Jason Coombs wrote:

> A well-designed stealth rootkit would be certain to interfere with hash
> verification -- returning the expected hashes of compromised files so as to
> further reduce the chance of detection. The fact that the attacker/rootkit
> author can easily determine in advance what my authentic hashes are supposed
> to be is a legitimate risk in spite of the proven cryptographic safety of
> SHA-1, etc.

Along this line, if the rootkit employs an LKM (Loadable Kernel Module) that
intercepts and redirects system calls then hash verification techniques would be
reduced in value as the binaries/files aren't compromised.

-Ray

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
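Both posts above turn on whether hashes computed on the host being checked can be trusted. As an added example (not part of the original posts), this Python code compares a known-good baseline against hashes taken on the live host and hashes of the same disk mounted read-only on a trusted system. The function names, the two temporary directories standing in for the two views, and the use of SHA-256 are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def cross_view(baseline, live, offline):
    """Compare a known-good baseline against two views of the same files:
    live = digests from the running, untrusted host; offline = digests of the
    same disk mounted read-only on a trusted analysis system."""
    findings = {}
    for name, good in baseline.items():
        live_ok = live.get(name) == good
        offline_ok = offline.get(name) == good
        if live_ok and offline_ok:
            findings[name] = "clean"
        elif live_ok:
            # The host vouches for the file but the raw disk disagrees:
            # the answers given on the live host are not trustworthy.
            findings[name] = "live view forged"
        elif offline_ok:
            findings[name] = "differs only on live host"
        else:
            findings[name] = "modified"
    return findings


def demo():
    """Constructed sample: two directories stand in for the two views."""
    with tempfile.TemporaryDirectory() as tmp:
        live_root, offline_root = Path(tmp, "live"), Path(tmp, "offline")
        for root in (live_root, offline_root):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "ls").write_bytes(b"original ls")
            (root / "bin" / "ps").write_bytes(b"original ps")
        baseline = hash_tree(offline_root)
        # The on-disk ps changes while the live view still shows the original.
        (offline_root / "bin" / "ps").write_bytes(b"replaced ps")
        return cross_view(baseline, hash_tree(live_root), hash_tree(offline_root))


if __name__ == "__main__":
    print(demo())
```

A file reported as `live view forged` matches the baseline on the running host but not on the raw disk, which is the case Jason Coombs describes. In the LKM case Ray describes the files on disk are untouched, so every file can come back `clean` and that result does not clear the host.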
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 07:44:56 PST