connecting remotely to the Registry on the compromised machine - Cloaking was still enabled
Listing services remotely using psservice.exe from Sysinternals - Cloaking bypassed
Listing running processes remotely using pslist.exe from Sysinternals - Cloaking was still enabled
Trying to kill the "hidden" process remotely using the PID gathered with a renamed taskmgr - Successful
Trying to kill the "hidden" process remotely using the filename gathered with a renamed taskmgr - Failed

I think that the successful bypasses can be "fixed" by a newer version of the rootkit... It's just a matter of knowing what else to intercept (thank God for SoftIce)

-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com] Sent: Wednesday, May 07, 2003 11:04 AM
To: forensics@securityfocus.com

Rodrigo,

Thanks for the response...

> 2nd Question

> Do you need help?

I'm not doubting that it's true...I was asking regarding your testing infrastructure, for the purpose of reproducing your results. For example, did you try to do anything other than map a drive?

Thanks,

Harlan
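The two cases Rodrigo reports as "cloaking bypassed" (a mapped drive and a remote psservice listing) both rest on the same idea: the rootkit's hooks filter what is enumerated on the compromised host, so a listing taken through a path it does not hook (here, over the network from a clean analysis box) can be diffed against the listing taken locally, and anything present only in the unhooked view is what was being hidden. The script below is an added example to illustrate that cross-view comparison; it is not code from the thread or from either poster. The psservice-style and `dir`-style outputs embedded in it are constructed to resemble those tools' output formats, and the service and file names beginning with `hxdefdemo` are made-up placeholders for the hidden entries, not captures from the machine described above.

```python
"""Cross-view comparison of a hooked (local) listing against an unhooked (remote) one.

Added example, not from the mailing-list thread. All sample outputs are constructed.
"""
import re
from typing import Callable, List, Set

# Constructed psservice-style output as run ON the compromised host, where the
# rootkit's user-mode hooks filter the result before the tool sees it.
LOCAL_SERVICES = """\
SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
Notifies selected users and computers of administrative alerts.
\tTYPE              : 20 WIN32_SHARE_PROCESS
\tSTATE             : 4  RUNNING
SERVICE_NAME: Browser
DISPLAY_NAME: Computer Browser
\tTYPE              : 20 WIN32_SHARE_PROCESS
\tSTATE             : 4  RUNNING
"""

# Constructed psservice-style output for the same machine, but taken from a clean
# analysis host (psservice \\\\target) so the hooks on the target are not in the path.
# The extra entry (hxdefdemo, a made-up name) stands in for the cloaked service.
REMOTE_SERVICES = LOCAL_SERVICES + """\
SERVICE_NAME: hxdefdemo
DISPLAY_NAME: hxdefdemo
\tTYPE              : 10 WIN32_OWN_PROCESS
\tSTATE             : 4  RUNNING
"""

# Constructed cmd.exe `dir` output of a directory, as listed on the compromised host.
LOCAL_DIR = r"""
 Volume in drive C has no label.
 Directory of C:\WINNT\system32

05/07/2003  10:12a      <DIR>          .
05/07/2003  10:12a      <DIR>          ..
03/25/2003  09:02a             78,848  cmd.exe
03/25/2003  09:02a             50,960  notepad.exe
               2 File(s)        129,808 bytes
"""

# Constructed `dir` output of the same directory, listed through a drive mapped
# from the clean host. Again the hxdefdemo.* names are placeholders.
REMOTE_DIR = LOCAL_DIR.replace(
    "               2 File(s)",
    "05/06/2003  11:40p             70,656  hxdefdemo.exe\n"
    "05/06/2003  11:40p              3,211  hxdefdemo.ini\n"
    "               4 File(s)",
)

# psservice prints one "SERVICE_NAME: <name>" line per service.
SERVICE_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)\s*$", re.MULTILINE)
# dir prints "<date> <time> <DIR>|<size> <name>" lines; the header/footer lines
# carry no leading date and therefore do not match.
DIR_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\S+\s+(?:<DIR>|[\d,]+)\s+(.+?)\s*$", re.MULTILINE
)


def parse_service_names(text: str) -> Set[str]:
    """Extract service names from psservice-style output (case-folded)."""
    return {m.group(1).lower() for m in SERVICE_RE.finditer(text)}


def parse_dir_names(text: str) -> Set[str]:
    """Extract entry names from `dir`-style output, dropping the . and .. entries."""
    return {m.group(1).lower() for m in DIR_RE.finditer(text)} - {".", ".."}


def hidden_entries(
    hooked_view: str, clean_view: str, parser: Callable[[str], Set[str]]
) -> List[str]:
    """Names visible in the unhooked (clean) view but absent from the hooked view.

    Anything in this list was filtered out on the compromised host. Entries that
    appear only in the hooked view are not reported; they would indicate the
    remote path being filtered instead, which is a different problem.
    """
    return sorted(parser(clean_view) - parser(hooked_view))


def main() -> None:
    print("hidden services:", hidden_entries(LOCAL_SERVICES, REMOTE_SERVICES, parse_service_names))
    print("hidden files:   ", hidden_entries(LOCAL_DIR, REMOTE_DIR, parse_dir_names))


if __name__ == "__main__":
    main()
```

In practice the two listings come from running the same tool twice, once on the suspect host and once from a clean host against it, and saving both outputs to the analysis box before diffing; the rootkit's hooks live on the suspect host, so the comparison itself must not run there. As the thread notes, a remote listing only helps for the paths the rootkit does not already intercept (pslist and remote Registry access were still cloaked in Rodrigo's test), so an empty diff is not evidence that nothing is hidden.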




Received on Thu May 8 18:05:13 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT
