Re: [Full-disclosure] Microsoft GhostBuster Opinions

[Dave King <davefd@xxxxxxxxxxxxx>]

Valdis.Kletnieks@xxxxxx wrote:

> On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
>
>  
>
> >    Also, this is not just like tripwire.  If the kernel is compromised 
> > and reporting false data to tripwire then tripwire can run along merrily 
> > thinking every thing's great.  This is why booting to a trusted kernel 
> > is important for the process.  Exploiting Software by Hoglund and McGraw 
> > has a discussion on these types of rootkits.  Tripwire, however does 
> > great at detecting other sorts of intrusions.
> >    
>
> Actually, the "prior art" *is* tripwire.  If you run tripwire on the live
> system, then run it while booted from a CD, and they produce different
> results, you have a problem.
>
> And that's what they're doing by doing a 'dir /a /s' on the live system,
> then booting the Windows PE CD, and looking for differences....
>  
Ok, this is true.  I guess what I meant by what I said was running 
tripwire as a cron job daily or whatever on a system without booting  to 
a known good kernel could yeild incorrect results if the kernel has been 
compromised.  A similar result can be had using tripwire on the system 
then booting to a known good kernel and running it again.

Laters,
Dave King CISSP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/