Home page logo
/

basics logo Security Basics mailing list archives

RE: rootkit behavior
From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Thu, 27 Jul 2006 14:47:49 -0400

rainmann () sbcglobal net wrote:
Can a rootkit hide on a seperate physical disk from the operating
system? In other words, if WINNT is on c:\ can the rootkit live on
physically seperate data drives e:\ and f:\?  


I have a client who wants his c:\ drive reformatted and reloaded to
insure that no rogue program remains.  I haven't been able to give
him a definitive answer concerning his extensive data drives.  


Also, does anyone know of any useful detection tools other than
RootKit Revealer and Blacklight? I saw the post the other day about
Helios but read that 1) it requires the .Net framework (ouch!) and 2)
doesn't work for Win2K.   


Any advice here would be greatly appreciated.

A very simple (somewhat time consuming however) rootkit detection is by
using built in commands from within the OS in conjunction with a BartPE
boot disk built from a secure source; meaning that the box it is
configured from is verifiably free of any kind of infection or
contamination.

Check it out:  http://research.microsoft.com/rootkit/

JMB

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]