Microsoft Says Recovery from Malware Becoming Impossible

Ben Scott dragonhawk at gmail.com
Wed Apr 19 16:16:02 EDT 2006


On 4/19/06, Tyson Sawyer <tyson at j3.org> wrote:
> Ben Scott wrote:
>> The problem is that if you've had a full system compromise
>> (whether you call your superuser "root", Administrator, or
>> SUPERVISOR), you can no longer trust the computer to check itself.
>> The attacker can subvert the system to lie to you about itself.
>
> How about boot disks that have been premade to check your system and
> identify suspect files?  This way the compromised filesystem isn't
> checking itself although the computer is checking itself.

  Sure.  If you've taken the time to make an IDS database, and kept it
current, you can boot from trusted media and run an integrity check. 
Tripwire is a famous tool for this, and it is available for nix and
doze.  I've generally found that this kind of IDS is rarely used. 
(Rarely != never.)  It's very labor intensive and intrusive to
maintain an IDS like this, since you generally have to take the system
offline to run an IDS check before each update -- otherwise, how do
you know you haven't been subverted, or how do you know your updated
IDS DB isn't subverted?

  Running something like "chkrootkit" (the nix world's equivalent to
doze anti-virus software) from a trusted boot *may* detect something,
but lack of detection of known trouble is not the same as positive
assurance of integrity.

  It's a safe bet that the lusers who install the software the
Internet tells them to don't have a Tripwire IDS database ready. 
(This, incidentally, is the real problem -- system operators have
neither the tools nor the training to protect their systems.)

-- Ben
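As an added illustration of the Tripwire-style check Ben describes (this is not code from the post or from the Tripwire project), the Python below builds a baseline of SHA-256 hashes for a file tree, seals that baseline with an HMAC whose key stays with the trusted boot media, and later reports modified, missing and added files. The directory names, file contents and key are constructed placeholders; in real use the baseline is taken on a known-clean system and the verify step runs after booting trusted media with the suspect filesystem mounted read-only.

```python
"""Minimal Tripwire-style integrity check: baseline, seal, verify.

Added example, not from the original mailing-list post.  The baseline
must be built while the system is known clean and stored off the host
(on the trusted boot media), and verification must run from that media,
otherwise a compromised kernel can lie about the files it serves.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its hash.
    Symlinks are skipped: hashing their target would double-count it."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def seal_baseline(baseline, key):
    """HMAC over the canonical JSON form of the baseline.  Without this an
    attacker who can edit the DB simply re-hashes the files they changed."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def baseline_is_sealed(baseline, key, mac):
    """Constant-time comparison of the stored seal against a fresh one."""
    return hmac.compare_digest(seal_baseline(baseline, key), mac)


def verify(root, baseline):
    """Compare the tree now on disk against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, then make the kinds of
    changes an integrity check exists to flag, and check the DB seal."""
    key = b"constructed-demo-key-kept-on-trusted-media"  # placeholder
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "w") as f:
            f.write("original ls\n")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0\n")
        baseline = build_baseline(root)
        mac = seal_baseline(baseline, key)

        # Changes the check should report: replaced binary, new file, deleted file.
        with open(os.path.join(root, "bin", "ls"), "w") as f:
            f.write("replaced ls\n")
        with open(os.path.join(root, "bin", "extra"), "w") as f:
            f.write("unexpected\n")
        os.remove(os.path.join(root, "passwd"))

        report = verify(root, baseline)
        report["baseline_sealed"] = baseline_is_sealed(baseline, key, mac)
        # A DB edited to match the replaced binary no longer matches the seal.
        forged = dict(baseline)
        forged["bin/ls"] = sha256_file(os.path.join(root, "bin", "ls"))
        report["forged_db_sealed"] = baseline_is_sealed(forged, key, mac)
    return report


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The seal is what addresses Ben's second worry: an updated IDS database only counts as trustworthy if it was produced and sealed on trusted media with a key the monitored host never holds.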
