Dailydave: Re: Two thoughts for the day:

From: Dave Aitel <dave_at_immunityinc.com>
Date: Mon, 28 Apr 2008 11:38:16 -0400

There's no paper out right now, although I am writing a generalized
overview to all the trojans in CANVAS today. Essentially the kernel
rootkit is very simple - it sits underneath the network layer polling
for trigger packets (UDP) which then can contain a command to tell it to
send a MOSDEF connection to a listening post. Also it can hide network
connections (ioctl-based command-set).

There's a lot more to do, of course, but the innovation in the CANVAS
trojan set is not in specialized hooking techniques or new feature sets,
but more in how the whole package integrates. You'll want to be able to
send messages over your internal RootkitBus via your HTTP-MOSDEF
callback, etc. As we integrate Immunity Debugger into CANVAS you'll see
lots of "specialized hook for X app" stuff come through. Trojans are
important and I've always felt that penetration testing kits leave them
a bit behind. We'll fix that. :>

You can always buy CANVAS Early Updates and test it for yourself. :>

Of course, it breaks the CANVAS license for AV vendors to write
signatures for CANVAS, so there won't be any "CANVAS Rootkit"
signatures, although we do get picked up by generic signatures for
things sometimes.

-dave

|
| Is there a technical paper about your Kernel Rootkit available somewhere?
|
| joanna.
_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave


Received on Apr 28 2008
