Thursday, November 13, 2008

Rootkit Detection For Free

During an engagement not long ago, the customer's IT staff had collected some of the suspect network traffic, and then, using the source IP address from the capture, located the system in question and ran "netstat -ano" on it to prove that the traffic really did originate from that system (the -o switch lists the PID that owns each connection). Task Manager and tasklist.exe also showed the process with the PID seen in the netstat output.

What does this have to do with rootkits? Well, it proves that they didn't have one! I can't tell you the number of times someone's said to me, "I didn't see anything suspicious, so it must be a rootkit." Yeah, and if I turn my face toward the monitor and close my eyes, and don't see any unusual processes (or anything else for that matter), does that mean that there must be a rootkit on the system?
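The check the IT staff did by hand, written out as an added example (this is not code from the post or from its author): take the remote address seen in the capture, find the connection to it in "netstat -ano" output, read off the owning PID, and confirm that "tasklist" shows a process with that PID. The netstat and tasklist listings, the PIDs and the image names below are all constructed samples; the `find_owner`, `parse_netstat` and `parse_tasklist` functions are assumptions of this example. The interesting result is the negative one: a PID that owns a socket but is absent from tasklist is a real discrepancy worth chasing, whereas a PID that appears in both, as in the post, is exactly what the author describes.

```python
import re
from collections import namedtuple

# Constructed sample of "netstat -ano" output (not captured from the post's engagement).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.25:1047      203.0.113.44:6667      ESTABLISHED     2312
  TCP    192.168.1.25:1052      198.51.100.7:443       ESTABLISHED     1704
  UDP    0.0.0.0:500            *:*                                    1140
"""

# Constructed sample of "tasklist" output in which every PID from netstat is present.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    892 Console                    0      5,120 K
lsass.exe                     1140 Console                    0      1,200 K
iexplore.exe                  1704 Console                    0     22,488 K
suspect.exe                   2312 Console                    0      3,904 K
"""

# The same listing with PID 2312 absent: the kind of discrepancy that would actually
# justify looking for something that hides processes.
TASKLIST_MISSING_2312 = "\n".join(
    line for line in TASKLIST_OUTPUT.splitlines() if not line.startswith("suspect.exe")
)

Conn = namedtuple("Conn", "proto local foreign state pid")

# One socket row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# One tasklist row: image name, PID, session name, session number, memory usage.
TASKLIST_RE = re.compile(r"^(.*?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s*$")


def parse_netstat(text):
    """Return one Conn per socket line of 'netstat -ano' output; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append(Conn(proto, local, foreign, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist' output, skipping the header and separator rows."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def split_endpoint(endpoint):
    """'203.0.113.44:6667' -> ('203.0.113.44', '6667'); also handles '[::1]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def find_owner(netstat_text, tasklist_text, remote_ip, remote_port=None):
    """Connections to remote_ip (and remote_port, if given), each with the owning PID and
    whether tasklist lists that PID. visible_in_tasklist=False is the gap to investigate."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        host, port = split_endpoint(c.foreign)
        if host != remote_ip or (remote_port is not None and port != str(remote_port)):
            continue
        hits.append({
            "proto": c.proto, "local": c.local, "foreign": c.foreign, "state": c.state,
            "pid": c.pid,
            "image": procs.get(c.pid),            # None when tasklist did not list the PID
            "visible_in_tasklist": c.pid in procs,
        })
    return hits


if __name__ == "__main__":
    # First listing reproduces the post's outcome; second shows the discrepancy case.
    for listing in (TASKLIST_OUTPUT, TASKLIST_MISSING_2312):
        for hit in find_owner(NETSTAT_OUTPUT, listing, "203.0.113.44", 6667):
            print(hit)
```

Both listings should be taken from the same moment on the live host, because a connection that has since closed or a process that has since exited produces the same "missing" result without any hiding going on; a PID present in netstat and absent from tasklist is a reason to collect more, not a verdict.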

Well, all I can say is that the simplicity of that finding made it all the more awesome...

