
Re: how to fix rootkit?



Michael,

I think you're talking about syscall interceptions and related stuff.
You're right, we can't trust it, but in this case we're talking about
a very specialized malware and I don't see any fast action to bypass
it. Maybe the conclusion is that we can't trust anything, so we can't
do anything, but something needs to be done, right?

An option is to load another kernel with kexec, but we can't trust kexec.
What do we do?

Sometimes we need to assume some risks otherwise we can't proceed. ;-)

BR,

Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
softwarelivre-rj.org
@MenteBinaria
------------------------------------
II Hack'n Rio - 23 and 24/11
                 hacknrio.org
------------------------------------



On Wed, Feb 8, 2012 at 5:15 PM, Michael Stummvoll <michael@stummi.org> wrote:
> On 08.02.12 19:51, Jutta Zalud wrote:
>> Michael Stummvoll wrote:
>>
>>> And who says that the new binaries don't work in "compromised
>>> mode", e.g. with a LD_PRELOAD? ;)
>>
>>> You can't trust a compromised system, not even when you're running
>>> (or think you are running) your own binaries. Who knows what the
>>> kernel does.
>>
>> What exactly do you mean by "system"?
>
> The Operating System.
>
> As I understand Fernando, he suggested running external self-compiled
> binaries within the compromised OS to be sure, and what I want to say
> is that you can't be sure in this case.
>
> Kind Regards,
> Michael
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/4F32C9D7.30009@stummi.org
>

