Orange County Security SIG

Notes and comments of a Special Interest Group on computer security.

June 19, 2006


Rootkits, Pathlock, and Winpatrol

This month we looked at rootkits, a way to physically secure a machine, a brief look at WinPatrol, and other tools that can be used to figure out what a program is actually doing on a computer.

After defining the term ROOTKIT for members who were not aware of that nomenclature, we went into the saga that Sony's DRM caused. We looked at Mark Russinovich's BLOG to see what he said about it. He explains how he found the infection in tremendous detail. If you want to know what goes on in Windows, his web site and BLOG are excellent resources.

Someone asked how to physically turn a network connection on/off without having to detach the cord. The product that Steve Gibson recommended to us years ago was mentioned: PATHLOCK. The version I bought had a physical button on top, but other products had an inactivity timer. But its web site is down and any references I can find are from 2001 and 2002. So who knows what happened to the company.

The topic switched to backdoor BIOS passwords. A box can be secured by setting the BIOS so it can't be altered without a password. Without that, it is possible to turn CD-ROM boot on and boot another operating system, so someone will have access to all your data while bypassing any security protections in place for Windows. Or a virus might hide in the BIOS if it can write to it. The problem is that people forget their password, and resetting the password is a major pain. To reset the password you have to take apart the whole computer and jump through a bunch of hoops the vendor wants you to. Or you could just pull the battery off the motherboard and wait about 30 seconds. Another option is for the BIOS vendors to put a backdoor password in the BIOS. We looked at instructions on the Internet on how to use that backdoor to break into a machine with an ADI BIOS. A real boon to hackers.

The free version of WINPATROL has been a very nice addition to my own computer in the last month. Not only does it give me easy access to a list of startup programs, IE helpers, and other tasks that I find needed in a Windows environment; it also has warned me of scripts that I run. So far they were all legit scripts that I intentionally ran, but I assume it would also catch scripts that are not legit. Having another layer of protection makes me a little more at ease. While I don't like the delay between checks (when WinPatrol is on patrol), another member didn't like the resources it uses. He used the commercial version for Win98 so there might be some difference.
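As an added illustration of the kind of check WinPatrol performs between its patrols (example code written for these notes, not WinPatrol's own), this PowerShell script snapshots the Run keys and the IE Browser Helper Objects and reports anything that appeared or changed since the last run. The baseline file location is an arbitrary choice, and the script assumes PowerShell 5 or later.

```powershell
# Added example (not from the SIG notes or from WinPatrol): snapshot the
# autostart locations WinPatrol watches and report what changed since last run.
# $BaselinePath is an arbitrary location chosen for this example.
$BaselinePath = "$env:LOCALAPPDATA\startup-baseline.json"

# Autostart locations discussed in the notes: Run keys and IE Browser Helper Objects.
$RunKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-AutostartSnapshot {
    $entries = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $entries["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    if (Test-Path $BhoKey) {
        foreach ($clsid in Get-ChildItem -Path $BhoKey) {
            # Resolve each BHO CLSID to its DLL so a swapped DLL path shows up as a change.
            $srv = Get-ItemProperty -Path "HKLM:\Software\Classes\CLSID\$($clsid.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
            $entries["BHO\$($clsid.PSChildName)"] = [string]$srv.'(default)'
        }
    }
    return $entries
}

$current = Get-AutostartSnapshot
if (Test-Path $BaselinePath) {
    $baseline = @{}
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object { $baseline[$_.Name] = $_.Value }
    foreach ($name in $current.Keys) {
        if (-not $baseline.ContainsKey($name)) { Write-Warning "NEW autostart entry: $name = $($current[$name])" }
        elseif ($baseline[$name] -ne $current[$name]) { Write-Warning "CHANGED: $name now = $($current[$name])" }
    }
    foreach ($name in $baseline.Keys) {
        if (-not $current.ContainsKey($name)) { Write-Output "Removed: $name" }
    }
} else { Write-Output "No baseline yet; saving current snapshot to $BaselinePath" }
# Persist this run as the baseline for the next patrol.
$current | ConvertTo-Json | Set-Content -Path $BaselinePath
```

Run it once to record a baseline, then on a schedule; a NEW or CHANGED warning is the cue to look at the entry before the program it names runs again.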

Web sites:

System Internals
WinPatrol
Pathlock (it doesn't seem to be working now)




Experience the computer club and all its SIG groups that meet at Chapman University, California on the 1st Sunday of every month.

SECSIG meets in the Science building 203 at 11:15 am.

By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.

The RSS feed address is http://ocsecsig.blogspot.com/atom.xml

Dave Keays, SIG leader
