I can verify that this practice is in place. Just last week I investigated a break-in with multiple instances of rootkits on a single Linux system: the system was rootkited both with the 'adore' kernel module and with a more standard binary-type rootkit. I can only draw the conclusion that the hacker was knowingly installing two different rootkits, because I found one of the hidden directories where both the adore kit AND the binaries were located.

What doesn't make sense in a case like this is what the hacker is trying to accomplish. I tend to think that most security-minded folks would never discover a rootkit and then 'clean up' without re-installing. It is my personal opinion that that is horribly bad practice.

Dan

Bruce Ediger wrote:

> On Mon, 11 Mar 2002, Konrad Rieck wrote:
>
> > I wonder if there are really attackers out there installing bogus rootkits
> > in order to protect the real ones. Has anybody on this list detected such
> > kind of "feints"?
>
> I posted to usenet last year with the same question, because one
> of the machines I tend got rooted.
>
> In response, some guy claimed he found a rootkit that had at least
> two layers:
>
> http://groups.google.com/groups?hl=en&selm=9h6gsa%2414r%241%40bob.news.rcn.net
>
> I'm not at all sure I believe this story: IRIX is pretty obscure,
> and not very widely used. Why would anyone go to the effort of
> doing a "feint" rootkit to mask a "real" rootkit for so few targets?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
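The post above mentions finding a hidden directory that a file-hiding kernel module (adore) was concealing. One cheap cross-check for that class of hiding, added here as an editor's example and not code from the poster or from any rootkit-detection tool, is the directory link-count test: on classic Unix filesystems (ext2/3/4, xfs, ufs) a directory's st_nlink equals 2 plus the number of its immediate subdirectories, because every child's '..' entry is a hard link to the parent. A module that filters names out of getdents() changes what readdir()/ls show but not the inode's link count, so a count higher than what is visible means a subdirectory is being hidden. The sample tree, the `.hidden` directory name and the `hiding_lister` that simulates a filtered getdents() are all constructed for this example.

```python
"""Added example: directory link-count cross-check for hidden subdirectories.

Caveats a practitioner should keep in mind:
  * btrfs and some union/overlay filesystems report st_nlink == 1 for
    directories; those are reported as 'no usable count', not as clean.
  * A rootkit that also hooks stat()/lstat() defeats this check; run it from
    trusted media (or compare against an offline image) if you suspect that.
  * Symlinks to directories do not add '..' links and are not counted.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Callable, List, Optional

# A directory lister with the same shape as os.listdir; injectable so the
# effect of a getdents()-filtering module can be simulated without one.
Lister = Callable[[str], List[str]]


@dataclass
class DirCheck:
    path: str
    nlink: int
    visible_subdirs: int
    hidden: Optional[int]   # None when the filesystem keeps no usable count


def hidden_subdir_count(nlink: int, visible_subdirs: int) -> Optional[int]:
    """Subdirectories the link count implies but the listing did not show.

    Returns None when nlink < 2, i.e. the filesystem does not maintain the
    classic 2 + subdirs count and the test says nothing either way.
    """
    if nlink < 2:
        return None
    return max(0, (nlink - 2) - visible_subdirs)


def check_dir(path: str, lister: Lister = os.listdir) -> DirCheck:
    """Compare one directory's st_nlink with the subdirectories we can see."""
    st = os.lstat(path)
    visible = 0
    for name in lister(path):
        try:
            if stat.S_ISDIR(os.lstat(os.path.join(path, name)).st_mode):
                visible += 1
        except FileNotFoundError:
            pass  # entry vanished between listing and stat; ignore
    return DirCheck(path, st.st_nlink, visible,
                    hidden_subdir_count(st.st_nlink, visible))


def scan(root: str, lister: Lister = os.listdir) -> List[DirCheck]:
    """Walk root (not following symlinks) and return directories whose
    link count says more subdirectories exist than the listing shows."""
    suspicious: List[DirCheck] = []
    stack = [root]
    while stack:
        d = stack.pop()
        res = check_dir(d, lister)
        if res.hidden:
            suspicious.append(res)
        for name in lister(d):
            p = os.path.join(d, name)
            if os.path.isdir(p) and not os.path.islink(p):
                stack.append(p)
    return suspicious


def demo_tree() -> str:
    """Constructed sample input: a temp dir with three subdirectories."""
    root = tempfile.mkdtemp(prefix="nlinkdemo_")
    for name in ("bin", "lib", ".hidden"):
        os.mkdir(os.path.join(root, name))
    return root


def hiding_lister(path: str) -> List[str]:
    """Constructed stand-in for a file-hiding module: drops '.hidden' from
    the listing the way a hooked getdents() would, leaving st_nlink alone."""
    return [n for n in os.listdir(path) if n != ".hidden"]


if __name__ == "__main__":
    root = demo_tree()
    print("honest listing :", check_dir(root))
    print("filtered listing:", check_dir(root, hiding_lister))
    for r in scan(root, hiding_lister):
        print("SUSPICIOUS:", r.path, "nlink", r.nlink,
              "visible subdirs", r.visible_subdirs, "hidden", r.hidden)
```

Run it as root against `/` on the suspect box and treat every non-zero `hidden` as a directory to open by inode (debugfs, or an offline mount of the disk) rather than by name; a clean system on ext4/xfs should produce no output at all.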
This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 16:26:08 PST