Security Basics mailing list archives

Re[2]: computer with rootkit?


From: Adam Pal <pal_adam () gmx net>
Date: Thu, 29 Sep 2011 19:40:10 +0200

Hello Jamie,

Your statement is not correct. Rootkits don't come alone, they use
worms, botnets, droppers, polymorphic encryption, basically all
available techniques.
Usual drivers and system files are being replaced; simple registry
entries as mentioned in the list are no longer in use, the malware
uses much more sophisticated ways to conceal its presence.
Are you sure that combofix uses no system calls/libraries?

Those who have suggested a reinstall have experience in working
environments and know that a system outage means to lose time, which
means to lose money. To replace the system using a default image
(part of BCM/DRP) is a matter of minutes.

Please don't take me wrong, but those who underestimate a rootkit
infection should be ashamed.


kind regards,
Adam Pal

Thursday, September 29, 2011, 6:35:31 PM, you wrote:

<==============Original message text===============
JI> Clearly you don't have any experience with rootkits. If one were
JI> to get loaded from boot (bootkit) to initialize a driver or hook a
JI> driver, once the kernel SSDT gets modified your process list
JI> becomes inaccurate. You cannot perform *ANY* rootkit removal on an
JI> active system or your changes will be nullified by monitoring hooks.

JI> You need an offline environment like the Hirens boot CD to load a
JI> portable environment. Not only wipe the mbr but check loaded
JI> drivers at each runlevel then check local user and global registry
JI> startup points. Also a system file check to verify/replace
JI> modified system files. Then, and only then, you can even run your
JI> malware finders such as combofix, malwarebytes antimalware, and spybot s&d.

JI> Repairing a rootkit infection is not that difficult. I've been
JI> reverse engineering them for years. Those who have suggested a reinstall should be ashamed.
JI> Jamie Ivanov / KC9LFD
JI> m.608.399.4252
JI> Blackberry: 32DD619E
JI> http://www.linkedin.com/in/jamieivanov

JI> -----Original Message-----
JI> From: Brian Rogalski <brogalski () bkrservices com>
JI> Sender: listbounce () securityfocus com
JI> Date: Thu, 29 Sep 2011 07:01:20 
JI> To: security basics<security-basics () securityfocus com>
JI> Subject: RE: computer with rootkit?

JI> There are a few things that you could try...

JI> Use tools like process hacker, what's running, capture bat and regshot ...
JI> Process explorer and process monitor can tell you what path and device
JI> files are being used. Also look at the

JI> (HKLM\currentversion\microsoft\windows\software\run) key in the registry
JI> ... most malicious program want to stay resident after a reboot... You can
JI> use a tool called autoruns at well.

JI> It looks like you may have a Kernel mode root kit. There is only so far
JI> that those tools will take you .. To complete your process you are going
JI> to have to dump the executable to a unaffected machine and perform more
JI> behavioral analysis follow by code and memory forensics.

JI> Hope that helps

JI> Brian



<===========End of original message text===========
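The registry startup points Brian mentions (HKLM/HKCU Run and RunOnce keys) can be triaged in one pass. This is an added example, not code posted by anyone in the thread; it assumes a Windows host with PowerShell and lists each autorun entry together with the Authenticode status of the executable it points to, flagging entries whose image is missing or unsigned. As Jamie notes, on a live system with kernel hooks in place such a listing can itself be tampered with, so the output is only trustworthy when taken from an offline environment.

```powershell
# Added example (not from the thread): enumerate common per-machine and per-user
# Run/RunOnce startup points and report the signature status of each image.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$command) {
    # Extract the executable path from a command line (quoted or unquoted form).
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
            if ($p.Name -like 'PS*') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $p.Value))
            $status = 'MissingImage'
            if (Test-Path -LiteralPath $exe) {
                $status = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Image   = $exe
                Status  = $status
            }
        }
    }
}

# Anything that is not 'Valid' (NotSigned, HashMismatch, MissingImage, ...)
# deserves a closer look; compare against a known-good snapshot of the same keys.
Get-AutorunReport | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

A clean signature is not proof of innocence and a missing image is not proof of infection; the report is a starting point for the behavioural and memory analysis Brian describes, not a verdict.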




