Re: [Full-Disclosure] Removing ShKit Root Kit

Brian Eckman had thus to say: (Mon, Dec 22, 2003 at 02:12:53PM -0600)

[...]

> For Windows, if it's a backdoor that is named something.txt, well,
> again, the attacker would have to find a way to rename that file and
> execute it with appropriate permissions. Again, I imagine that if they
> can do that, that they could find other ways of compromising your
> machine as well.

Not if it's an Alternative Data Stream; you could launch it without any audit trail. These are generally tied
to the main file, which could be anything (eg. something.txt:trouble.exe). These aren't detectable without
specifically looking. You can fairly easily execute an ADS without it showing in the task list and other
niceties. I'm not certain if common BU utilities actually save ADSs.

        Regards,
        Nathan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Mon Dec 22 16:15:49 2003