On Mon, 11 Mar 2002, Konrad Rieck wrote:

> I wonder if there are really attackers out there installing bogus-rootkits
> in order to protect the real ones. Has anybody on this list detected such
> kind of "feints"?

I posted to usenet last year with the same question, because one of the machines I tend got rooted. In response, some guy claimed he found a rootkit that had at least two layers:

http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net

I'm not at all sure I believe this story: IRIX is pretty obscure, and not very widely used. Why would anyone go to the effort of doing a "feint" rootkit to mask a "real" rootkit for so few targets?
This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 08:25:41 PST