Can a rootkit hide data when c$ viewed as a remote share?

6 Posts
3 Users
0 Reactions
382 Views
(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

A colleague and I are reviewing a SUSE-based timeline-generating kit that generates something similar to a super timeline, except it can be used on a live OS from the LiveCD via a mounted share. My thought was: what if we notify an agency that we just saw a Snort alert on an IP in their location? The techs for that agency could fire up this LiveCD, connect to the machine's C$ share and generate the timeline while running other tools that allow sending suspect files to VirusTotal etc., while this timeline tool is being run. What I was wondering is, though a properly functioning rootkit will hide itself from ring 3 tools running on the compromised OS, will the rootkit still be hiding its files when accessed via CIFS shares from a Linux machine across the network?

In case my explanation isn't clear, which I think it isn't, here would be the steps:

Snort detects a possible drive-by.
We notify the agency.
Agency tech fires up a laptop with the SUSE-based volatile data collection tool.
Tech connects the SUSE laptop to the suspect machine's C$ share and starts looking for suspicious data.
Steps this tool uses for finding suspicious data are running various Linux-based antivirus tools.
Running a supertimeline tool that parses the registry, event logs and MAC dates.

Question:
Does the rootkit prevent the anti-malware tools from seeing the infected files during a scan, or during MAC date collection of all files on the machine?

If rootkits running at ring 0 hide stuff from apps running at ring 3, what ring is the share performed from, and would it be able to hide the files from being seen on a network share?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The answer is, it depends…on the implementation of the rootkit.

In one of my previous books, I described how user-mode rootkits could be easily detected via differential analysis of the system using local vs remote data collection.

My recommendation would be to give it a shot and see what you find.

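One way to carry out the differential analysis keydet89 describes, as an added example that is not part of the original thread: compare a file listing collected on the host itself (by ring 3 tools, so subject to a user-mode rootkit) with one collected over the C$ share from the Linux side, and report what only the share sees. The CSV listing format (path,size,mtime), the mount point /mnt/c$ and the sample rows are all constructed assumptions for the demonstration.

```python
"""Local-vs-remote listing diff. Paths the share shows but the on-host
listing lacks are candidates for rootkit hiding; size/mtime disagreements
on paths both sides see are worth a second look too."""
import csv
import io

def normalize(path: str, strip_prefix: str) -> str:
    """Map both views onto one key: drop the collection-side prefix
    (C:\\ on the host, /mnt/c$ on the share), use forward slashes and
    fold case, since NTFS path lookups are case-insensitive."""
    p = path.replace("\\", "/")
    prefix = strip_prefix.replace("\\", "/")
    if p.lower().startswith(prefix.lower()):
        p = p[len(prefix):]
    return p.strip("/").lower()

def load_listing(text: str, strip_prefix: str) -> dict:
    """Parse assumed 'path,size,mtime' rows into {key: (size, mtime)}."""
    rows = csv.DictReader(io.StringIO(text))
    return {normalize(r["path"], strip_prefix): (int(r["size"]), r["mtime"]) for r in rows}

def diff_listings(local: dict, remote: dict) -> dict:
    """Three findings: only-remote (hidden locally), only-local, metadata mismatch."""
    both = set(local) & set(remote)
    return {
        "hidden_locally": sorted(set(remote) - set(local)),
        "only_local": sorted(set(local) - set(remote)),
        "mismatched": sorted(p for p in both if local[p] != remote[p]),
    }

# Constructed sample data: the on-host listing omits a driver and a DLL that
# the listing taken over the share still sees, and readme.txt differs in size.
LOCAL_CSV = """path,size,mtime
C:\\Windows\\System32\\kernel32.dll,1114112,2009-07-14T01:41:52
C:\\Windows\\System32\\drivers\\ndis.sys,663040,2009-07-14T01:40:30
C:\\Users\\Public\\readme.txt,120,2010-03-01T10:00:00
"""
REMOTE_CSV = """path,size,mtime
/mnt/c$/Windows/System32/kernel32.dll,1114112,2009-07-14T01:41:52
/mnt/c$/Windows/System32/drivers/ndis.sys,663040,2009-07-14T01:40:30
/mnt/c$/Windows/System32/drivers/hidden.sys,40960,2010-03-02T03:14:15
/mnt/c$/Windows/System32/hidden.dll,20480,2010-03-02T03:14:15
/mnt/c$/Users/Public/readme.txt,128,2010-03-01T10:00:00
"""

def run_sample() -> dict:
    """Diff the constructed listings; prefixes match how each side was collected."""
    return diff_listings(load_listing(LOCAL_CSV, "C:\\"),
                         load_listing(REMOTE_CSV, "/mnt/c$"))
```

A kernel-mode rootkit that filters the file system for every caller, the SMB server included, will not show up this way, which is why keydet89 says it depends on the implementation.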
(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

OK. Since this will hopefully be an ongoing event, I'll read up on it. Which book? I have Windows Forensics and Incident Recovery, the new green book, and I thought I had another older book, but it's at home…
Let me know which one, and I'll get to it this weekend.

(@spawn)
Eminent Member
Joined: 17 years ago
Posts: 34
 

Rootkits: Subverting the Windows Kernel
Publisher: Addison-Wesley; 1st edition (22 July 2005)
Language: English
ISBN-10: 0321294319
ISBN-13: 978-0321294319

(@bdmeyer)
Eminent Member
Joined: 16 years ago
Posts: 36
Topic starter  

Thanks. We have that book in our library also. I appreciate the info.

–Bruce

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Which book? I have Windows Forensics and Incident Recovery, the new green book, and I thought I had another older book, but it's at home…
Let me know which one, and I'll get to it this weekend.

I'd start by cracking each one open, starting with the first one…seriously.
