Full Disclosure mailing list archives

Microsoft GhostBuster Opinions


From: Dave King <davefd () davewking com>
Date: Thu, 17 Mar 2005 11:28:55 -0700

Several months ago I came upon a research project some people at Microsoft had been working on called Strider GhostBuster to help find rootkits. The original paper can be found here: http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775 . Basically what it comes down to is that you flush the disks, then run "dir /a /s" and send the output to a file. Next you type a bunch of junk into whatever (this is to test if there's a key logger) and flush the disks once more. Then you reboot the computer using a Windows PE CD with a known good kernel and run "dir /a /s" and send that output to a second file. You then use WinDiff to compare the two files to see if there are any new files that magically appear in the second file but weren't in the first file because a rootkit was causing dir to report false information. Also, because you typed in all those keystrokes earlier, you can look at which files changed sizes and see if one might be because a keylogger is saving data to it.

At the time I read the paper I remember doing a Google search for the tool and couldn't come up with anything, so I just kind of forgot about it. I realize the idea isn't new, but the way they tied it all together and automated it was pretty nifty. I also realize this won't find every kind of rootkit, but it could be a good part of a toolkit designed to find rootkits.

Recently in his monthly Crypto-Gram Bruce Schneier asked Microsoft to release this tool, and if they wouldn't, for it to be developed as an open source project. I thought for a second and realized this tool would be very easy to put together as prescribed in the paper. Using Sync.exe from Sysinternals to flush the disk and BartPE to make a bootable CD, it should be very easy to do with a small VBS script or C program.

So now some questions: would anyone else find this tool useful? What improvements could make this more useful? Some that I've already thought about were to give the option of also doing an MD5 or SHA hash on the files (although this would make it take way longer to run), and possibly to run some type of public key encryption on the hash to make sure the rootkit's not messing with it.

Also, this is not just like Tripwire. If the kernel is compromised and reporting false data to Tripwire, then Tripwire can run along merrily thinking everything's great. This is why booting to a trusted kernel is important for the process. Exploiting Software by Hoglund and McGraw has a discussion on these types of rootkits. Tripwire, however, does great at detecting other sorts of intrusions.

Lastly, it would be simple to make a similar tool with Knoppix and Linux as well. Let me know your thoughts about this.

Laters,
Dave King CISSP
http://www.thesecure.net
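The cross-view comparison the post describes, written out as an added example (this is not code from the original message, nor Microsoft's Strider GhostBuster tool): a Python script that parses two English-locale "dir /a /s" listings, one taken inside the running Windows and one taken after booting a trusted kernel, then reports files visible only from the trusted boot (hidden from the running OS) and files whose size changed between the two runs (candidates for a keylogger's log after the junk-typing step). The sample listings and the file names `rk_hidden_example.sys` and `kbdlog_example.dat` are constructed for the example; the English date and "<DIR>" formats are an assumption about the locale.

```python
"""Cross-view comparison of two `dir /a /s` listings (GhostBuster-style).

Added example, not code from the original post or from Microsoft.
The live listing is taken inside the running (possibly rootkitted)
Windows; the trusted listing after rebooting into a known-good kernel
such as a Windows PE CD.  Assumes English-locale `dir` output
(MM/DD/YYYY dates, "<DIR>", "Directory of").  All listings and file
names below are constructed, not captured from a real machine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Entry line, e.g. "03/17/2005  11:28 AM            1,234 boot.ini"
#                  "03/17/2005  11:28 AM    <DIR>          WINDOWS"
ENTRY_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+"
    r"(?P<size>[\d,]+|<[A-Z]+>)\s+(?P<name>.+?)\s*$"
)
DIR_HEADER_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")


def parse_dir_listing(text: str) -> dict[str, int | None]:
    """Return {full path: size in bytes}; directories map to None."""
    entries: dict[str, int | None] = {}
    current_dir = None
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current_dir = header.group("path").rstrip("\\")
            continue
        m = ENTRY_RE.match(line)
        if not m or current_dir is None:
            continue
        name = m.group("name")
        if name in (".", ".."):
            continue
        size_field = m.group("size")
        # "<DIR>" (or "<JUNCTION>" on newer Windows) marks a directory entry.
        size = None if size_field.startswith("<") else int(size_field.replace(",", ""))
        entries[f"{current_dir}\\{name}"] = size
    return entries


@dataclass
class CrossViewReport:
    hidden: list[str] = field(default_factory=list)    # trusted view only
    vanished: list[str] = field(default_factory=list)  # live view only
    size_changed: list[tuple[str, int, int]] = field(default_factory=list)  # (path, live, trusted)


def cross_view_diff(live_listing: str, trusted_listing: str) -> CrossViewReport:
    live = parse_dir_listing(live_listing)
    trusted = parse_dir_listing(trusted_listing)
    # NTFS paths are case-insensitive, so compare on lower-cased keys.
    live_ci = {p.lower(): (p, s) for p, s in live.items()}
    trusted_ci = {p.lower(): (p, s) for p, s in trusted.items()}
    report = CrossViewReport()
    report.hidden = sorted(trusted_ci[k][0] for k in trusted_ci.keys() - live_ci.keys())
    report.vanished = sorted(live_ci[k][0] for k in live_ci.keys() - trusted_ci.keys())
    for k in sorted(live_ci.keys() & trusted_ci.keys()):
        path, live_size = live_ci[k]
        trusted_size = trusted_ci[k][1]
        if live_size is not None and trusted_size is not None and live_size != trusted_size:
            report.size_changed.append((path, live_size, trusted_size))
    return report


# Constructed listings: the trusted view shows one file the live kernel hid
# and a larger "log" file after the junk keystrokes were typed.
LIVE_VIEW = """\
 Volume in drive C has no label.

 Directory of C:\\

03/17/2005  11:28 AM    <DIR>          WINDOWS
03/17/2005  11:28 AM               217 boot.ini

 Directory of C:\\WINDOWS\\system32

03/17/2005  11:28 AM    <DIR>          .
03/17/2005  11:28 AM    <DIR>          ..
03/17/2005  11:28 AM            12,288 svchost.exe
03/17/2005  11:30 AM               512 kbdlog_example.dat
"""

TRUSTED_VIEW = """\
 Directory of C:\\

03/17/2005  11:28 AM    <DIR>          WINDOWS
03/17/2005  11:28 AM               217 boot.ini

 Directory of C:\\WINDOWS\\system32

03/17/2005  11:28 AM            12,288 svchost.exe
03/17/2005  11:35 AM             2,048 kbdlog_example.dat
03/17/2005  11:28 AM             4,096 rk_hidden_example.sys
"""

if __name__ == "__main__":
    r = cross_view_diff(LIVE_VIEW, TRUSTED_VIEW)
    for p in r.hidden:
        print(f"HIDDEN from running OS: {p}")
    for p, a, b in r.size_changed:
        print(f"SIZE CHANGED {a} -> {b}: {p}")
```

For real use, read the two files produced by "dir /a /s > live.txt" and "dir /a /s > trusted.txt" and pass their contents in place of the constants. Like the procedure in the post, this compares names and sizes only, so a rootkit that hides a directory shows up as the directory entry in its parent plus every file under it; adding a per-file hash column, as the post suggests, would also catch content changes that leave the size unchanged.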

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/