Wednesday, May 28, 2008

The sky isn't falling yet, but it will

I was talking to Nico Fischbach about the IOS rootkit during PH-Neutral 0x7d8 while drinking some beer... A few after that, he sent me an email with a summary about the rootkit stuff and all the noise. The mail was sent to some mailing lists like Full Disclosure, and here is a link to it for those who didn't have the chance to read it.
The email is a good overview of the rootkit PoC and takes into consideration lots of security measures to detect an attack vector like image binary modification... but what if the same technique (finding strings to locate important functions) is applied on the fly or by shellcode?
He mentions that TCL scripts can be easily detected in the startup/running configuration, but what if the functions that read the startup file and display running processes are manipulated?
I don't want to start enumerating counter measures to the detection measures, because this is the same as the virii & AV race, where one creates a new way to infect a machine and the other creates a new way to detect it, and so on. Besides, Nico is right that it is 'noisy' to perform that kind of rootkit deployment, but as said before, what if this is performed using shellcode via a remote exploit?
Don't get me wrong, I really liked what Nico wrote, but I just want to say that there is always a way to enhance 'things' to bypass security, right?

Another important thing is to follow the Cisco security guidelines... just in case, because you never know if some inside user gets pissed off and installs it before leaving the company? :/

Tuesday, May 27, 2008

PH-Neutral 0x7d8 Soccer World Cup finals

Italian table soccer team (Igor - twiz) beats Argentinian team (shadown - topo) :(
Next year we'll have a rematch after some practice, of course... hahahaha
Here is a link to the YouTube video uploaded by a friend of mine (thanks Mario) in case you can't see the video below.

Friday, May 16, 2008

Rootkits on routers... uhm

Pretty noisy topic, right? Well, this is definitely not a new thing. Rootkits for IOS have existed for quite a few years, and that is what I told Sean when we talked about my presentation at EuSecWest, among some other things.

Remember the news about the stolen IOS source code? That definitely helped the bad guys, because reversing an entire IOS image was not necessary anymore... so what do you think the bad guys did with this source code? :P