Open Source and information security mailing list archives
Message-ID: <4239D2E9.8050000@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: Microsoft GhostBuster Opionions

Valdis.Kletnieks@...edu wrote:

>On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
>
>>    Also, this is not just like tripwire.  If the kernel is compromised 
>>and reporting false data to tripwire then tripwire can run along merrily 
>>thinking everything's great.  This is why booting to a trusted kernel 
>>is important for the process.  Exploiting Software by Hoglund and McGraw 
>>has a discussion on these types of rootkits.  Tripwire, however, does 
>>great at detecting other sorts of intrusions.
>
>Actually, the "prior art" *is* tripwire.  If you run tripwire on the live
>system, then run it while booted from a CD, and they produce different
>results, you have a problem.
>
>And that's what they're doing by doing a 'dir /a /s' on the live system,
>then booting the Windows PE CD, and looking for differences....

In fact, it's even more simple than that.  Tripwire is far more complex 
than a 'dir /a /s' and comparing the file differences.

A 'dir /a /s' is more comparable to a 'tree -afi' (I believe these are 
the right command line switches - this was entered from memory) on Unix 
systems with the tree binary installed.  All you need to do is boot from 
another media, rinse, repeat, and run a diff on the two files.

This would place the prior art even further back in time.  And dare I 
say that the output of tree would even be more useful than the dir 
output, not to mention the fact that the tripwire check is just in 
another league entirely.  (Meaning far far far more useful output.)

             -Barry
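The cross-view check Barry describes (list the tree on the live system, list it again after booting from trusted media, then diff the two), as an added shell example that is not part of this thread. The `tree -afi --noreport` invocation and the two listings are constructed for illustration; a real run would feed it the two saved listing files.

```shell
#!/bin/sh
# Added example, not code from the thread: diff a file listing taken on the
# live (possibly rootkitted) system against one taken after booting from
# trusted media. Listings are one full path per line, e.g. as produced by:
#   tree -afi --noreport / > listing.txt
# Both listings below are constructed for illustration.

LIVE_LISTING='/
/bin
/bin/ls
/etc
/etc/passwd
/var/log/messages'

OFFLINE_LISTING='/
/bin
/bin/ls
/etc
/etc/passwd
/etc/.hidden
/etc/.hidden/data
/var/log/messages'

# Normalise a listing: strip trailing slashes (but keep "/" itself), drop
# blank lines, sort bytewise and uniquely so comm(1) sees a stable order.
normalize() {
    sed -e 's#\(.\)/$#\1#' -e '/^$/d' | LC_ALL=C sort -u
}

# cross_view LIVE OFFLINE COMM_FLAGS: run comm over the two normalised
# listings. "-13" prints entries only in OFFLINE, "-23" only in LIVE.
cross_view() {
    live=$(mktemp); off=$(mktemp)
    printf '%s\n' "$1" | normalize > "$live"
    printf '%s\n' "$2" | normalize > "$off"
    LC_ALL=C comm "$3" "$live" "$off"
    rm -f "$live" "$off"
}

# Entries the trusted boot sees but the live kernel did not report: the
# signature of a kernel-level rootkit hiding files from userland.
hidden_from_live() { cross_view "$1" "$2" -13; }

# Entries only the live system reported: usually transient files, but a
# mismatch in either direction is the finding, so report them too.
live_only() { cross_view "$1" "$2" -23; }

echo "== present offline, hidden on the live system =="
hidden_from_live "$LIVE_LISTING" "$OFFLINE_LISTING"
```

The same two functions work on the real files by reading them into the variables first (`LIVE_LISTING=$(cat live.txt)`), or by pointing `comm` at the saved files directly.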

