Forgot your password?
typodupeerror
Worms

http's Journal: Is this a brand new rootkit? 2

Journal by http
Brief rundown:
Drive has its partition table written 'backwards', as (and this is from memory)
partition start end size
hda2: 247 17309 80448
hda1: ..1 ..246 1998
the bios boots from hda1 (in windows) but goes to GREAT lengths to conceal that partition from every tool in windows, and give the impression that you've booted from hda2 and that's the only thing that's on the hard drive. It included, as near as I can tell, an irc client, a webserver and an ftp drop box that hides quite well from task manager. But nothing hides from a trusted GNU/Linux installation CD! Managed to tarball the contents of the secret partition for later study, but after I and my bestfriend Windows tech lost four days fucking with it, she finally said, "Nuke it from orbit, it's the only way to be sure."
She also came up with an interesting theory or two. The machine was bought (by her mother) as a demo model, and may have been a refurbished return. The original purchaser installed the root kit and returned it, to use the next unsuspecting granny's bandwidth to serve up kiddie porn. Alternately, a Staples tech or sales agent had installed it for the same reason. Yes, that truly unethical, but I mean, for $8.00 an hour, can you blame them much?

Any thoughts on this, or knowledge?
This discussion has been archived. No new comments can be posted.

Is this a brand new rootkit?

Comments Filter:
  • Hope you saved an image of the partition in question, just in case *ahem* you ever have to return anything to the store in question and need some "leverage".
    • D'oh! Well, just a copy of all the files appearing on the NTFS file system, which appeared to be the right size for the partition. Mouse is emailing me the tarball later tonight.

Little known fact about Middle Earth: The Hobbits had a very sophisticated computer network! It was a Tolkien Ring...

Working...