Rootkit Hunter
Serg B.
sergicles at gmail.com
Sat Dec 23 15:13:35 UTC 2006
P.S.
Security is a process, not a destination. Hence rootkit detectors are a good
step but they shouldn't be the only step. For example you could install
tripwire or keep an up to date MD5 database of all (that matter) system files
on external media and compare against that once in a while... Also keep a
copy of netstat, ps, ls, cp, lsmod, etc on some sort of removable media so
you can validate the system with trusted utilities...
On 24/12/06, Serg B. <sergicles at gmail.com> wrote:
>
> > I know that as a proof of concept a rootkit has been written for
> > Linux and Windows that uses the virtualization technology and thus
> > runs outside the context of the OS, so there's no chance to detect it
> > by any means if the OS is running (does a vmware guest know that it
> > is a vmware guest?). But I don't know of anything that has been
> > written for a useful thing.
>
>
> Sounds like James Bond stuff to me. Do you have a link to an article that
> talks about the above proof of concept code? Since you know...
>
> I heard that VMWare released or is about to release a tool that can image
> the currently running OS into a VMWare machine.
>
> I agree that detecting a virus that wraps an OS into a VM image and runs
> beneath it would be (maybe almost) impossible.
>
> However you would definitely know about it. Nothing stealthy there unless
> you run one powerful mother of a machine! And even then you would see that
> things are not quite as fast. You would notice a performance decrease since
> you would be now running two OSes. One for the virus and one for the guest.
> Reduced disk size - a noticeable chunk since there is another OS installed.
> On reboot a boot-up screen would show messages inconsistent with the guest OS,
> etc. Like I said nothing stealthy, in MY opinion.
>
> So yeah I doubt that this proof of concept is anything more than
> marketing speak for VM tools and somebody trying to get a security paper out
> for self promotion.
>
> Uh why not, it is the flavor of the month after all.
>
--
Serg
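The P.S. above describes two checks: an integrity baseline of system files kept on external media, and trusted copies of inspection tools kept off the possibly compromised host. The script below is an added example written for this archive page; it is not code from the original post or from the ubuntu-users thread. It assumes a hypothetical mounted media directory (`$MEDIA` in the comments) and a hypothetical path list, and it swaps in `sha256sum` for the MD5 the post mentions. The trailing comments show how the functions would be run against a real system; the functions themselves only touch the paths you hand them.

```shell
#!/bin/sh
# Added example, not from the original post. Baseline-and-verify for system
# files plus staging of trusted tools on removable media. Uses sha256sum
# instead of the MD5 suggested in the post. Paths such as $MEDIA are
# hypothetical placeholders chosen for this example.

# Hash every file listed in <path-list> (one absolute path per line) into
# <baseline-file> in "hash  path" form, the format sha256sum -c understands.
# Usage: build_baseline <path-list> <baseline-file>
build_baseline() {
  list="$1"; out="$2"
  : > "$out"
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if [ -f "$path" ]; then
      sha256sum "$path" >> "$out"
    else
      printf 'warning: %s missing, not baselined\n' "$path" >&2
    fi
  done < "$list"
}

# Copy inspection tools onto the media so later checks do not depend on the
# host's copies. Caveat: a dynamically linked copy still loads the host's
# libc and runs on the host's kernel, so a library or kernel rootkit can
# still lie to it; prefer statically linked builds and boot from clean media
# for a conclusive check.
# Usage: stage_tools <media-dir> tool...
stage_tools() {
  media="$1"; shift
  mkdir -p "$media/bin"
  for t in "$@"; do
    src=$(command -v "$t") || { printf 'warning: %s not found\n' "$t" >&2; continue; }
    cp "$src" "$media/bin/"
  done
}

# Compare the live files against <baseline-file>, hashing with the given
# sha256sum binary (default: whatever is on PATH; pass the staged copy to
# avoid the host's). Prints one line per problem. Returns the number of
# missing or changed files, capped at 255, so 0 means clean.
# Usage: verify_baseline <baseline-file> [sha256sum-binary]
verify_baseline() {
  base="$1"; sum="${2:-sha256sum}"
  bad=0
  while read -r expected path; do
    [ -n "$path" ] || continue
    if [ ! -f "$path" ]; then
      printf 'MISSING  %s\n' "$path"
      bad=$((bad + 1))
      continue
    fi
    actual=$("$sum" "$path" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      printf 'CHANGED  %s\n' "$path"
      bad=$((bad + 1))
    fi
  done < "$base"
  if [ "$bad" -gt 255 ]; then bad=255; fi
  return "$bad"
}

# Intended use on a real host (not executed here; $MEDIA is hypothetical):
#   MEDIA=/media/usb
#   find /bin /sbin /usr/bin /usr/sbin /lib -type f > "$MEDIA/paths.txt"
#   build_baseline "$MEDIA/paths.txt" "$MEDIA/baseline.sha256"
#   stage_tools "$MEDIA" sha256sum ps ls netstat lsmod cp
#   ... later, with the media remounted read-only ...
#   verify_baseline "$MEDIA/baseline.sha256" "$MEDIA/bin/sha256sum" \
#     || echo "integrity check failed: $? file(s)"
```

The baseline only helps if it is built on a host you still trust and then kept where the host cannot rewrite it, so mount the media read-only (or keep it unplugged) between checks; a baseline regenerated after compromise just blesses the trojaned files.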