On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:

>     Also, this is not just like tripwire.  If the kernel is compromised 
> and reporting false data to tripwire then tripwire can run along merrily 
> thinking everything's great.  This is why booting to a trusted kernel 
> is important for the process.  Exploiting Software by Hoglund and McGraw 
> has a discussion on these types of rootkits.  Tripwire, however, does 
> great at detecting other sorts of intrusions.

Actually, the "prior art" *is* tripwire.  If you run tripwire on the live
system, then run it while booted from a CD, and they produce different
results, you have a problem.

And that's what they're doing by doing a 'dir /a /s' on the live system,
then booting the Windows PE CD, and looking for differences....

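The comparison the reply describes (a `dir /a /s` listing taken on the live system against one taken from the same volume after booting a Windows PE CD) can be automated. The script below is an added illustration, not code from this thread or from any of the tools named in it: it parses the text format that `dir /a /s` prints, normalizes away the drive letter (under Windows PE the system volume is usually mounted under a different letter than it has when live), and reports entries the offline view sees but the live view does not, entries only the live view sees, and files whose sizes disagree. The two listings embedded below are constructed samples, and the file names `hidden_example.sys` and `hidden_dir_example` are made up for the demonstration.

```python
import re
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    size: int      # bytes; -1 for directories
    is_dir: bool


# "dir /a /s" prints a "Directory of X" header, then one line per entry:
#   03/17/2005  09:12 AM           982,016 kernel32.dll
#   03/17/2005  10:00 AM    <DIR>          .
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
ENTRY_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s*[AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def parse_dir_listing(text: str) -> Dict[str, Entry]:
    """Map each drive-letter-independent, lower-cased path to its Entry."""
    entries: Dict[str, Entry] = {}
    current = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            # Drop the drive letter so C:\Windows (live) and D:\Windows (WinPE) compare equal.
            current = DRIVE_PREFIX.sub("", m.group(1)).rstrip("\\").lower()
            continue
        m = ENTRY_LINE.match(line)
        if not m or current is None:
            continue  # summary lines ("2 File(s) ..."), blank lines, volume banner
        size_field, name = m.group(3), m.group(4)
        if name in (".", ".."):
            continue
        is_dir = size_field == "<DIR>"
        size = -1 if is_dir else int(size_field.replace(",", ""))
        entries[f"{current}\\{name.lower()}"] = Entry(size, is_dir)
    return entries


def diff_listings(live: Dict[str, Entry], offline: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Compare the live view against the offline (trusted-kernel) view."""
    return {
        # Present on disk, invisible to the running kernel: the rootkit signature tripwire misses.
        "hidden_from_live": sorted(p for p in offline if p not in live),
        # Seen only by the live kernel (e.g. deleted between the two runs, or fabricated).
        "only_in_live": sorted(p for p in live if p not in offline),
        # Same name, different size: the live kernel is not reporting the real file.
        "size_mismatch": sorted(
            p for p in offline if p in live and offline[p] != live[p]
        ),
    }


# Constructed sample: listing taken on the running system (C: drive).
LIVE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Windows\\System32

03/17/2005  10:00 AM    <DIR>          .
03/17/2005  10:00 AM    <DIR>          ..
03/17/2005  09:12 AM           982,016 kernel32.dll
03/17/2005  09:12 AM            20,480 svchost.exe
               2 File(s)      1,002,496 bytes

     Total Files Listed:
               2 File(s)      1,002,496 bytes
               1 Dir(s)  10,000,000,000 bytes free
"""

# Constructed sample: the same volume listed from a Windows PE boot CD, mounted as D:.
OFFLINE_LISTING = """\
 Volume in drive D has no label.
 Volume Serial Number is 1234-ABCD

 Directory of D:\\Windows\\System32

03/17/2005  10:00 AM    <DIR>          .
03/17/2005  10:00 AM    <DIR>          ..
03/16/2005  11:58 PM    <DIR>          hidden_dir_example
03/17/2005  09:12 AM           982,016 kernel32.dll
03/17/2005  09:12 AM            24,576 svchost.exe
03/16/2005  11:58 PM            40,960 hidden_example.sys
               3 File(s)      1,047,552 bytes

     Total Files Listed:
               3 File(s)      1,047,552 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""


def run_sample() -> Dict[str, List[str]]:
    return diff_listings(parse_dir_listing(LIVE_LISTING), parse_dir_listing(OFFLINE_LISTING))


if __name__ == "__main__":
    for category, paths in run_sample().items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

In practice you would redirect `dir /a /s C:\ > live.txt` on the running machine and `dir /a /s D:\ > offline.txt` from the PE environment, then feed both files to `parse_dir_listing`. Only the offline run is trustworthy, which is the point of the thread: any entry that appears in `hidden_from_live` or `size_mismatch` is something the live kernel is lying about, and that is what a file-integrity checker running under that same kernel cannot see.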

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
