[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031222211514.GI591@wpni.com>
From: nbates at wpni.com (Nathan Bates)
Subject: Removing ShKit Root Kit
Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 02:12:53PM -0600)
[...]
> For Windows, if it's a backdoor that is named something.txt, well,
> again, the attacker would have to find a way to rename that file and
> execute it with appropriate permissions. Again, I imagine that if they
> can do that, that they could find other ways of compromising your
> machine as well.
Not if it's an Alternative Data Stream; you could launch it without any audit trail. These are generally tied
to the main file, which could be anything (eg. something.txt:trouble.exe). These aren't detectable without
specifically looking. You can fairly easily execute an ADS without it showing in the task list and other
niceties. I'm not certain if common BU utilities actually save ADSs.
Regards,
Nathan
Powered by blists - more mailing lists