| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3FE76F08.6020902@umn.edu> From: eckman at umn.edu (Brian Eckman) Subject: Removing ShKit Root Kit Nathan Bates wrote: > Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 02:12:53PM -0600) > > [...] > > >>For Windows, if it's a backdoor that is named something.txt, well, >>again, the attacker would have to find a way to rename that file and >>execute it with appropriate permissions. Again, I imagine that if they >>can do that, that they could find other ways of compromising your >>machine as well. > > > Not if it's an Alternative Data Stream; you could launch it without any audit trail. These are generally tied > to the main file, which could be anything (eg. something.txt:trouble.exe). These aren't detectable without > specifically looking. You can fairly easily execute an ADS without it showing in the task list and other > niceties. I'm not certain if common BU utilities actually save ADSs. > OK, so how does the attacker get the ADS to run? If you open something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as an executable file. It's ignored. Remember, the machine was formatted and reinstalled from clean media. However that ADS was called is now long gone... Brian -- Brian Eckman Security Analyst OIT Security and Assurance University of Minnesota "There are 10 types of people in this world. Those who understand binary and those who don't."
Powered by blists - more mailing lists