
dressing. As an author, I'm merely acting as a broker and will provide this information to whomever wants it. The fact is that rootkit technology is powerful and potentially dangerous. Like any other tool of this sort, both sides of the law take a peculiar (almost morbid) interest in it.

1.5 Tales from the Crypt: Battlefield Triage

When I enlisted as an IT foot soldier at San Francisco State University, it was like being airlifted to a hot landing zone. Bullets were flying everywhere. The university's network (a collection of subnets in a class B address range) didn't have a firewall to speak of, not even a Network Address Translation (NAT) device. Thousands of machines were just sitting out in the open with public IP addresses. In so many words, we were free game for every script kiddy and bot herder on the planet.

The college that hired me manages roughly 500 desktop machines and a rack of servers. At the time, these computers were being held down by a lone system administrator and a contingent of student assistants. To be honest, faced with this kind of workload, the best that this guy could hope to do was to focus on the visible problems and pray that the less conspicuous problems didn't creep up and bite him in the backside. The caveat of this mindset is that it tends to allow the smaller fires to grow into larger fires, until the fires unite into one big firestorm. But, then again, who doesn't like a good train wreck?

It was in this chaotic environment that I ended up on the receiving end of attacks that used rootkit technology. A couple of weeks into the job, a co-worker and I found the remnants of an intrusion on our main file server. The evidence was stashed in the System Volume Information directory. This is one of those proprietary spots that Windows wants you blissfully to ignore. According to Microsoft's online documentation, the System Volume Information folder is "a hidden system folder that the System Restore tool uses to store its information and restore points."[51]

The official documentation also states that "you might need to gain access to this folder for troubleshooting purposes." Normally, only the operating system has permissions to this folder, and many system administrators simply dismiss it (making it the perfect place to stash hack tools).

51. Microsoft Corporation, How to gain access to the System Volume Information folder, Knowledge Base Article 309531, May 7, 2007.
