> I wonder if there are really attackers out there installing bogus-rootkits
> in order to protect the real ones. Has anybody on this list detected such
> kind of "feints"?

I have seen multiple rootkits on a single system, but was not entirely sure that the box hadn't been rooted twice by two different attackers/methods. I've also seen a combo "trojaned binary and LKM" rootkit (I couldn't tell if the trojans were red herrings or training wheels for the LKM.)

The Honeynet Project Forensic Challenge also had a single rootkit that *looked* like multiple rootkits, because it was cobbled together from several different rootkits (in fact some replaced programs were so old they didn't work with the system's kernel, and the SSH daemon was trojaned and the attacker using it didn't even know he was installing a pre-owned service!)

The one thing you can say about a population as large as the attacker community is that no two attack(er)s are exactly the same. (Life would be boring if they were. ;)

--
Dave Dittrich                           Computing & Communications
dittrichat_private                      University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 10:39:30 PST