Re: Malicious javascript obfuscation

It is possible to insert a piece of malicious code, subsequent to gaining
access via the initial exploit code, and that such code can be hidden by a
rootkit, and can sit as a hidden process or as a time activated piece of
code, and wait till an internet connection is available to stream out cached
keystroke logs or any other local data via http to a remote server.
It would be virtually undetectable without running process mons, rootkit
mons, file mons, network mons 24x7 and analysing every single file touch,
reg touch and byte sent. Even then... it may check for the presence of such
tools and not activate or send data when present.
The bottom line is this.
The machine had this vulnerability SINCE THE DAY YOU BUILT IT.
Exploit code was used to compromise this machine.
You have no idea how many times (above the single detected instance) this
vulnerable machine has been compromised using this, or any other
vulnerability, both currently known or yet to be announced.
All code changes made since the machine was built are not known, since you
have not been monitoring every single byte of code change, and even then,
the code changes may have been hidden from such tools.
QED - a machine hosting vulnerable code, once compromised, remains
compromised even after the vulnerability is closed, and the known exploit
code removed.
I reiterate:
1. Format
2. Rebuild the os
3. Patch to the latest
4. Ensure firewall policies lock access
This is the only way to clean such an exploit infection. Even this will not
prevent the next 0day exploit.
Do you have any idea how much exploitable code Microsoft have released
patches for since the initial release of their o/s? Think about it. This
exploitable code has been in existence, on every single machine with this
build, since day one.
The fact that someone has announced it to M$, and M$ release a patch, means
only that the hole is now closed. That window of opportunity for exploit has
existed SINCE DAY ONE to the latest 'patch tuesday'.
Do you have any idea how long hackers have been using malicious code to exploit
vulnerable M$ code, roaming undetected before such a hole becomes noticed or
announced, and then a fix is put in place? That's YEARS of opportunity to
exploit such holes.
Your assertion that you 'know your machine' and are emphatic about its
current trustworthy state is naive, untenable and illogical given the
above.
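Steps 3 and 4 of the rebuild list above (patch, then lock access with firewall policy) are easy to state and easy to get wrong, because a fresh Windows install ships with permissive inbound rules re-enabled. The following PowerShell is an added example and is not part of the original post or written by its author. It assumes a freshly rebuilt Windows 8 / Server 2012 or later host with the built-in NetSecurity module, run from an elevated session, and it uses a hypothetical management subnet 10.0.0.0/24 as the only source allowed to reach RDP; adjust both to the real environment.

```powershell
# Added example (not from the original post): post-rebuild firewall lockdown.
# Requires an elevated PowerShell session and the NetSecurity module.
# Assumption (hypothetical): administration comes from 10.0.0.0/24 over RDP.

$MgmtSubnet = '10.0.0.0/24'   # assumed management network, change to suit

# Step 3 check: confirm the host is actually patched before it is exposed.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn

# Step 4a: default-deny inbound on every profile and log what gets dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Step 4b: a rebuild brings back the stock permissive rule groups; disable them
# so the only path in is the narrow rule created below.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.Group -match 'Remote Desktop|File and Printer Sharing|Remote Assistance' } |
    Disable-NetFirewallRule

New-NetFirewallRule -DisplayName 'Allow RDP from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain, Private

# Verify: every profile must show Enabled=True and DefaultInboundAction=Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Verify: enumerate what is still reachable inbound after the lockdown, so any
# stray allow rule is visible before the host goes back on the network.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
```

The outbound default is left at Allow here because a default-deny outbound policy needs a per-application allow list to remain usable; it is the stronger setting against the kind of "wait for a connection, then stream keystrokes out over http" behaviour the post describes, and is worth the effort on hosts that do not need general internet access. The final enumeration is the part to keep: a lockdown that is not verified afterwards is only a belief about the machine's state, which is exactly what the post warns against.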