Re: speaking of Network Magazine - Article on Innovative Rootkits

Author: Craig White
Date:  
To: plug-discuss
Subject: Re: speaking of Network Magazine - Article on Innovative Rootkits
On Mon, 2005-01-17 at 23:45 -0700, Kevin Brown wrote:
> > <http://www.networkmagazine.com/shared/article/showArticle.jhtml?
> > articleId=55301844&classroom=>
> >
> > html mail to keep line from wrapping - sorry
>
> Heh, and for those of us using a proper mail client, it still wrapped because
> all HTML was stripped from the message for display :)
>
> Better way to avoid line wrap in URLs... tinyurl.com :)

---
I know - but I'm lazy. I have to say that I'm disappointed that your
Mozilla wrapped that html.

Even worse was the other link I posted was a session id which of course
won't work for anyone anyway. Lazy and stupid I guess.
---
>
> > Interesting magazine - this month has a number of articles that I
> > thought were interesting but this one caught my attention. Suggests that
> > the day of the rootkit and 'poisoned' ls, ps etc. is/will be replaced
> > with kernel modules that at the kernel level, can evade detection by
> > typical security tools such as tripwire and at kernel level, can scrub
> > itself from processes showing in things like top and ps.
> >
> > Seems as though the stakes of security administration are rising above
> > and beyond the merely intelligent.
>
> Think I've seen a lot about kernel module level rootkits in the last few years.
> If it goes in as a module then there might be other ways to pick up on it that
> it can't evade. Either kernels with no module support or a variation on the
> rootkit module that is for security purposes to monitor what other modules get
> loaded up by the system :)
>
> It would be hidden, so even the rootkit wouldn't know it was there, heheh.

---
monolithic vs modular? seems as though that debate was settled before .1
kernel - I know that I'm always gonna opt for easy.

I'm not sure how far SELinux will go in detecting/preventing modular
rootkits. Shame on me but I haven't bothered investigating what it is
about at all yet (as I type this on a FC-3 system with SELinux installed
on it).

It does seem that tools such as chkrootkit and tripwire have outlived
their usefulness though.

Craig
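The cross-check Kevin sketches above (a second vantage point the hiding code does not control) can be tried from user space without writing a kernel module. The script below is an added example, not code from Craig, Kevin or the Network Magazine article: it compares what the kernel itself exposes (a /proc listing, a brute-force stat() of /proc/<pid>, and /proc/modules vs /sys/module) against what ps reports, and re-samples so that processes starting or exiting between the two snapshots are not reported as hidden. Caveats a practitioner should keep in mind: a module that hooks getdents() hides from os.listdir() too, which is why the stat() probe is there; the probe limit of 65536 is an assumption, and pid_max on modern kernels can be much larger; and a rootkit that hooks stat() as well defeats this script, which is exactly the point Craig makes about the stakes going up.

```python
"""Cross-view checks for processes and kernel modules hidden from ps/lsmod.

Added example; assumes a Linux host with /proc, /sys and a procps-style ps.
"""
import os
import subprocess


def hidden_entries(direct_view, reported_view):
    """Entries the kernel's own bookkeeping exposes but the reporting tool omits."""
    return sorted(set(direct_view) - set(reported_view))


def parse_proc_modules(text):
    """Module names from /proc/modules ('name size refcnt deps state addr')."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_ps_pids(text):
    """PIDs from the output of `ps -eo pid=`."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def _is_thread_group_leader(pid):
    # /proc/<tid> answers stat() for every thread; only keep real processes
    # (Tgid == Pid), otherwise every non-leader thread looks "hidden" from ps.
    try:
        with open(f"/proc/{pid}/status") as fh:
            fields = dict(line.split(":\t", 1) for line in fh if ":\t" in line)
    except OSError:
        return False
    return fields.get("Tgid", "").strip() == str(pid)


def pids_from_proc_listing():
    """What readdir() on /proc says (a getdents hook can filter this view)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pids_by_probing(limit=65536):
    """Bypass readdir(): stat() each /proc/<pid> directly.

    limit is an assumption; read /proc/sys/kernel/pid_max for the real ceiling.
    """
    found = set()
    for pid in range(1, limit + 1):
        try:
            os.stat(f"/proc/{pid}")
        except FileNotFoundError:
            continue
        if _is_thread_group_leader(pid):
            found.add(pid)
    return found


def pids_from_ps():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def modules_from_proc():
    with open("/proc/modules") as fh:
        return parse_proc_modules(fh.read())


def modules_from_sysfs():
    # Built-in code also gets /sys/module/<name> (for its parameters); only
    # loadable modules carry 'initstate', so use that to select them.
    base = "/sys/module"
    return {n for n in os.listdir(base)
            if os.path.exists(os.path.join(base, n, "initstate"))}


def stable_hidden_pids(rounds=2):
    """PIDs in /proc but not in ps, intersected over rounds to drop start/exit races."""
    suspects = None
    for _ in range(rounds):
        direct = pids_from_proc_listing() | pids_by_probing()
        now = set(hidden_entries(direct, pids_from_ps()))
        suspects = now if suspects is None else suspects & now
    return sorted(suspects)


def hidden_modules():
    """Modules sysfs knows about that /proc/modules (what lsmod reads) omits."""
    return hidden_entries(modules_from_sysfs(), modules_from_proc())


if __name__ == "__main__":
    print("processes hidden from ps:", stable_hidden_pids())
    print("modules hidden from lsmod:", hidden_modules())
```

Run it as root so every /proc/<pid>/status is readable; an empty list from both checks means only that the views agree, not that the box is clean.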

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss