Message-ID: <20031223151645.GA589@wpni.com>
From: nathan.bates at wpni.com (Nathan Bates)
Subject: Removing ShKit Root Kit
Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 04:24:08PM -0600)
> OK, so how does the attacker get the ADS to run? If you open
> something.txt in notepad, it doesn't launch the ADS 'trouble.exe' as an
> executable file. It's ignored.
A quick google shows:
http://patriot.net/~carvdawg/docs/dark_side.html
If they're able to create the datastream in the first place, you'd think they'd be able to get it to run or
add it into the registry somewhere. I'm not completely certain, but you shouldn't be able to see them in the
task list either.
> Remember, the machine was formatted and reinstalled from clean media.
> However that ADS was called is now long gone...
If you're restoring from backup you may very well restore ADSs as well. In the context of a fresh install and
rebuild, this would have no effect. Unless of course you don't prevent the very vulnerability that allowed
the attacker access in the first place.
Just my 2 cents,
Nathan
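Two points in the message above, a stream that does not show up in the task list and a backup restore that silently brings streams back, suggest a check a defender can run over a rebuilt or restored volume. This is an added example, not code from the original thread; it assumes PowerShell 3.0 or later on an NTFS volume and relies on the Get-Item -Stream parameter, and the path D:\restored is a placeholder.

```powershell
# Added example (not from the original thread): enumerate alternate data streams
# under a directory tree, e.g. a freshly restored backup, and flag anything that
# is not the default ::$DATA stream or the browser Zone.Identifier marker.
# Assumes PowerShell 3.0+ on NTFS; -Stream is a real Get-Item parameter.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names that are expected and usually harmless.
        [string[]] $IgnoreStream = @(':$DATA', 'Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every named stream attached to the file.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    # Peek at the first two bytes: an 'MZ' header means the stream
                    # holds a PE executable, the case discussed in the thread.
                    # The "file:stream" path form is the NTFS ADS syntax.
                    $looksLikePE = $false
                    try {
                        $fs = [System.IO.File]::OpenRead("$($file.FullName):$($_.Stream)")
                        try {
                            $hdr = New-Object byte[] 2
                            $n = $fs.Read($hdr, 0, 2)
                        } finally {
                            $fs.Dispose()
                        }
                        $looksLikePE = ($n -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                    } catch { }
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        Bytes       = $_.Length
                        LooksLikePE = $looksLikePE
                    }
                }
        }
}

# Usage: report non-default streams on a restored tree, largest first.
Find-AlternateDataStream -Path 'D:\restored' | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Anything flagged with LooksLikePE, or a large stream on a file that should only carry text, is worth pulling for analysis before the restored data is put back into service.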