I'm sorry for not completely answering your question. This is what I tried with Hacker Defense:

Mapping a network drive to a volume on the compromised machine - Cloaking bypassed
Connecting remotely to the Registry on the compromised machine - Cloaking was still enabled
Listing services remotely using psservice.exe from Sysinternals - Cloaking bypassed
Listing running processes remotely using pslist.exe from Sysinternals - Cloaking was still enabled
Trying to kill the "hidden" process remotely using the PID gathered with a renamed taskmgr - Successful
Trying to kill the "hidden" process remotely using the filename gathered with a renamed taskmgr - Failed

I think that the successful bypasses can be "fixed" by a newer version of the rootkit... It's just a matter of knowing what else to intercept (thank god for SoftIce).

-----Original Message-----
From: Harlan Carvey [mailto:keydet89at_private]
Sent: Wednesday, May 07, 2003 11:04 AM
To: forensicsat_private

Rodrigo,

Thanks for the response...

> 2nd Question
> From the ones I've played with (NTRootKit, Hacker
> Defense) What I said
> is true: a remote network connection won't be filtered by the rootkit
> driver.

I'm not doubting that it's true... I was asking regarding your testing infrastructure, for the purpose of reproducing your results. For example, did you try to do anything other than map a drive?

Thanks,
Harlan

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
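The tests listed in the message above all come down to the same idea: enumerate the same objects (files, registry keys, services, processes) through two different paths and see which path the rootkit's hooks cover. The script below is an added example, not code from this thread or from Sysinternals. It parses two process listings in pslist's tabular layout (image name, PID, priority, thread count, handle count, private bytes, then the time columns) and reports the PIDs present in one view but not the other; the two listings are constructed for the example, not real captures, and the process name "hiddenproc" is made up. The same diff applies unchanged to any pair of name/ID listings, e.g. psservice output gathered locally and remotely.

```python
"""Cross-view process diff, in the spirit of the tests described in the thread.

Added example; not code from the thread or from Sysinternals. Two listings
in pslist's layout are parsed and compared. A PID visible through one
enumeration path but not the other is a candidate for a cloaked process.
The sample listings are constructed, not captured from a real machine.
"""
import re
from typing import Dict, Tuple

# pslist rows (assumed layout): name  pid  pri  thd  hnd  priv  cpu-time  elapsed
_ROW = re.compile(r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+")


def parse_pslist(text: str) -> Dict[int, str]:
    """Return {pid: image name} from a pslist-style listing.

    Banner and blank lines before the 'Name ... Pid' header are skipped.
    Lines that do not match the row pattern are ignored rather than raising,
    because banners differ between tool versions.
    """
    procs: Dict[int, str] = {}
    in_table = False
    for line in text.splitlines():
        if not in_table:
            if line.lstrip().startswith("Name") and "Pid" in line:
                in_table = True
            continue
        m = _ROW.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("name")
    return procs


def cross_view_diff(view_a: Dict[int, str],
                    view_b: Dict[int, str]) -> Tuple[Dict[int, str], Dict[int, str]]:
    """PIDs visible in exactly one of the two views.

    A rootkit that hooks the enumeration path behind one view but not the
    other shows up here as a non-empty set. Results are keyed by PID so they
    can go straight into a kill-by-PID step.
    """
    only_a = {p: n for p, n in view_a.items() if p not in view_b}
    only_b = {p: n for p, n in view_b.items() if p not in view_a}
    return only_a, only_b


def find_cloaked(hooked_text: str, clean_text: str) -> Dict[int, str]:
    """Processes the unhooked path sees that the hooked path does not."""
    _, only_clean = cross_view_diff(parse_pslist(hooked_text),
                                    parse_pslist(clean_text))
    return only_clean


# Constructed sample: listing taken through a path the rootkit hooks.
HOOKED_VIEW = """\
pslist - Sysinternals PsList
Sysinternals - www.sysinternals.com

Process information for VICTIM:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:03:36.177     0:00:00.000
System                4   8  51  286      0     0:00:02.924     0:00:00.000
smss                452  11   3   21    164     0:00:00.030     0:10:12.000
csrss               520  13  11  409   1720     0:00:01.081     0:10:10.000
winlogon            544  13  19  520   6644     0:00:00.270     0:10:09.000
services            588   9  16  278   1800     0:00:00.800     0:10:08.000
lsass               600   9  19  366   3388     0:00:00.430     0:10:08.000
explorer           1264   8  10  371  10136     0:00:03.415     0:09:40.000
"""

# Constructed sample: same machine, listing taken through an unhooked path
# (in the thread, a renamed taskmgr). The only difference is one extra row.
CLEAN_VIEW = HOOKED_VIEW + (
    "hiddenproc         1312   8   2   41    340     0:00:00.010     0:09:55.000\n"
)

if __name__ == "__main__":
    for pid, name in find_cloaked(HOOKED_VIEW, CLEAN_VIEW).items():
        # Act on the PID, not the name: in the thread, the name-based kill
        # still went through the hooked path and failed.
        print(f"cloaked process candidate: {name} pid={pid}")
```

Feed it the two listings from whichever pair of paths you are testing; an empty result for a given pair means the rootkit hooks both paths the same way (or neither), which is exactly what the message's "cloaking was still enabled" entries record.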
This archive was generated by hypermail 2b30 : Thu May 08 2003 - 14:52:46 PDT