Bytes | Software Development & Data Engineering Community
Caution SONY Music CDs have trojan Malware

Whether you are a web surfer or a C++ developer, if you use Windows be
cautioned about SONY music CDs. They contain 'viewer' type software that is
actually a trojan horse for a "rootkit". The licence agreement gives no
indication whatsoever that the 'viewer' software contains the implementation
of a nasty near-impossible to remove rootkit software.

http://www.sysinternals.com/blog/200...al-rights.html

http://www.techdirt.com/articles/200...514209_F.shtml

http://www.theregister.co.uk/2005/11/03/secfocus_drm/

--

Beware SONY Music CDs.
They contain "viewers" that are actually
rootkit viruses that are near impossible to
remove.
http://www.sysinternals.com/blog/200...al-rights.html
http://www.techdirt.com/articles/200...514209_F.shtml
Nov 3 '05
On Tue, 8 Nov 2005 17:24:45 -0500, "Roger Wilco"
<ye****@yourservice.invalid> wrote:
This "rootkit" is a misnomer (should just call it stealthing), but what
you call a rootkit is no closer to the truth it seems to me. The rootkit
was a kit you could use once you already had sufficient privileges


That's my reading of it too. If the old unix version of a rootkit kept
hold of root rather than gaining access to it for the first time then
there's little difference between that and this.
Jim.

Nov 9 '05 #61

James Egan wrote:
On Tue, 8 Nov 2005 17:24:45 -0500, "Roger Wilco"
<ye****@yourservice.invalid> wrote:
This "rootkit" is a misnomer (should just call it stealthing), but what
you call a rootkit is no closer to the truth it seems to me. The rootkit
was a kit you could use once you already had sufficient privileges


That's my reading of it too. If the old unix version of a rootkit kept
hold of root rather than gaining access to it for the first time then
there's little difference between that and this.


So we're all in agreement then. It's nothing more than stealthing
technology. Just a new buzzword for it, apparently.

Sometimes, the more it changes, the more it really stays the same.

Regards,
Dustin Cook
http://bughunter.atspace.org

Nov 9 '05 #62

"James Egan" <je***@jegan.co m> wrote in message
news:f2******** *************** *********@4ax.c om...
On Tue, 8 Nov 2005 17:24:45 -0500, "Roger Wilco"
<ye****@yourser vice.invalid> wrote:
This "rootkit" is a misnomer (should just call it stealthing), but whatyou call a rootkit is no closer to the truth it seems to me. The rootkitwas a kit you could use once you already had sufficient privileges


That's my reading of it too. If the old unix version of a rootkit kept
hold of root rather than gaining access to it for the first time then
there's little difference between that and this.


If a rootkit was to gain access to root, then a dictionary attack
against a weak password would be a rootkit - as would an injection
vector through some broken ring zero process. Any collection of software
used once root was attained (whether for stealthing or some other thing)
is where "kit" comes in imo.

The quoted material from Kurt's blog defining "rootkit"
seems...well... wrong - but it wouldn't be the first time that
terminology changed through common misuse. Here, instead of a kit of
replacement programs, they install a filter driver to filter information
returned by the OS which was requested by such programs - in effect
lying to the requesting utility. Not exactly a "kit" but the end result
is similar.

Still, they could have called it stealthing instead of rootkit - they
probably used the term rootkit because it sounded more ominous. :))
Nov 9 '05 #63
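The post above describes the Sony software as a filter driver that edits the answers the OS returns to ordinary queries, "in effect lying to the requesting utility". The usual way to catch that class of stealth is a cross-view check: ask for the same listing at two levels and diff the results. What follows is an added example for this thread, not code from the thread, from Sony or from the DRM vendor. It simulates the filter in Python rather than touching a real driver; the marker prefix `HIDDEN_PREFIX` and the sample listing `RAW_LISTING` are constructed assumptions (the thread does not state the marker the real software used).

```python
"""Cross-view detection of a listing-filtering stealth driver (simulated).

Added example; not code from the Bytes thread, from Sony or from the DRM
vendor. HIDDEN_PREFIX and RAW_LISTING are constructed assumptions that
model a filter driver which drops entries carrying a marker prefix from
the answers the OS gives to ordinary directory/process/registry queries.
"""

# Assumption: the marker the hypothetical filter matches on. The marker
# used by the real Sony software is not stated in the thread.
HIDDEN_PREFIX = "$hide$"

# Constructed sample: what a raw (unfiltered) enumeration of one
# directory would return, including two entries the driver conceals.
RAW_LISTING = [
    "explorer.exe",
    "$hide$drv.sys",
    "notepad.exe",
    "$hide$data.dat",
    "readme.txt",
]


def filtered_view(raw_entries, prefix=HIDDEN_PREFIX):
    """Model the stealth filter: the high-level API answer is the raw
    result minus every entry whose name starts with the marker."""
    return [name for name in raw_entries if not name.startswith(prefix)]


def signature_scan(entries, prefix=HIDDEN_PREFIX):
    """A scanner that walks the directory through the normal API and
    looks for the marker. Given the filtered view, it finds nothing:
    the filter hides exactly the names the scanner is looking for."""
    return [name for name in entries if name.startswith(prefix)]


def cross_view_diff(high_level, low_level):
    """Cross-view check: compare what the high-level API reports with a
    lower-level enumeration of the same object. Anything present below
    but missing above is being withheld by something in between. No
    marker or signature is needed, so a changed prefix does not matter."""
    return sorted(set(low_level) - set(high_level))


def hidden_entries(raw_entries, prefix=HIDDEN_PREFIX):
    """Run the cross-view check against the modelled filtered view."""
    return cross_view_diff(filtered_view(raw_entries, prefix), raw_entries)


def hiding_in_effect(raw_entries, prefix=HIDDEN_PREFIX):
    """True when the high-level view is missing something the raw view has."""
    return bool(hidden_entries(raw_entries, prefix))


if __name__ == "__main__":
    view = filtered_view(RAW_LISTING)
    print("what the normal API shows:", view)
    print("signature scan through that API finds:", signature_scan(view))
    print("cross-view diff reveals:", hidden_entries(RAW_LISTING))
```

On a real Windows host the two sides of the diff would be the normal file/registry enumeration APIs on one hand and a read of the on-disk file system structures or registry hive on the other; the logic is the same set difference. The design point is that the signature scan fails not because it has the wrong signature but because it is asking the thing that lies, while the cross-view diff works without knowing the marker at all.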

Roger Wilco wrote:
Still, they could have called it stealthing instead of rootkit - they
probably used the term rootkit because it sounded more ominous. :))


"they install a filter driver to filter information
returned by the OS which was requested by such programs - in effect
lying to the requesting utility. Not exactly a "kit" but the end result
is similar. "

It's glorified stealth. Being done with a driver instead of a program
that can be terminated normally.

Nov 10 '05 #64
Roger Wilco wrote:
"kurt wismer" <ku***@sympatic o.ca> wrote in message
news:Od******** ************@ne ws20.bellglobal .com...
Dustin Cook wrote:
[snip]
Art, refresh my memory if you don't mind. Didn't we used to call
applications that hid their presence, stealth? When did this rootkit
terminology replace that?
http://anti-virus-rants.blogspot.com...r-windows.html

it seems like you and i may be on the same page...

This "rootkit" is a misnomer (should just call it stealthing), but what
you call a rootkit is no closer to the truth it seems to me. The rootkit
was a kit you could use once you already had sufficient privileges - to
replace commonly used utilities and such with versions modified to help
stealth whatever other activities you had in mind.


i'm familiar with that line of reasoning, however it fails to convince...

there are those who say rootkits are for maintaining root access, those
who say rootkits are for gaining root access, and those (like the
anti-spyware coalition) who sit on the fence and say it's either one...

from a functional definition standpoint, the 'maintain' camp are lost...
hiding unspecified 'other activities' makes the definition context
sensitive (does it stop being a rootkit if the other activities cannot
possibly be hidden?)...
Getting cpu access
and root privileges is not done with a kit, but with exploit code aimed
at a vulnerability (*possibly by flawed software) either running with
privilege or possibly leveraged from the lesser privilege via an
escalation vector (possibly more flawed software) to get root.


and that couldn't possibly be with a 'kit'...

further, gaining root is not always done by exploiting a vulnerability
unless you widen the scope of 'vulnerability' to include users - at
which point even your rootkit would be exploiting a vulnerability...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
Nov 10 '05 #65
Roger Wilco wrote:
[snip]
If a rootkit was to gain access to root, then a dictionary attack
against a weak password would be a rootkit - as would an injection
vector through some broken ring zero process.
or a keylogger, or a password stealing trojan, or . . .
Any collection of software
used once root was attained (whether for stealthing or some other thing)
is where "kit" comes in imo.
forgive me, but isn't "root" sort of the more important part of the
compound word in question?
The quoted material from Kurt's blog defining "rootkit"
seems...well... wrong - but it wouldn't be the first time that
terminology changed through common misuse.


it may seem wrong to you but it makes perfect sense to me...

the functional behaviour of what i call rootkits explicitly involves
root/administrative privileges...

the functional behaviour of what you call rootkits doesn't... their
function is to hide objects/activity...

maintaining root access is an intent, not a function, and we all know
how good a definition that involves intent is in the field of computer
science...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
Nov 11 '05 #66

On Thu, 10 Nov 2005, kurt wismer wrote:
Roger Wilco wrote:
[snip]
If a rootkit was to gain access to root, then a dictionary attack
against a weak password would be a rootkit - as would an injection
vector through some broken ring zero process.


or a keylogger, or a password stealing trojan, or . . .
Any collection of software
used once root was attained (whether for stealthing or some other thing)
is where "kit" comes in imo.


forgive me, but isn't "root" sort of the more important part of the
compound word in question?
The quoted material from Kurt's blog defining "rootkit"
seems...well... wrong - but it wouldn't be the first time that
terminology changed through common misuse.


it may seem wrong to you but it makes perfect sense to me...

the functional behaviour of what i call rootkits explicitly involves
root/administrative privileges...

the functional behaviour of what you call rootkits doesn't... their
function is to hide objects/activity...

maintaining root access is an intent, not a function, and we all know
how good a definition that involves intent is in the field of computer
science...


All of this speculation on why this is called a "rootkit" and nobody
has mentioned the possibility that an Australian came up with that
name. Everybody knows what "root" means in Aussie slang, don't they?
<rot13> Vg'f pnyyrq n "ebbgxvg" orpnhfr bapr gur fbsgjner trgf vafgnyyrq
lbhe CP vf shpxrq. </rot13>

Links to some pages I have found with relevant information (and one
completely unrelated link that might give some people a laugh):
http://www.chebucto.ns.ca/~af380/Sony_bookmarks.html
(may contain duplicates, links to stuff visited by the 404 Fairy, and
sodium propionate to retard spoilage).

On another note, it's interesting to note that Sony's site had a "Service
Pack update" for their DRM software (that allegedly disables the "stealth"
feature of their software) on their site on the 5th of this month,
Update031105.zip, that was 3645406 bytes in size. This morning I went to
the same site and their new "update", Update071105.zip has been reduced to
only 1396754 bytes. It's funny how something that complicated can be
reduced to 38% of its original size in a week -- unless Sony has started
backpedalling and removing some of the more malicious or privacy invading
components from the distribution in an attempt to avoid prosecution.

--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
"> Is there anything Spamazon DOESN'T sell?
Clues. The market's too small to justify the effort."
-- Stuart Lamble in the scary devil monastery, Fri, 13 May 2005

Nov 22 '05 #67

"kurt wismer" <ku***@sympatic o.ca> wrote in message
news:HV******** ************@ne ws20.bellglobal .com...
Roger Wilco wrote:
[snip]
If a rootkit was to gain access to root, then a dictionary attack
against a weak password would be a rootkit - as would an injection
vector through some broken ring zero process.
or a keylogger, or a password stealing trojan, or . . .
Any collection of software
used once root was attained (whether for stealthing or some other thing)
is where "kit" comes in imo.


forgive me, but isn't "root" sort of the more important part of the
compound word in question?


Not really, root could mean root directory as easily as root user. A
rootkit could be as simple as issuing the command cd\ in DOS. It really
is a stealth kit used when one has highest (or high enough) privilege to
install modified copies of utility programs.
The quoted material from Kurt's blog defining "rootkit"
seems...well... wrong - but it wouldn't be the first time that
terminology changed through common misuse.


it may seem wrong to you but it makes perfect sense to me...

the functional behaviour of what i call rootkits explicitly involves
root/administrative privileges...


Having them - or getting them?
the functional behaviour of what you call rootkits doesn't... their
function is to hide objects/activity...
It requires that the installer program runs with sufficient privilege.
You can't install a rootkit without already obtaining this privilege
level by some means. Just "getting root" does not imply a rootkit was
used - it could have just been a guessed password or physical access to
a machine already logged in with such privilege.
maintaining root access is an intent, not a function, and we all know
how good a definition that involves intent is in the field of computer
science...


The UNIX "rootkit" to me is a collection of aptly named trojans suitable
for swapping out when one has sufficient privilege to do so - and with
whatever purpose the attacker has in mind (though usually to preserve
the attackers ability to maintain the machines compromised state -
stealth being a part of this).

Installing a Windows filter driver to mask return information from
certain calls only resembles a rootkit on this one respect. Why do they
need to use a new term for stealth anyway? It reminds me of the "Social
Engineering" term being used for what used to be called a confidence
game (congame or just con - as "I conned him out of his hard earned
cash").
Nov 22 '05 #68

"kurt wismer" <ku***@sympatic o.ca> wrote in message
news:0z******** ************@ne ws20.bellglobal .com...
Roger Wilco wrote:
This "rootkit" is a misnomer (should just call it stealthing), but what you call a rootkit is no closer to the truth it seems to me. The rootkit was a kit you could use once you already had sufficient privileges - to replace commonly used utilities and such with versions modified to help stealth whatever other activities you had in mind.


i'm familiar with that line of reasoning, however it fails to

convince...
there are those who say rootkits are for maintaining root access, those
who say rootkits are for gaining root access, and those (like the
anti-spyware coalition) who sit on the fence and say it's either one...
from a functional definition standpoint, the 'maintain' camp are lost...
hiding unspecified 'other activities' makes the definition context
sensitive (does it stop being a rootkit if the other activities cannot
possibly be hidden?)...
Nobody to the best of my knowledge has said that a "rootkit" is a
specific program or function. It is a thing without a formal definition.
It would indeed be difficult to nail it down if it is, as I say, a
collection of programs to be used by someone with newfound root access
to a UNIX machine. Just as "virus" has become synonymous with "malware"
in popular language, so has "rootkit" become synonymous with
"stealthwar e".
Getting cpu access
and root privileges is not done with a kit, but with exploit code aimed
at a vulnerability (*possibly by flawed software) either running with
privilege or possibly leveraged from the lesser privilege via an
escalation vector (possibly more flawed software) to get root.


and that couldn't possibly be with a 'kit'...


Sure it could, I just don't think the kit we're talking about was for
obtaining root permissions. One could install a rootkit no matter how
the privilege level was attained.
further, gaining root is not always done by exploiting a vulnerability
unless you widen the scope of 'vulnerability' to include users - at
which point even your rootkit would be exploiting a vulnerability.. .


Yes, I was referring to vulnerable security not just broken software or
bad configuration settings when I posted "* Could also be just poorly
configured security". I include things such as access to an already logged
on privileged user machine due to their leaving the console unattended.
An invisible janitor or courier with a disk could install a rootkit - it
is not about how it got there, it is about the fact that it IS there.

Nov 22 '05 #69
ugg... i hate catching a cold in the middle of a conversation... sorry
for the delay...

Roger Wilco wrote:
"kurt wismer" <ku***@sympatic o.ca> wrote in message
Roger Wilco wrote: [snip]
is where "kit" comes in imo.
forgive me, but isn't "root" sort of the more important part of the
compound word in question?


Not really, root could mean root directory as easily as root user. A
rootkit could be as simple as issuing the command cd\ in DOS .It really
is a stealth kit used when one has highest (or high enough) privilege to
install modified copies of utility programs.


hmmm... now that so much time has passed and things have had a chance to
settle in, do you see just how far astray you've gone here?

the 'root' in rootkit isn't necessarily about the root user? that's funny...
The quoted material from Kurt's blog defining "rootkit"
seems...well...wrong - but it wouldn't be the first time that
terminology changed through common misuse.


it may seem wrong to you but it makes perfect sense to me...

the functional behaviour of what i call rootkits explicitly involves
root/administrative privileges...


Having them - or getting them?


sophistry... getting them of course - having them is not a function, it
is a property...
the functional behaviour of what you call rootkits doesn't... their
function is to hide objects/activity...


It requires that the installer program runs with sufficient privilege.


and that is a dependency...
You can't install a rootkit without already obtaining this privilege
level by some means.
as has been the case since time immemorial, the person who uses a thing
and the person who installs that thing need not be the same person...
the malware world is rife with examples of nefarious folk getting
unsuspecting victims to install their malware...
Just "getting root" does not imply a rootkit was
used -
never said it was... what i said was that getting root is what a rootkit
helps you do, not if you got root you necessarily used a rootkit to do it...
maintaining root access is an intent, not a function, and we all know
how good a definition that involves intent is in the field of computer
science...


The UNIX "rootkit" to me is a collection of aptly named trojans suitable
for swapping out when one has sufficient privilege to do so - and with
whatever purpose the attacker has in mind (though usually to preserve
the attackers ability to maintain the machines compromised state -
stealth being a part of this).


the earliest use of the term rootkit in google's usenet archive can be
found here http://tinyurl.com/a7x62 - it's from 1994 and in it you will
find the context clearly points to rootkit being of the root gaining
variety (stealthing objects "the hard way"? sorry, that interpretation
just doesn't seem to work)... bonus points to anyone who noticed the guy
also correctly used the term cracker instead of hacker which most people
these days would have used...

this phrack article from 1999 (http://www.phrack.org/phrack/55/P55-05)
clearly lays out the 'backdoor' aspect of rootkits...

this academic slide show from 2004 (http://tinyurl.com/but5e) describes
a particular rootkit (Lrk4) behaving in such a way as to redirect
/bin/login to the rootkit's login - the obvious implication being that
login information would be gathered...

this cert taxonomy document also from 1999
(http://www.cert.org/research/taxonomy_988667.pdf) contains an entry for
something they call a toolkit which they describe as "a software package
that contains scripts, programs, or autonomous agents that exploit
vulnerabilities ", and they list as an example a well known toolkit that
went by the name "rootkit"...

another cert document from 1997
(http://www.cert.org/research/JHThesis/Chapter8.html) also makes
reference to the toolkit classification but breaks it into 2, tools
designed to exploit root access (such as the aforementioned "rootkit")
and scanners (such as the tool known as SATAN)...

finally, in this academic research paper from 1996
(http://tinyurl.com/ti5a) the toolkit known as "rootkit" is described as
something one installs *after* one gains root to a system (which i'm
sure you'll like) in order to sniff the network for credentials to use
on other systems...

i think what it comes down to is this: in the olden days network
topology looked a lot different than it does now (or people looked at it
a lot differently)... now all most people see when they look at nodes
are end-points, not potential pathways to other nodes... the point of
the rootkit was to gain root; in "rootkit"'s (and possibly many others)
case it was to gain root on a system other than the one it was installed
on by taking advantage of the fact that users of other systems may also
use the compromised system, but in general the means by which that could
be accomplished were as numerous as the stars in the sky... most attack
techniques evolve stealth tactics to help evade detection and so hold
the window of opportunity open longer and increase the chance of
success... eventually those same stealth tactics became a means by which
one could systematically detect the presence of a rootkit... at that
point what it was to be a rootkit became blurred in the eyes of the
masses just as at one point many people wrongly believed that all
viruses had to 'insert' themselves into *.exe or *.com files...
Installing a Windows filter driver to mask return information from
certain calls only resembles a rootkit on this one respect. Why do they
need to use a new term for stealth anyway? It reminds me of the "Social
Engineering" term being used for what used to be called a confidence
game (congame or just con - as "I conned him out of his hard earned
cash).


if they're going to classify something based purely on the fact that it
uses stealth technology then they need a term for that because stealth
alone has never been considered an attack technique before, it's always
been a refinement of other techniques...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
Nov 22 '05 #70
