Home page logo

pen-test logo Penetration Testing mailing list archives

RE: root kit detection/penetration
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Thu, 15 Sep 2005 23:31:05 -0500

-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandez () germinus com]

cdewitt () indepthsec com wrote:

What are the best practices for penetration testing the viability
of placing root kits on a client's external servers - vpn, web,

If you did not write it yourself _and_ are confident that its impact
in business critical systems is 0 don't do it. 

This is golden rule indeed.

And, while I'm asking - what are the best practices or
countermeasures for root kit placement?

Properly bastion hosts and severly limit the capabitilies of the users
the services exposed to the Internet as running at (i.e. defense in
depth, chroot jails, up-to-date patched systems, etc.) including
host-IDS with (in Windows) updated antivirus (which will carry rootkit
signatures too) or (in UNIX) rootkit detectors.

I just wanted to add some comments here. I'm not really sure if it is
considered a best practice, but it has been clear for some time that there
are much better controls that all anti-xxxxx ware. Security controls relying
on regular updates for detecting known malware or dangerous behavior are not
effective against new threats, particularly to specially developed (or
modified) malware to be used against specific targets.

Therefore, in my opinion, some host-IDS, chroot-jails and all controls
implementing some kind of "white list" are far more effective against these

I'm not saying that everyone should just throw away their antivirus.
Obviously, my mom will prefer to use an AV than trying to configure a
Personal Firewall that implements application execution white lists.
However, in the case of critical equipment of an organization big enough to
have its own security team, relying only on anti-xxxxs technology to counter
rootkits, Trojans and all custom made malware is definitely going to fail.

By the way, there is an article by Marcus Ranum called "The Six Dumbest
Ideas in Computer Security"
(http://www.ranum.com/security/computer_security/editorials/dumb/); it also
says something about this (ineffectiveness of blacklist security controls).

I don't fully support all the statements of Mr. Ranum. In fact, Pentesting
IS in the list :-). Pentesting is in some way "turd polishing" as he says,
but it was never meant to discover all possible vulnerabilities or to detect
problems at the most abstract levels of security architectures. Yet,
pentesting should be able to identify at least the most obvious exposures
caused by vulnerabilities (even the best designed system in terms of
security isn't free from vulnerabilities). 

Kind regards,

Omar Herrera


Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]