Dailydave
mailing list archives
Re: Usenix w00t (ddz)
From: "John Dohrr" <sf003 () gmx net>
Date: Wed, 03 Oct 2007 14:54:47 +0200
I was checking out Dino's Usenix paper a couple days ago, and a few questions stuck in my head.
http://www.usenix.org/events/woot07/tech/full_papers/daizovi/daizovi_html/
Um, nothing new here. I recall seeing this kind of thing (ElGamal + DES + ptrace(2) games to prevent tracing) back in
the days of SunOS 4.1.3. Unfortunately, on a SPARC 2, _any_ kind of encryption introduces a CPU hit, so it was
relatively easy to tell that something was up. A sploit was used to transfer the encryption 'client' across (primary
payload), which was then used to conceal whatever (secondary) rootkit was installed[1].
From my experience with openssl, things change regularly enough to ensure that using the OS' crypto libraries is more
pain than it's worth. You might get away with just using the bigint routines, and rolling the rest yourself....
J.
[1] Interestingly enough, I know of at least one rootkit in the wild that uses a bastardised EKE/SPEKE protocol to
authenticate connections to the backdoor and prevent MITM attacks.