Re: how to fix rootkit?
On Thu, 9 Feb 2012, "Milan P. Stanic" <mps@arvanta.net> wrote:
> On Wed, 2012-02-08 at 17:56, Fernando Mercês wrote:
> > I think you're talking about syscall interceptions and related stuff.
> > You're right, we can't trust it, but in this case we're talking about
> > a very specialized malware and I don't see any fast action to bypass
> > it. Maybe the conclusion is that we can't trust anything, so we can't
> > do anything, but something needs to be done, right?
> >
> > An option is to load another kernel with kexec, but we can't trust kexec.
> > What do we do?
>
> What about a device which can be tapped to the CPU of a running machine and
> then 'take over' the CPU. Such a device could then read RAM, block devices and
> peripherals to save data for post mortem analysis.
There are devices which use firewire to directly access system RAM. It is
also possible to design a PCI/PCIe card which does bus-mastering under external
control to dump RAM contents. I've seen a live demonstration of the use of
firewire to directly access system RAM; a system was compromised by having
some memory altered, and dumping the RAM would be trivial by comparison.
It has also been demonstrated that if you chill RAM to a low temperature then
you can extract it from the system with most of its contents intact.
But these aren't things that you start thinking of after you have a
compromised system, most desktop systems and servers don't have firewire and
almost no systems have a PCI/PCIe card to dump RAM. Using dry-ice or liquid
nitrogen on RAM isn't something that you would do without some planning
either.
> Although some secret agencies could already have something like that,
> I'm not sure that it is commercially available or will be in the near
> future.
There are some people who would provide such things for the right money.
> If someone thinks that a hardware manufacturer could design and put on the
> market computers with such an option built in, I suspect that it would be
> suppressed by legislators.
No, it would be suppressed by the people who want to save every last cent on
manufacture. Anything that isn't the cheapest way of designing a system is
going to be a really expensive optional extra.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/