[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: g.thomas at nux-acid.org (Gino Thomas)
Subject: Removing ShKit Root Kit
Brian Eckman <eckman@....edu> wrote:
> Hmmm. Well, if the execute bit isn't set, then I'd assume it can be
> considered relatively safe. If the attacker can later find a way to
> chmod it and then execute it with the privliges needed to make it
> harmful, then I imagine that they could find other ways of
> compromising your machine as well.
>
> For Windows, if it's a backdoor that is named something.txt, well,
> again, the attacker would have to find a way to rename that file and
> execute it with appropriate permissions. Again, I imagine that if they
> can do that, that they could find other ways of compromising your
> machine as well.
The backdoor could for example be a nasty makro trojan placed in a .doc
that would later (most likely) executed by an user and so do the dirty
work without remote interaction. Nothing to rename or execute. I agree
with Paul that data from a compromised system can't be trusted anymore,
regardless what it is, it has to be checked for integrity or wiped (at
least in a secure environment).
regards
-gt
--
Gino Thomas | mailto: g.thomas@...-acid.org | http://nux-acid.org
GPG: E6EA9145 | 4578 F871 893E 1FEC 31FC 5B5E 8A46 4CC8 E6EA 9145
Powered by blists - more mailing lists