Comments on Windows Incident Response: Week in Review, plus some

Anonymous (Rossetoecioccolato), 2006-08-14 16:18 -05:00:

I was more impressed by this quote from the Mandia interview: "'We're not seeing any kernel level rootkits [for Windows], but the user space stuff is working well enough that it doesn't matter,' he said." I recently found a kernel mode rootkit on my neighbor's 13-year-old daughter's computer (albeit the Sony DRM rootkit). This shows the penetration of this technology into the market. There is certainly a lot of effort going into developing Windows kernel mode rootkits at the moment and it would be surprising not to find them on high value targets. Is it that the rootkits are not there? Or is Kevin just not *seeing* them? :-)

-Rossetoecioccolato.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2006-08-14 17:01 -05:00:

Interesting comment...and thank you. You bring up a very important point, even tangentially.

Kevin is a responder, much like myself. I firmly believe that we are not seeing these, b/c our clients are not seeing them. Even folks who aren't clients are probably seeing something unusual that they can't explain, and because spending money on security has no discernable ROI, they reload the system from clean media and put the system right back into service.