Security Basics mailing list archives
Re: Re[2]: computer with rootkit?
From: "Jamie Ivanov" <jamie.ivanov () gmail com>
Date: Thu, 29 Sep 2011 17:47:59 +0000
I never said they came alone, don't twist my words. I didn't feel like giving a whole history or breakdown on malicious software. My point is that combofix, like the others, should not be trusted in a hot and infected system. I've seen combofix miss major infections. A great product, yes. Nothing I said was comprehensive, so quit treating it as such.

As far as downtime, I'm well aware. Fixing a rootkit and analyzing the registry can be done in a half hour or less and a system can be returned to production status. Rebuilding a system can take hours, from the image deployment or RIS to updates to policies to deployed software. I'm used to working in large corporate environments. I'm well aware of all of this.

I don't underestimate them, I admire them. Which is why I've spent my time on the other side of the field and reverse engineer these infections. They are beautiful, but once you understand how they work in an operating system, it's simply no longer a big deal and rather easy to remove.

Jamie Ivanov / KC9LFD
m.608.399.4252
Blackberry: 32DD619E
http://www.linkedin.com/in/jamieivanov
-- -- -- -- -- -- -- -- -- -- -- --
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
Sent from my BlackBerry

-----Original Message-----
From: Adam Pal <pal_adam () gmx net>
Date: Thu, 29 Sep 2011 19:40:10
To: Jamie Ivanov <jamie.ivanov () gmail com>
Reply-To: Adam Pal <pal_adam () gmx net>
Cc: Brian Rogalski <brogalski () bkrservices com>; <listbounce () securityfocus com>; security basics <security-basics () securityfocus com>
Subject: Re[2]: computer with rootkit?

Hello Jamie,

Your statement is not correct. Rootkits don't come alone; they use worms, botnets, droppers, polymorphic encryption, basically all available techniques. Usual drivers and system files are being replaced; simple registry entries as mentioned in the list are no longer in use, the malware uses much more sophisticated ways to conceal its presence. Are you sure that combofix uses no system calls/libraries?

Those who have suggested a reinstall have experience in working environments and know that a system outage means to lose time, which means to lose money. To replace the system using a default image (part of BCM/DRP) is a matter of minutes.

Please don't take me wrong, but those who underestimate a rootkit infection should be ashamed.

kind regards,
Adam Pal

Thursday, September 29, 2011, 6:35:31 PM, you wrote:

<==============Original message text===============
JI> Clearly you don't have any experience with rootkits. If one were
JI> to get loaded from boot (bootkit) to initialize a driver or hook a
JI> driver, once the kernel SSDT gets modified your process list
JI> becomes inaccurate. You cannot perform *ANY* rootkit removal on an
JI> active system or your changes will be nullified by monitoring hooks.
JI> You need an offline environment like the Hiren's boot CD to load a
JI> portable environment. Not only wipe the MBR but check loaded
JI> drivers at each runlevel, then check local user and global registry
JI> startup points. Also a system file check to verify/replace
JI> modified system files.
JI> Then, and only then, you can even run your
JI> malware finders such as combofix, malwarebytes antimalware, and spybot s&d.
JI> Repairing a rootkit infection is not that difficult. I've been
JI> reverse engineering them for years. Those who have suggested a reinstall should be ashamed.
JI>
JI> Jamie Ivanov / KC9LFD
JI> m.608.399.4252
JI> Blackberry: 32DD619E
JI> http://www.linkedin.com/in/jamieivanov
JI> -- -- -- -- -- -- -- -- -- -- -- --
JI> Sent from my BlackBerry
JI>
JI> -----Original Message-----
JI> From: Brian Rogalski <brogalski () bkrservices com>
JI> Sender: listbounce () securityfocus com
JI> Date: Thu, 29 Sep 2011 07:01:20
JI> To: security basics <security-basics () securityfocus com>
JI> Subject: RE: computer with rootkit?
JI>
JI> There are a few things that you could try...
JI> Use tools like process hacker, what's running, capture bat and regshot ...
JI> Process explorer and process monitor can tell you what path and device
JI> files are being used. Also look at the
JI> (HKLM\currentversion\microsoft\windows\software\run) key in the registry
JI> ... most malicious programs want to stay resident after a reboot... You can
JI> use a tool called autoruns as well.
JI> It looks like you may have a kernel mode root kit. There is only so far
JI> that those tools will take you ..
JI> To complete your process you are going
JI> to have to dump the executable to an unaffected machine and perform more
JI> behavioral analysis followed by code and memory forensics.
JI> Hope that helps
JI> Brian
<===========End of original message text===========
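The offline procedure Jamie describes (boot a clean environment, check the drivers that load at each start type, check the machine-wide registry startup points, verify system files against known-good copies) and the Run key / Autoruns checks Brian mentions can be scripted so the infected kernel never gets a chance to filter what you see. The script below is an added example written for this page, not code posted by anyone in the thread. It is PowerShell meant to run from a WinPE-style boot environment with administrative rights. It assumes the infected Windows volume is mounted at D: and, optionally, a known-good installation of the same Windows build at E:; the hive mount names OffSW and OffSYS, the function names and the script parameters are this example's own choices. The Run key is read at Software\Microsoft\Windows\CurrentVersion\Run, which is where it lives in the SOFTWARE hive (the quoted message lists the same path components in a different order).

```powershell
# Added example (not from the original thread): offline rootkit triage of a
# mounted, non-running Windows volume from a boot environment such as WinPE.
# Assumptions (this example's own): infected volume at D:, optional known-good
# reference install of the same build at E:, hive mount names OffSW / OffSYS.
param(
    [string]$Volume    = 'D:',
    [string]$Reference = 'E:'   # pass '' to skip the known-good comparison
)

function Resolve-OfflinePath {
    # Map an ImagePath as stored in the registry (\SystemRoot\..., \??\C:\...,
    # C:\..., or a path relative to the Windows directory) onto the mounted volume.
    param([string]$ImagePath, [string]$Volume)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', "$Volume\Windows\"
    $p = $p -replace '^\\\?\?\\[A-Za-z]:\\', "$Volume\"
    $p = $p -replace '^[A-Za-z]:\\', "$Volume\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path "$Volume\Windows" $p }
    return $p
}

function Test-OfflineFile {
    # Authenticode status of the file plus, when a reference volume is given,
    # a SHA-256 comparison against the same relative path on the clean install.
    param([string]$Path, [string]$Volume, [string]$Reference)
    $result = [ordered]@{
        Path             = $Path
        Exists           = (Test-Path $Path)
        Signature        = 'n/a'
        Signer           = ''
        MatchesReference = 'n/a'
    }
    if (-not $result.Exists) { return [pscustomobject]$result }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Signature = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
    if ($Reference) {
        $ref = $Path -replace ('^' + [regex]::Escape($Volume)), $Reference
        if (Test-Path $ref) {
            $a = (Get-FileHash -Algorithm SHA256 $Path).Hash
            $b = (Get-FileHash -Algorithm SHA256 $ref).Hash
            $result.MatchesReference = ($a -eq $b)
        } else {
            $result.MatchesReference = 'no reference copy'
        }
    }
    return [pscustomobject]$result
}

# Mount the offline hives under names the live session does not use. The
# running (clean) kernel answers these queries, so hooks on the infected
# system cannot hide entries from us.
reg load HKLM\OffSW  "$Volume\Windows\System32\config\SOFTWARE" | Out-Null
reg load HKLM\OffSYS "$Volume\Windows\System32\config\SYSTEM"   | Out-Null
try {
    # 1. Machine-wide autostart values (32-bit apps on x64 live under
    #    Wow6432Node). Per-user Run keys are in each user's NTUSER.DAT.
    '== Autostart values =='
    foreach ($sub in 'Microsoft\Windows\CurrentVersion\Run',
                     'Microsoft\Windows\CurrentVersion\RunOnce',
                     'Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
        $key = "HKLM:\OffSW\$sub"
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty $key
        foreach ($name in (Get-Item $key).Property) {
            [pscustomobject]@{ Key = $sub; Name = $name; Command = $values.$name }
        }
    }

    # 2. Kernel-mode (Type 1) and file-system (Type 2) drivers whose Start
    #    type is 0 (boot), 1 (system) or 2 (auto): everything that loads
    #    before any user-mode scanner gets a look at the system.
    '== Drivers that load automatically =='
    $cs = '{0:D3}' -f (Get-ItemProperty 'HKLM:\OffSYS\Select').Current
    Get-ChildItem "HKLM:\OffSYS\ControlSet$cs\Services" | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath
        if (($svc.Type -band 3) -and ($svc.Start -in 0, 1, 2) -and $svc.ImagePath) {
            $file = Resolve-OfflinePath $svc.ImagePath $Volume
            $chk  = Test-OfflineFile $file $Volume $Reference
            [pscustomobject]@{
                Service          = $_.PSChildName
                Start            = $svc.Start
                File             = $chk.Path
                Exists           = $chk.Exists
                Signature        = $chk.Signature
                MatchesReference = $chk.MatchesReference
            }
        }
    } | Sort-Object Start | Format-Table -AutoSize
}
finally {
    reg unload HKLM\OffSW  | Out-Null
    reg unload HKLM\OffSYS | Out-Null
}
```

Run it from the boot environment as, for instance, `.\Offline-RootkitTriage.ps1 -Volume D: -Reference E:` (the script name is this example's). Two caveats a practitioner should keep in mind. First, Get-AuthenticodeSignature verifies catalog-signed files against the catalogs registered on the running system, and from WinPE the offline installation's catalogs are not registered, so most Microsoft inbox drivers will report NotSigned; that status by itself is not evidence of tampering, which is why the hash comparison against a known-good install of the same build is there, and why `sfc /scannow /offbootdir=D:\ /offwindir=D:\Windows` remains the authoritative offline system-file check. Second, a driver with a valid signature and a matching hash can still be loaded by a bootkit that lives in the MBR or VBR rather than in any file; those sectors are outside what this script inspects, and rewriting them (`bootrec /fixmbr` from WinRE) is a separate step. Per-user startup points need the same treatment with `reg load` on each `D:\Users\<name>\NTUSER.DAT`.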
Current thread:
- RE: computer with rootkit?, (continued)
- RE: computer with rootkit? Quigley, Joe (Sep 28)
- Re: computer with rootkit? admin lewis (Sep 28)
- Re: computer with rootkit? Matias Katz (Sep 28)
- Re: computer with rootkit? admin lewis (Sep 28)
- Re: computer with rootkit? Predrag Petrovic (Sep 28)
- Re: computer with rootkit? Francois Yang (Sep 28)
- RE: computer with rootkit? Steven Marco (Modern Compliance Solutions) (Sep 29)
- Re: computer with rootkit? Francois Yang (Sep 28)
- Re: computer with rootkit? Jamie Ivanov (Sep 28)
- RE: computer with rootkit? Brian Rogalski (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- Re[2]: computer with rootkit? Adam Pal (Sep 29)
- Re: Re[2]: computer with rootkit? Jamie Ivanov (Sep 29)
- RE: computer with rootkit? Dan Lynch (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- RE: computer with rootkit? Joe DeMarco (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- RE: computer with rootkit? Dan Lynch (Sep 30)
- Re: computer with rootkit? Security (Sep 30)
- Re: computer with rootkit? Jeff Stebelton (Sep 30)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- RE: computer with rootkit? Quigley, Joe (Sep 28)
- Re: computer with rootkit? Ansgar Wiechers (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- Re: computer with rootkit? Ansgar Wiechers (Sep 29)