Bytes | Software Development & Data Engineering Community

Caution SONY Music CDs have trojan Malware

Whether you are a web surfer or a C++ developer, if you use Windows be
cautioned about SONY music CDs. They contain 'viewer' type software that is
actually a trojan horse for a "rootkit". The licence agreement gives no
indication whatsoever that the 'viewer' software contains the implementation
of a nasty near-impossible to remove rootkit software.

http://www.sysinternals.com/blog/200...al-rights.html

http://www.techdirt.com/articles/200...514209_F.shtml

http://www.theregister.co.uk/2005/11/03/secfocus_drm/

--

Beware SONY Music CDs.
They contain "viewers" that are actually
rootkit viruses that are near impossible to
remove.
http://www.sysinternals.com/blog/200...al-rights.html
http://www.techdirt.com/articles/200...514209_F.shtml
Nov 3 '05
Roger Wilco wrote:
"kurt wismer" <ku***@sympatico.ca> wrote in message
Roger Wilco wrote:
This "rootkit" is a misnomer (should just call it stealthing), but
what you call a rootkit is no closer to the truth it seems to me. The
rootkit was a kit you could use once you already had sufficient privileges -
to replace commonly used utilities and such with versions modified to
help stealth whatever other activities you had in mind.
i'm familiar with that line of reasoning, however it fails to
convince...

there are those who say rootkits are for maintaining root access,
those
who say rootkits are for gaining root access, and those (like the
anti-spyware coalition) who sit on the fence and say it's either
one...
from a functional definition standpoint, the 'maintain' camp are
lost...

hiding unspecified 'other activities' makes the definition context
sensitive (does it stop being a rootkit if the other activities cannot
possibly be hidden?)...
Nobody to the best of my knowledge has said that a "rootkit" is a
specific program or function. It is a thing without a formal definition.
then you weren't reading what you quoted as i just informed you that the
anti-spyware coalition have a *formal* definition for it... see
http://www.antispywarecoalition.org/...s/glossary.htm
It would indeed be difficult to nail it down if it is, as I say, a
collection of programs to be used by someone with newfound root access
to a UNIX machine. Just as "virus" has become synonymous with "malware"
in popular language, so has "rootkit" become synonymous with
"stealthware".


and just as i hand out a swift kick in the ass to people who propagate
the absurdity that virus and malware mean the same thing, i shall hand
out a swift kick in the butt to people who propagate the idea that
rootkit == stealthware....
Getting cpu access
and root privileges is not done with a kit, but with exploit code
aimed at a vulnerability (*possibly by flawed software) either running
with privilege or possibly leveraged from the lesser privilege via an
escalation vector (possibly more flawed software) to get root.


and that couldn't possibly be with a 'kit'...


Sure it could, I just don't think the kit we're talking about was for
obtaining root permissions. One could install a rootkit no matter how
the privilege level was attained.


or, one could get root to run/install it for one...

--
"they threw a rope around yer neck to watch you dance the jig of death
then left ya for the starvin' crows, hoverin' like hungry whores
one flew down plucked out yer eye, the other he had in his sights
ya snarled at him, said leave me be - i need the bugger so i can see"
Nov 22 '05 #71
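The swap-in-trojaned-binaries picture of a UNIX rootkit that Roger describes above (modified ls, ps and friends dropped in by someone who already holds root) has a standard countermeasure: hash every binary while the tree is known-good, keep that baseline somewhere the intruder cannot reach, and compare later. The following is an added example, not code from any poster in this thread; the directory tree it builds and the file contents in it are constructed for the demonstration.

```python
"""Baseline-and-verify check for swapped-out system binaries.

Added example, not code from this thread. It is the usual answer to
the UNIX-style rootkit described above: trojaned copies of ls, ps,
netstat and similar utilities installed by someone who already holds
root. Record a hash of every binary while the tree is known-good, keep
that baseline off the machine, and compare later. The sample tree and
file contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map each regular file under root (path relative to root, with
    forward slashes) to its SHA-256. Symlinks are skipped."""
    table = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                table[rel] = sha256_of(full)
    return table


def verify(root, known_good):
    """Compare the tree with a baseline. Returns (modified, missing, added):
    files whose hash changed, files that vanished, files that appeared."""
    now = baseline(root)
    modified = sorted(p for p in known_good if p in now and now[p] != known_good[p])
    missing = sorted(p for p in known_good if p not in now)
    added = sorted(p for p in now if p not in known_good)
    return modified, missing, added


def demo(tamper=True):
    """Build a constructed bin/ tree, take a baseline, optionally play
    the intruder (swap ps, drop a backdoor, delete netstat) and verify."""
    with tempfile.TemporaryDirectory() as d:
        bindir = os.path.join(d, "bin")
        os.mkdir(bindir)
        originals = {
            "ls": b"original ls (constructed stand-in for the real binary)\n",
            "ps": b"original ps\n",
            "netstat": b"original netstat\n",
        }
        for name, body in originals.items():
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        known_good = baseline(d)  # in practice: stored off-box, read-only
        if tamper:
            with open(os.path.join(bindir, "ps"), "wb") as f:
                f.write(b"trojaned ps: omits the intruder's processes\n")
            with open(os.path.join(bindir, "login.bak"), "wb") as f:
                f.write(b"backdoor left behind\n")
            os.remove(os.path.join(bindir, "netstat"))
        return verify(d, known_good)


if __name__ == "__main__":
    modified, missing, added = demo()
    print("modified:", modified, "missing:", missing, "added:", added)
```

The check is only as honest as the pieces it runs on: the hashing tool, the kernel's file-read path and the stored baseline all have to be trusted. A replaced sha256sum or a kernel-level stealth layer can answer this comparison with the original bytes, which is why the comparison is normally run from clean boot media or against an offline copy of the disk.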

"kurt wismer" <ku***@sympatico.ca> wrote in message
news:Lz*******************@news20.bellglobal.com...
ugg... i hate catching a cold in the middle of a conversation... sorry
for the delay...
No problem, I'm not online every day anyway. Hope you're feeling better.
Roger Wilco wrote:
"kurt wismer" <ku***@sympatico.ca> wrote in message
Roger Wilco wrote: [snip] is where "kit" comes in imo.

forgive me, but isn't "root" sort of the more important part of the
compound word in question?
Not really, root could mean root directory as easily as root user. A
rootkit could be as simple as issuing the command cd\ in DOS. It really
is a stealth kit used when one has highest (or high enough) privilege to
install modified copies of utility programs.


hmmm... now that so much time has passed and things have had a chance
to settle in, do you see just how far astray you've gone here?
Not really, there are already other ways to describe privilege levels -
the word "root" is not really a good substitute for "most privileged"
since it already refers to many other things that can be viewed as a
"tree".
the 'root' in rootkit isn't necessarily about the root user? that's funny...

I'm just saying that "root" is UNIX slang for the "most privileged"
user - but the word "root" is not suitable comp sci terminology as there
are many other uses.
The quoted material from Kurt's blog defining "rootkit"
seems...well...wrong - but it wouldn't be the first time that
terminology changed through common misuse.

it may seem wrong to you but it makes perfect sense to me...

the functional behaviour of what i call rootkits explicitly involves
root/administrative privileges...


Having them - or getting them?


sophistry... getting them of course - having them is not a function,
it is a property...
Well.. I'll agree to disagree then. To me it is a collection to use once
you have sufficient privilege. The idea is to leverage your newly found
"root" privilege into further compromising the machine or network.
the functional behaviour of what you call rootkits doesn't... their
function is to hide objects/activity...
Not only that - but yes ... it would be a good thing to do.
It requires that the installer program runs with sufficient privilege.
and that is a dependency...
You can't install a rootkit without already obtaining this privilege
level by some means.
as has been the case since time immemorial, the person who uses a
thing and the person who installs that thing need not be the same person...
the malware world is rife with examples of nefarious folk getting
unsuspecting victims to install their malware...
Just "getting root" does not imply a rootkit was
used -
never said it was... what i said was that getting root is what a
rootkit helps you do, not if you got root you necessarily used a rootkit
to do it...

Having root allows you to install a rootkit, Getting root is outside the
scope of what a rootkit does in the first instance, although having it
(root, and the rootkit) can lead to additional machines being rooted
(and rootkitted).
maintaining root access is an intent, not a function, and we all know how
good a definition that involves intent is in the field of computer science...


The UNIX "rootkit" to me is a collection of aptly named trojans
suitable for swapping out when one has sufficient privilege to do so - and
with whatever purpose the attacker has in mind (though usually to preserve
the attacker's ability to maintain the machine's compromised state -
stealth being a part of this).


the earliest use of the term rootkit in google's usenet archive can be
found here http://tinyurl.com/a7x62 - it's from 1994 and in it you will
find the context clearly points to rootkit being of the root gaining
variety
I didn't read it that way at all. He was referring disgustedly to the
"kit' aspect as a ready made decidedly not a "do-it-yourself"
combination of exploiter and rootkit - maybe implying the skill level of
his attacker was well beyond "script kiddie". The fact is that a skilled
cracker can make his own collection, to suit his target, and it is still
a rootkit.

What you describe (as rootkit) is more like what that poster describes
as "exploiter" software - specifically exploiter software that ends up
with your gaining root access.
(stealthing objects "the hard way"? sorry, that interpretation
just doesn't seem to work)... bonus points to anyone who noticed the guy also correctly used the term cracker instead of hacker which most people these days would have used...
:))
this phrack article from 1999 (http://www.phrack.org/phrack/55/P55-05)
clearly lays out the 'backdoor' aspect of rootkits...
[snip - thanks for the links]
another cert document from 1997
(http://www.cert.org/research/JHThesis/Chapter8.html) also makes
reference to the toolkit classification but breaks it into 2, tools
designed to exploit root access
Again, to me "exploit root access" in this context means exploiting
(leveraging) the fact of root access. You can't exploit root access in
the sense that you can exploit vulnerabilities in broken software. You
can exploit the broken software to attain root access - but this is an
exploiter not a rootkit. Here they meant (to me at least) that they are
designed to exploit (make use of) root access, not that they are
exploits (injection vector w/payload) to attain root access.
i think what it comes down to is this: in the olden days network
topology looked a lot different than it does now (or people looked at it a lot differently)... now all most people see when they look at nodes
are end-points, not potential pathways to other nodes... the point of
the rootkit was to gain root; in "rootkit"'s (and possibly many others) case it was to gain root on a system other than the one it was installed on by taking advantage of the fact that users of other systems may also use the compromised system, but in general the means by which that could be accomplished were as numerous as the stars in the sky... most attack techniques evolve stealth tactics to help evade detection and so hold
the window of opportunity open longer and increase the chance of
success... eventually those same stealth tactics became a means by which one could systematically detect the presence of a rootkit... at that
point what it was to be a rootkit became blurred in the eyes of the
masses just as at one point many people wrongly believed that all
viruses had to 'insert' themselves into *.exe or *.com files...
To me, a rootkit could also be installed on a system with no attempts at
further compromise of other systems or machines. To me, it doesn't
matter what programs/functions were chosen for inclusion in the kit.
Obviously one would choose stealth in most cases - but it would not be
limited to, nor required to include, stealthing.
Installing a Windows filter driver to mask return information from
certain calls only resembles a rootkit in this one respect. Why do they need to use a new term for stealth anyway? It reminds me of the "Social Engineering" term being used for what used to be called a confidence
game (congame or just con - as "I conned him out of his hard earned
cash).


if they're going to classify something based purely on the fact that
it uses stealth technology then they need a term for that because stealth
alone has never been considered an attack technique before, it's always
been a refinement of other techniques...


True here too - the rootkit is not the attack. The rootkit comes after
the attack has resulted in root access.
Nov 22 '05 #72
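Two things in the post above are worth seeing in code: Kurt's remark that the stealth tactics themselves became a systematic way to detect a rootkit, and Roger's description of a Windows filter driver that masks return information from certain calls. Put together, that is cross-view detection: take the same listing through the normal (possibly filtered) call path and through a path the filter does not cover, and anything present in the second but not the first is being hidden. The block below is an added example, not code from either poster or from any product the thread mentions; both views are simulated in pure Python on a temporary directory, and the "$sys$" marker and the file names are assumptions constructed for the example.

```python
"""Cross-view detection of entries a stealth filter hides.

Added example, not code from this thread or from any product mentioned
in it. A filter of the kind described above works by answering ordinary
directory-enumeration calls with a trimmed list. The detector does not
look for the filter; it takes two views of the same directory, one
through the (possibly filtered) normal path and one through a path the
filter does not sit on, and reports the difference. Both views are
simulated here; the "$sys$" marker and the file names are assumptions
constructed for the example.
"""
import os
import tempfile

HIDDEN_PREFIX = "$sys$"  # assumed cloaking marker; a real filter keys on whatever its author chose


def filtered_listdir(path):
    """Stand-in for the filtered (hooked) enumeration call: every entry
    except the ones the stealth layer wants to cloak."""
    return [e for e in os.listdir(path) if not e.startswith(HIDDEN_PREFIX)]


def raw_listdir(path):
    """Stand-in for an enumeration path the filter does not cover
    (raw volume parsing, a different syscall route, an offline boot).
    Plain os.listdir plays that role here."""
    return list(os.listdir(path))


def cross_view_diff(path, high_view=filtered_listdir, low_view=raw_listdir):
    """Entries present in the low-level view but absent from the
    high-level one. Anything returned is being hidden from normal
    callers; the hiding itself is the detectable signature."""
    return sorted(set(low_view(path)) - set(high_view(path)))


def demo(plant_hidden=True):
    """Build a constructed directory, optionally plant cloaked entries,
    and return what the cross-view check finds."""
    with tempfile.TemporaryDirectory() as d:
        names = ["readme.txt", "notes.log"]
        if plant_hidden:
            names += ["$sys$hidden.sys", "$sys$hidden.dat"]
        for name in names:
            with open(os.path.join(d, name), "w") as f:
                f.write("constructed sample content\n")
        return cross_view_diff(d)


if __name__ == "__main__":
    print("hidden entries:", demo())
```

The same set subtraction works for processes (an API-enumerated list against every PID reached by another route) and for registry keys or sockets. The result is only as good as the independence of the low view: if the stealth layer sits underneath both enumeration paths, the diff comes back empty and you are back to checking the disk offline.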

"kurt wismer" <ku***@sympatico.ca> wrote in message
news:FC*******************@news20.bellglobal.com...
Nobody to the best of my knowledge has said that a "rootkit" is a
specific program or function. It is a thing without a formal definition.

then you weren't reading what you quoted as i just informed you that the anti-spyware coalition have a *formal* definition for it... see
http://www.antispywarecoalition.org/...s/glossary.htm


I dislike definitions like that. The "gains or maintains administrator
level access" part makes both of us neither right nor wrong - and opens
the door for any exploit or combination of exploits that achieve root
access to be called rootkits. So now a DoS attack against a process
running with root privilege is a rootkit. Even if it has no staying
power. The injection vectors' "payload" code doesn't even have to
properly execute.

I suppose their definition is good enough for them though...did you read
some of their other definitions?
It would indeed be difficult to nail it down if it is, as I say, a
collection of programs to be used by someone with newfound root access to a UNIX machine. Just as "virus" has become synonymous with "malware" in popular language, so has "rootkit" become synonymous with
"stealthware".


and just as i hand out a swift kick in the ass to people who propagate
the absurdity that virus and malware mean the same thing, i shall hand
out a swift kick in the butt to people who propagate the idea that
rootkit == stealthware....


This I agree with - stealthware is only a part of what rootkits can
contain and it is not entirely necessary that they even contain this.
Getting cpu access
and root privileges is not done with a kit, but with exploit code
aimed at a vulnerability (*possibly by flawed software) either running
with privilege or possibly leveraged from the lesser privilege via an
escalation vector (possibly more flawed software) to get root.

and that couldn't possibly be with a 'kit'...


Sure it could, I just don't think the kit we're talking about was for obtaining root permissions. One could install a rootkit no matter how the privilege level was attained.


or, one could get root to run/install it for one...


Sure, by attaching an exploiter to the front, Or by having the exploit's
injection vector's payload code obtain and install it from elsewhere.
Nov 22 '05 #73
Roger Wilco wrote:
"kurt wismer" <ku***@sympatico.ca> wrote in message
Roger Wilco wrote:
"kurt wismer" <ku***@sympatico.ca> wrote in message
Roger Wilco wrote:[snip]
>is where "kit" comes in imo.

forgive me, but isn't "root" sort of the more important part of the
compound word in question?

Not really, root could mean root directory as easily as root user. A
rootkit could be as simple as issuing the command cd\ in DOS. It
really is a stealth kit used when one has highest (or high enough)
privilege to install modified copies of utility programs.


hmmm... now that so much time has passed and things have had a chance
to settle in, do you see just how far astray you've gone here?


Not really, there are already other ways to describe privilege levels -
the word "root" is not really a good substitute for "most privileged"
since it already refers to many other things that can be viewed as a
"tree".


all words can be ambiguous in one context or another, however in the
context we're talking about root is most certainly not related to trees...

further, the "root" in rootkit never applies to the root directory on a
drive... these are all red-herrings...
the 'root' in rootkit isn't necessarily about the root user? that's
funny...


I'm just saying that "root" is UNIX slang for the "most privileged"
user - but the word "root" is not suitable comp sci terminology as there
are many other uses.


technical jargon != slang...

as for suitability, extra-contextual uses do not affect a term's
suitability for use in computer science... you don't see people
complaining about ambiguity of terms like port or packet or pipe, do you?
>The quoted material from Kurt's blog defining "rootkit"
>seems...well...wrong - but it wouldn't be the first time that
>terminology changed through common misuse.

it may seem wrong to you but it makes perfect sense to me...

the functional behaviour of what i call rootkits explicitly involves
root/administrative privileges...

Having them - or getting them?


sophistry... getting them of course - having them is not a function,
it is a property...


Well.. I'll agree to disagree then. To me it is a collection to use once
you have sufficient privilege. The idea is to leverage your newly found
"root" privilege into further compromising the machine or network.


and here you've slipped up... if you have root on machine A you cannot
further compromise machine A, therefore you can only further compromise
the network - which you do by compromising other machines on the
network, by gaining root (or privileges that can be escalated to root)
on them...

therefore you're actually agreeing with me...
the functional behaviour of what you call rootkits doesn't... their
function is to hide objects/activity...
Not only that - but yes ... it would be a good thing to do.


you have made it quite clear that you think a rootkit in the unix sense
is a set of replacement binaries designed to hide your presence... if
that is so then the function of a rootkit in your terms is to hide things...

[snip]
Just "getting root" does not imply a rootkit was
used -


never said it was... what i said was that getting root is what a
rootkit helps you do, not if you got root you necessarily used a rootkit
to do it...


Having root allows you to install a rootkit, Getting root is outside the
scope of what a rootkit does in the first instance, although having it
(root, and the rootkit) can lead to additional machines being rooted
(and rootkitted).


i think you have that backwards... a rootkit is always about getting
root, but the first root you get on a network may not have been through
the use of a rootkit...

[snip]
The UNIX "rootkit" to me is a collection of aptly named trojans
suitable for swapping out when one has sufficient privilege to do so - and
with whatever purpose the attacker has in mind (though usually to preserve
the attacker's ability to maintain the machine's compromised state -
stealth being a part of this).


the earliest use of the term rootkit in google's usenet archive can be
found here http://tinyurl.com/a7x62 - it's from 1994 and in it you will
find the context clearly points to rootkit being of the root gaining
variety


I didn't read it that way at all. He was referring disgustedly to the
"kit' aspect as a ready made decidedly not a "do-it-yourself"
combination of exploiter and rootkit - maybe implying the skill level of
his attacker was well beyond "script kiddie". The fact is that a skilled
cracker can make his own collection, to suit his target, and it is still
a rootkit.


i'm sorry but your analysis has missed the mark... the context is
clearly about penetration of the machine, not persistence on the
machine... his use of rootkit in that context implies that rootkits are
generally used in the penetration phase (although not in his specific
case)...
What you describe (as rootkit) is more like what that poster describes
as "exploiter" software - specifically exploiter software that ends up
with your gaining root access.
then i suggest you go back and re-read... those exploiters are what *he*
refers to when he says "steenking rootkit toolbox stuff"...

[snip]
another cert document from 1997
(http://www.cert.org/research/JHThesis/Chapter8.html) also makes
reference to the toolkit classification but breaks it into 2, tools
designed to exploit root access

Again, to me "exploit root access" in this context means exploiting
(leveraging) the fact of root access.


that's all well and nice... but what it means to you is irrelevant as
they specify an example of what they meant and the example was the
toolkit known as "rootkit", whose properties and functions are well
documented...
You can't exploit root access in
the sense that you can exploit vulnerabilities in broken software. You
can exploit the broken software to attain root access - but this is an
exploiter not a rootkit. Here they meant (to me at least) that they are
designed to exploit (make use of) root access, not that they are
exploits (injection vector w/payload) to attain root access.
they meant tools like "rootkit"... it was designed to sniff passwords so
as to allow you to gain root on machines other than the one it was
installed on...
i think what it comes down to is this: in the olden days network
topology looked a lot different than it does now (or people looked at
it a lot differently)... now all most people see when they look at nodes
are end-points, not potential pathways to other nodes... the point of
the rootkit was to gain root; in "rootkit"'s (and possibly many others)
case it was to gain root on a system other than the one it was installed
on by taking advantage of the fact that users of other systems may also
use the compromised system, but in general the means by which that could
be accomplished were as numerous as the stars in the sky... most attack
techniques evolve stealth tactics to help evade detection and so hold
the window of opportunity open longer and increase the chance of
success... eventually those same stealth tactics became a means by which
one could systematically detect the presence of a rootkit... at that
point what it was to be a rootkit became blurred in the eyes of the
masses just as at one point many people wrongly believed that all
viruses had to 'insert' themselves into *.exe or *.com files...


To me, a rootkit could also be


can i be blunt (or perhaps just curt)?... don't you think we're past the
point in the discussion where you tell me what you *feel* a rootkit is?
installed on a system with no attempts at
further compromise of other systems or machines.
??? i'm sorry, am i reading this right? people compromise machines in
order to 'hang out' on them? that's pretty much what it amounts to if
you make no attempts to further compromise anything else...
To me, it doesn't
matter what programs/functions were chosen for inclusion in the kit.
Obviously one would choose stealth in most cases - but it would not be
limited to, nor required to include, stealthing.


then there is no reason to call them *root*kits... i'm sorry but where i
come from people (especially people who come up with new classifications
for things) do things for a reason...

[snip]
if they're going to classify something based purely on the fact that
it uses stealth technology then they need a term for that because stealth
alone has never been considered an attack technique before, it's always
been a refinement of other techniques...


True here too - the rootkit is not the attack. The rootkit comes after
the attack has resulted in root access.


the rootkit is *part* of the attack... you're hiding your presence on a
system for a *reason*... either what you want is there for the taking
and you take it (in which case hiding your presence isn't necessary,
hiding your point of origin is), or you're waiting for something -
something like oh i don't know maybe passwords to other systems...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Nov 22 '05 #74
Roger Wilco wrote:
"kurt wismer" <ku***@sympatico.ca> wrote in message
Nobody to the best of my knowledge has said that a "rootkit" is a
specific program or function. It is a thing without a formal definition.
then you weren't reading what you quoted as i just informed you that
the anti-spyware coalition have a *formal* definition for it... see
http://www.antispywarecoalition.org/...s/glossary.htm
I dislike definitions like that.


i dislike fence-sitting as well...
The "gains or maintains administrator
level access" part makes both of us neither right nor wrong - and opens
the door for any exploit or combination of exploits that achieve root
access to be called rootkits. So now a DoS attack against a process
running with root privilege is a rootkit. Even if it has no staying
power. The injection vectors' "payload" code doesn't even have to
properly execute.

I suppose their definition is good enough for them though...did you read
some of their other definitions?


yes... most of the definitions aren't *too* bad, however their main idea
of using spyware as an umbrella term is rather idiotic...

[snip]
>Getting cpu access
>and root privileges is not done with a kit, but with exploit code
>aimed at a vulnerability (*possibly by flawed software) either running
>with privilege or possibly leveraged from the lesser privilege via an
>escalation vector (possibly more flawed software) to get root.

and that couldn't possibly be with a 'kit'...

Sure it could, I just don't think the kit we're talking about was
for obtaining root permissions. One could install a rootkit no matter
how the privilege level was attained.


or, one could get root to run/install it for one...


Sure, by attaching an exploiter to the front, Or by having the exploit's
injection vector's payload code obtain and install it from elsewhere.


no, no, i mean the person who has root privileges... root is actually a
principal, a 'user' of the system...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Nov 22 '05 #75

kurt wismer wrote:
i dislike fence-sitting as well...


Do you hear it? It's the sound of a dead horse. :) This is truly a
lost cause Kurt. It's akin to playing with the trolls. If he feels a
rootkit is something that "hides" itself, leave him be. Ignorance
knows no bounds anyway, you should know this.

Regards,
Dustin Cook
http://bughunter.atspace.org

Nov 23 '05 #76
Dustin Cook wrote:
Ignorance
knows no bounds
Retard,
Dustin Cook


New sig? Very apt for you.
Nov 23 '05 #77
Dustin Cook wrote:
kurt wismer wrote:
i dislike fence-sitting as well...
Do you hear it? It's the sound of a dead horse. :) This is truly a
lost cause Kurt. It's akin to playing with the trolls.


....says the guy who plays with the trolls... my killfile is now several
orders of magnitude larger than it was before thanks to you...
If he feels a
rootkit is something that "hides" itself, leave him be. Ignorance
knows no bounds anyway, you should know this.


even when the principals in a discussion make no headway, the gallery
can still be better off for knowing more than it did before...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Nov 23 '05 #78

"kurt wismer" <ku***@sympatico.ca> wrote in message
news:9e*******************@news20.bellglobal.com...
Roger Wilco wrote:
[snipped - getting too long]
Not really, there are already other ways to describe privilege levels -
the word "root" is not really a good substitute for "most privileged" since it already refers to many other things that can be viewed as a
"tree".


all words can be ambiguous in one context or another, however in the
context we're talking about root is most certainly not related to
trees...

If you view privilege levels as one with most privilege and others with
different subsets of permissions (like inheritance in forking child
processes - a family tree) then you can see that we are indeed talking
about "most privileged" being the 'root' of a 'tree' structure. Much the
same as directory structures can be viewed as trees.
further, the "root" in rootkit never applies to the root directory on a drive... these are all red-herrings...
Geesh - it applies to UNIX slang for most privileged user in a multiuser
environment. That doesn't mean it is a computer science-wide term any
more than "folder" from Windows slang becomes the replacement for
"directory" in describing a filesystem.
the 'root' in rootkit isn't necessarily about the root user? that's
funny...


I'm just saying that "root" is UNIX slang for the "most privileged"
user - but the word "root" is not suitable comp sci terminology as there
are many other uses.


technical jargon != slang...


In many cases it should, especially when there is already a technical
term to describe a thing and someone 'invents' a new term to describe
it.
as for suitability, extra-contextual uses do not affect a term's
suitability for use in computer science... you don't see people
complaining about ambiguity of terms like port or packet or pipe, do you?

They're pretty much accepted terms no matter what OS you're talking
about aren't they? You talk about traversing directories even though
Microsoft might like to call it 'browsing folders'. Directory traversal
exploits don't suddenly become folder browsing exploits just because
Microsoft prefers other names for things.

[snip]
Well.. I'll agree to disagree then. To me it is a collection to use once you have sufficient privilege. The idea is to leverage your newly found "root" privilege into further compromising the machine or network.


and here you've slipped up... if you have root on machine A you cannot
further compromise machine A,


Not even by making it available for others to get the same privilege? If
I get physical access to a machine with root user logged on that is a
sort of compromise (security is compromised, but the machine itself is
unchanged). If I want back in, I would have to dress up like a courier
again and hope that the opportunity again presents itself. If while
there I make provisions for re-entry from a remote location the machine
is then compromised (changed).
therefore you can only further compromise
the network - which you do by compromising other machines on the
network, by gaining root (or privileges that can be escalated to root)
on them...
Having me logged on as root user (unauthorized) is a breach of security.
The machine is not compromised in the sense that it is still configured
exactly as it was before I got access. In this case the network is
compromised because physical access restrictions weren't properly
enforced.
therefore you're actually agreeing with me...
I agree to disagree.
>the functional behaviour of what you call rootkits doesn't... their
>function is to hide objects/activity...


Not only that - but yes ... it would be a good thing to do.


you have made it quite clear that you think a rootkit in the unix
sense is a set of replacement binaries designed to hide your presence...
No, that is only one intent. It could be a set of programs that cause
information to leak out (or trickle in). Hiding whatever programs and
processes you add to the system is so commonly done that "hiding" has
now become synonymous with "rootkit'.
if that is so then the function of a rootkit in your terms is to hide things...

That is not at all what I am saying. Picture a kiddie with a t-shirt
that says "Got root?". I'm sure you've seen such shirts. The rootkit's
function is to answer the unasked question "what do I do next".

Yes, the meaning of rootkit has evidently changed now to mean hiding
whatever it is you decided to do next.
Having root allows you to install a rootkit, Getting root is outside the
scope of what a rootkit does in the first instance, although having it (root, and the rootkit) can lead to additional machines being rooted
(and rootkitted).


i think you have that backwards... a rootkit is always about getting
root, but the first root you get on a network may not have been
through the use of a rootkit...
From: http://www.sans.org/y2k/TFN_toolkit.htm

"The Attack

The hackers are using buffer overflow exploits on rpc.ttdbserverd,
rpc.cmsd, sadmind, rpc.statd to gain root access to a machine. In some
cases, they use a variant of the /tmp/bob attack which is associated
with the ffcore buffer overflow exploit. In any event, if they are successful
in gaining access, they ftp the toolkit into a directory on the machine
...."

Here you see that they mention the root access happening prior to the
FTPing of the "kit" - and also they mention earlier " I'd classify this
attack as a simple rootkit style attack with a DoS payload." so the
payload here isn't further rooting of more machines.

[snip]
found here http://tinyurl.com/a7x62 - it's from 1994 and in it you will
find the context clearly points to rootkit being of the root gaining
variety


I didn't read it that way at all. He was referring disgustedly to the
"kit' aspect as a ready made decidedly not a "do-it-yourself"
combination of exploiter and rootkit - maybe implying the skill level of his attacker was well beyond "script kiddie". The fact is that a skilled cracker can make his own collection, to suit his target, and it is still a rootkit.


i'm sorry but your analysis has missed the mark... the context is
clearly about penetration of the machine, not persistence on the
machine... his use of rootkit in that context implies that rootkits
are generally used in the penetration phase (although not in his specific
case)...
Not really, the context (concerning his use of the word) is a
disparaging remark - putting down users of kits of any kind because they
often are using the kit without nearly the skill level of one who writes
kits. His point is that his attacker is no script kiddy toolkit user but
instead is a skilled intruder. He "did it the hard way" refers to his
belief that the intruder wrote his own exploits rather than using
available kits written by others.
What you describe (as rootkit) is more like what that poster describes
as "exploiter" software - specifically exploiter software that ends up
with your gaining root access.


then i suggest you go back and re-read... those exploiters are what
*he* refers to when he says "steenking rootkit toolbox stuff"...
Yes, but again his intention seems to be to belittle the kiddies who use
kits written by others, not to use the term in its most correct form.
[snip] another CERT document from 1997
(http://www.cert.org/research/JHThesis/Chapter8.html) also makes
reference to the toolkit classification but breaks it into 2, tools
designed to exploit root access

Again, to me "exploit root access" in this context means exploiting
(leveraging) the fact of root access.


that's all well and nice... but what it means to you is irrelevant as
they specify an example of what they meant and the example was the
toolkit known as "rootkit", whose properties and functions are well
documented...


A "rootkit" and a program calling itself "rootkit" are not the same
thing. The program calling itself rootkit does also happen to be one,
but that program and "all" of its functions are not what defines a
rootkit.

Again in this document
https://tms.symantec.com/members/Ana...HV4Rootkit.pdf
the access (via exploit of a vulnerability) comes prior to, and apart
from, the installation of the rootkit. The rootkit itself does not
contain the means to obtain root access.
You can't exploit root access in
the sense that you can exploit vulnerabilities in broken software. You
can exploit the broken software to attain root access - but this is an
exploiter, not a rootkit. Here they meant (to me at least) that they are
designed to exploit (make use of) root access, not that they are
exploits (injection vector w/payload) to attain root access.


they meant tools like "rootkit"... it was designed to sniff passwords
so as to allow you to gain root on machines other than the one it was
installed on...
But that was not the defining feature.
i think what it comes down to is this: in the olden days network
To me, a rootkit could also be


can i be blunt (or perhaps just curt)?... don't you think we're past
the point in the discussion where you tell me what you *feel* a rootkit
is?

Absolutely, since you won't listen. I'll agree to disagree and will not
discuss it further since no-one else in these groups seems interested.
Nov 24 '05 #79

"kurt wismer" <ku***@sympatico.ca> wrote in message
news:eC*******************@news20.bellglobal.com...
Dustin Cook wrote:
kurt wismer wrote:
i dislike fence-sitting as well...
Do you hear it? It's the sound of a dead horse. :) This is truly a
lost cause Kurt. It's akin to playing with the trolls.


...says the guy who plays with the trolls... my killfile is now
several orders of magnitude larger than it was before thanks to you...
:))
If he feels a
rootkit is something that "hides" itself, leave him be. Ignorance
knows no bounds anyway, you should know this.


Speaking of ignorance... yet you fail to realize that my view isn't at
all what you suggest it is.

Kurt is of the opinion that the word "root" in rootkit is there because
rootkits are designed to "get root" either on the current machine or on
subsequent machines. On the other hand my opinion is that the word is
there because that privilege level is required prior to attempting to
implement installation of the kit.

We both agree (I think) that the current usage (with regard to this
thread) is somewhat inappropriate because "stealthware" is only a part
of what a rootkit is. Kurt is a tenacious debater and very difficult to
persuade, and I will not continue to try.
even when the principals in a discussion make no headway, the gallery
can still be better off for knowing more than it did before...


Agreed!

Thanks for the discussion anyway.
Nov 24 '05 #80