
Re: how to fix rootkit?



On Wed, 2012-02-08 at 19:39, Michael Stummvoll wrote:
> On 08.02.12 18:46, Fernando Mercês wrote:
> > Reading memory after turning off? Is there an easy way to do it?
> > 
> > When I said "your own binaries", I mean "get fresh copies of
> > binaries and use in system with a USB stick or something like that.
> > Do not use the compromised system binaries". That's it. ;-)
> 
> And who says that the new binaries don't work in "compromised mode",
> e.g. with a LD_PRELOAD? ;)

What about statically linked binaries on the external media (CD, DVD,
USB ...) which is write protected with 'execute in place' mode?
 
> You can't trust a compromised system, not even when you are running (or
> think you are running) your own binaries. Who knows what the kernel does.

If the kernel is changed to circumvent external (or all) binaries then
the solution could be to use some tool (I can't remember right now if
that exists) which could 'take over' the complete system (even kernel)
and then do a snapshot or whatever is appropriate in that situation.

-- 
Kind regards,  Milan
--------------------------------------------------
Arvanta, IT Security        http://www.arvanta.net
Please do not send me e-mail containing HTML code or documents in
proprietary format (word, excel, pps and so on)
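
Added example, not part of the original message: a check that a binary destined for the response media really has no PT_INTERP segment, i.e. the kernel will not hand it to ld.so, which is the component that honours LD_PRELOAD and /etc/ld.so.preload. The function names and the constructed sample headers are assumptions made for this illustration.

```python
import struct

PT_DYNAMIC, PT_INTERP = 2, 3  # p_type values from the ELF specification

def elf_segment_types(data):
    """Return the p_type of every program header in an ELF image."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = {1: False, 2: True}[data[4]]   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = {1: "<", 2: ">"}[data[5]]       # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    # p_type is the first 32-bit word of a program header in both classes
    return [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
            for i in range(phnum)]

def uses_dynamic_loader(data):
    """True if the image names an interpreter (ld.so) via PT_INTERP.

    Static-PIE binaries carry PT_DYNAMIC but no PT_INTERP, so only
    PT_INTERP decides whether loader-level preloading can apply.
    """
    return PT_INTERP in elf_segment_types(data)

def make_elf64(ptypes):
    """Constructed sample: minimal little-endian ELF64 header plus phdrs."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            dyn = uses_dynamic_loader(f.read())
        print(path, "dynamic: ld.so preloads apply" if dyn else "static: no ld.so")
```

Run it on a known-clean machine while preparing the media, not on the suspect host. It only rules out interference through the dynamic loader and does not address the kernel-level tampering raised in the thread.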

