
Re: how to fix rootkit?



On Thu, 9 Feb 2012, "Milan P. Stanic" <mps@arvanta.net> wrote:
> On Wed, 2012-02-08 at 17:56, Fernando Mercês wrote:
> > I think you're talking about syscall interceptions and related stuff.
> > You're right, we can't trust, but it in this case we're talking about
> > a very specialized malware and I don't see any fast action to bypass
> > it. Maybe the conclusion is that we can't trust anything, so we can't
> > do anything, but something needs to be done, right?
> > 
> > An option is to load another kernel with kexec, but we can't trust kexec.
> > What do we do?
> 
> What about a device which can be tapped to the CPU of the running machine and
> then 'take over' CPU. Such device could then read RAM, block devices and
> peripherals to save data for post mortem analysis.

There are devices which use firewire to directly access system RAM.  It is 
also possible to design a PCI/PCIe card which does bus-mastering under external 
control to dump RAM contents.  I've seen a live demonstration of the use of 
firewire to directly access system RAM: a system was compromised by having 
some memory altered, and dumping the RAM would be trivial by comparison.

It has also been demonstrated that if you chill RAM to a low temperature then 
you can extract it from the system with most of its contents intact.

But these aren't things that you start thinking of after you have a 
compromised system; most desktop systems and servers don't have firewire, and 
almost no systems have a PCI/PCIe card to dump RAM.  Using dry ice or liquid 
nitrogen on RAM isn't something that you would do without some planning 
either.

> Although some secret agencies could already have something like that,
> I'm not sure that it is commercially available or will be in the near
> future.

There are some people who would provide such things for the right money.

> If someone thinks that a hardware manufacturer could design and put on the
> market computers with such an option built in, I suspect that it will be
> suppressed by legislators.

No, it would be suppressed by the people who want to save every last cent on 
manufacture.  Anything that isn't the cheapest way of designing a system is 
going to be a really expensive optional extra.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

