
Re: how to fix rootkit?



On Wed, 2012-02-08 at 17:56, Fernando Mercês wrote:
> I think you're talking about syscall interceptions and related stuff.
> You're right, we can't trust it, but in this case we're talking about
> a very specialized malware and I don't see any fast action to bypass
> it. Maybe the conclusion is that we can't trust anything, so we can't
> do anything, but something needs to be done, right?
> 
> An option is to load another kernel with kexec, but we can't trust kexec.
> What do we do?

What about a device which can be tapped into the CPU of a running machine and
then 'take over' the CPU. Such a device could then read RAM, block devices and
peripherals to save data for post mortem analysis.

Although some secret agencies could already have something like that,
I'm not sure that it is commercially available or that it will be in the near
future.
If someone thinks that a hardware manufacturer could design and put on the
market computers with such an option built in, I suspect that it would be
suppressed by legislators.

> Sometimes we need to assume some risks otherwise we can't proceed. ;-)

That's it. We live in a risky world and we cannot achieve perfect security.
As in the real world, computer security is a trade-off between usability and
risk.

> BR,
> 
> Fernando Mercês
> Linux Registered User #432779
> www.mentebinaria.com.br
> softwarelivre-rj.org
> @MenteBinaria
> ------------------------------------
> II Hack'n Rio - 23 e 24/11
>                  hacknrio.org
> ------------------------------------
> 
> 
> 
> On Wed, Feb 8, 2012 at 5:15 PM, Michael Stummvoll <michael@stummi.org> wrote:
> > Am 08.02.12 19:51, schrieb Jutta Zalud:
> >> Michael Stummvoll wrote:
> >>
> >>> And who says that the new binaries don't work in "compromised
> >>> mode", e.g. with a LD_PRELOAD? ;)
> >>
> >>> You can't trust a compromised system, not even when you are running
> >>> (or think you are running) your own binaries. Who knows what the
> >>> kernel does.
> >>
> >> What exactly do you mean by "system"?
> >
> > The Operating System.
> >
> > As I understand Fernando, he suggested running external self-compiled
> > binaries within the compromised OS to be sure, and what I want to say
> > is that you can't be sure in this case.
> >
> > Kind Regards,
> > Michael
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > Archive: http://lists.debian.org/4F32C9D7.30009@stummi.org
> >
> 
> 
> 

-- 
Kind regards,  Milan
--------------------------------------------------
Arvanta, IT Security        http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in
proprietary format (word, excel, pps and so on)

