Re: An alternative method to check LKM backdoor/rootkit

From: Paul Starzetz (paulat_private)
Date: Wed Apr 17 2002 - 06:54:26 PDT


    Wang Jian wrote:
    
    >THE ALTERNATIVE METHOD
    >
    >Our alternative method uses the first style: to find the differences
    >between the fake view and the real view.
    >
    >We read the raw disk and traverse the filesystem on disk, bypassing the
    >live filesystem, and create a real view of the files on disk; then we
    >traverse the live filesystem to get the fake view. Comparing the two
    >views, we can find the differences. We will find the stealth files.
    >
    Be sure that this will be fixed in the next 'generation' of LRKMs.
    Patching the device methods for disk special nodes is not a big deal -
    why not incorporate even your code into one of the nice LRKMs? You
    probably found a weakness of 'current' LRKMs, but in general it is a bad
    idea to check your machine while running a compromised kernel.
    
    /ih
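The comparison Wang Jian describes, as an added example that is not part of the original message or of either author's code: parse the on-disk ext2/ext3 directory-entry format from a raw directory block, compare the names found there with the names the live filesystem reports, and list what is missing on the live side. The directory block, the inode numbers and the "live" listing below are constructed sample data (a real run would read the block from the block device and the live view from os.scandir on the mounted path); the helper names are this example's own. Paul's caveat applies to any real use: if the kernel's block-device read path is hooked, the "raw" view is forged too, so run the on-disk side from a separate, trusted boot medium.

```python
import os
import struct

# On-disk layout of one ext2/ext3 directory entry (little-endian):
#   u32 inode, u16 rec_len, u8 name_len, u8 file_type, name[name_len],
#   then zero padding so the entry ends on a 4-byte boundary.
DIRENT_HDR = struct.Struct("<IHBB")


def parse_ext2_dir_block(block: bytes) -> dict:
    """Walk the entry chain of one on-disk directory block.

    Returns {name: inode} for in-use entries. An entry with inode 0 is an
    unused slot and is skipped; a rec_len that does not fit the block is
    treated as corruption rather than silently trusted.
    """
    entries = {}
    off = 0
    while off + DIRENT_HDR.size <= len(block):
        inode, rec_len, name_len, _ftype = DIRENT_HDR.unpack_from(block, off)
        if rec_len < DIRENT_HDR.size or off + rec_len > len(block):
            raise ValueError(f"corrupt rec_len {rec_len} at offset {off}")
        if inode != 0:
            start = off + DIRENT_HDR.size
            entries[block[start:start + name_len].decode("latin-1")] = inode
        off += rec_len
    return entries


def build_dir_block(entries, block_size=1024) -> bytes:
    """Constructed sample only: serialize (name, inode, file_type) tuples into
    a directory block the way mke2fs/the kernel would lay them out."""
    out = bytearray()
    for i, (name, inode, ftype) in enumerate(entries):
        raw = name.encode("latin-1")
        rec_len = (DIRENT_HDR.size + len(raw) + 3) & ~3
        if i == len(entries) - 1:
            rec_len = block_size - len(out)   # last entry claims the rest
        out += DIRENT_HDR.pack(inode, rec_len, len(raw), ftype) + raw
        out += b"\0" * (rec_len - DIRENT_HDR.size - len(raw))
    return bytes(out)


def live_dir_listing(path: str) -> set:
    """The 'fake view': whatever the running kernel's getdents() returns."""
    return {".", ".."} | {e.name for e in os.scandir(path)}


def diff_views(disk_view: dict, live_view: set) -> dict:
    """Names on disk that the live filesystem hides, and names the live
    filesystem reports that have no on-disk entry (e.g. created after the
    raw read, or injected by a faked view)."""
    return {
        "hidden_on_live": sorted(set(disk_view) - live_view),
        "only_in_live": sorted(live_view - set(disk_view)),
    }


# Constructed sample: a directory block holding five entries (inode numbers
# are made up), and a live listing from which two of them are missing, as a
# hooked getdents() would produce.
SAMPLE_DISK_BLOCK = build_dir_block([
    (".", 2, 2),
    ("..", 2, 2),
    ("sshd_config", 1001, 1),
    (".hidden_dir", 1337, 2),
    ("ld.so.preload", 1338, 1),
])
SAMPLE_LIVE_VIEW = {".", "..", "sshd_config"}


def demo() -> dict:
    return diff_views(parse_ext2_dir_block(SAMPLE_DISK_BLOCK), SAMPLE_LIVE_VIEW)


if __name__ == "__main__":
    print(demo())
```

On a real system the disk view comes from reading the directory's data blocks off the block device (after walking the superblock, group descriptors and the directory inode's block pointers, which this example does not reproduce), and the comparison is repeated recursively; the diff logic above is the same.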
    



    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 17:38:57 PDT