Rootkit Hunter

Martin Marcher martin.marcher at
Sat Dec 23 15:31:20 UTC 2006


On 23.12.2006 at 16:10, Serg B. wrote:

> Sounds like James Bond stuff to me. Do you have a link to an article
> that talks about the above proof of concept code? Since you know...

Nope, sorry, it was a printed article and I already threw away the
magazine... :(

> However you would definitely know about it. Nothing stealthy there
> unless you run one powerful mother of a machine! And even then you
> would see that things are not quite as fast. You would notice a
> performance decrease since you would now be running 2 OS's: one for
> the virus and one for the guest. Reduced disk size - a noticeable
> chunk since there is another OS installed. On reboot a boot-up screen
> would show messages inconsistent with the guest OS, etc. Like I said,
> nothing stealthy, in MY opinion.

The stealthy thing, as I understood it, was that you are in fact not
running two OSs, but with the virtualization technology the software
could, at runtime of the OS, switch the context in which the OS is

I have no idea how large such a thing would be, but even if it was 20
MB, with today's HD sizes one would hardly notice it. And since it's a
"small" program that just hides a few processes from being found, I
don't think that you would notice any difference.

> So yeah, I doubt that this proof of concept is anything more than
> marketing speak for VM tools and somebody trying to get a security
> paper out for self promotion.

I desperately hope so; if not, that would mean a _lot_ of spam (which
is the thing that imho pays off most at the moment). Consider you
have a running Windows/Linux/whatever OS box and someone has a rootkit
of that kind installed: no chance to detect it, new investments
for anti-malware software, etc.