Re: Re[2]: computer with rootkit?

["Jamie Ivanov" <jamie.ivanov () gmail com>]

I never said they came alone, don't twist my words. I didn't feel like giving a whole history or breakdown on malicious 
software. 

My point on combofix, like the others, should not be trusted in a hot and infected system. I've seen combofix miss 
major infections. A great product yes. Nothing what I said was comprehensive so quit treating it as such.

As far as downtime, I'm well aware. Fixing a rootkit and analyzing the registry can be done in a half hour or less and 
a system can be returned to production status. Rebuilding a system can take hours from the image deployment or RIS to 
updates to policies to deployed software. I'm used to working in large corporate environments. I'm well aware of all of 
this.

I don't underestimate them, I admire them. Which is why I've spent my time on the other side of field and reverse 
engineer these infections. They are beautiful but once you understand how they work in an operating system, its simply 
no longer a big deal and rather easy to remove.
Jamie Ivanov / KC9LFD
m.608.399.4252
Blackberry: 32DD619E
http://www.linkedin.com/in/jamieivanov
-- -- -- -- -- -- -- -- -- -- -- --
This transmission (including any attachments) may contain confidential information, privileged material (including 
material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any 
use of this information by anyone other than the intended recipient is prohibited. If you have received this 
transmission in error, please immediately reply to the sender and delete this information from your system. Use, 
dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be 
unlawful.

Sent from my BlackBerry

-----Original Message-----
From: Adam Pal <pal_adam () gmx net>
Date: Thu, 29 Sep 2011 19:40:10 
To: Jamie Ivanov<jamie.ivanov () gmail com>
Reply-To: Adam Pal <pal_adam () gmx net>
Cc: Brian Rogalski<brogalski () bkrservices com>; <listbounce () securityfocus com>; security basics<security-basics () 
securityfocus com>
Subject: Re[2]: computer with rootkit?

Hello Jamie,

Your statement is not correct. Rootkits dont come alone, they use
worms, botnets, dorppers, polymorphic encryption basicaly all
available techniques.
Usual drivers and system files are being replaced, simple registry
entries as mentioned in the list are not longer in use, the malware
use much more sophisticated ways to conceal its presence.
Are you sure that combofix use no system calls/libraries?

Those who have suggested a reinstall have experience in working
environments and know that a system outage means to loose time which
means to loose money. To replace the system using a default image
(part of BCM/DRP) is a mater of minutes.

Please dont take me wrong, but those who underestimate a rootkit
infection should be ashamed.


kind regards,
Adam Pal

Thursday, September 29, 2011, 6:35:31 PM, you wrote:

<==============Original message text===============
JI> Clearly you don't have any experience with rootkits. If one were
JI> to get loaded from boot (bootkit) to initialize a driver or hook a
JI> driver, once the kernel SSDT gets modified your process list
JI> becomes inaccurate. You cannot perform *ANY* rootkit removal on an
JI> active system or your changes will be nullified by monitoring hooks.

JI> You need an offline environment like the Hirens boot CD to load
JI> portable envoronment. Not only wipe the mbr but check loaded
JI> drivers at each runlevel then check local user and global registry
JI> startup points. Also a system file check to verify/replace
JI> modified system files. Then, and only then, you can even run your
JI> malware finders such as combofix, malwarebytes antimalware, and spybot s&d.

JI> Repairing a rootkit infection is not that difficult. I've been
JI> reverse engineering them for years. Those who have suggested a reinstall should be ashamed.
JI> Jamie Ivanov / KC9LFD
JI> m.608.399.4252
JI> Blackberry: 32DD619E
JI> http://www.linkedin.com/in/jamieivanov
JI> -- -- -- -- -- -- -- -- -- -- -- --
JI> This transmission (including any attachments) may contain
JI> confidential information, privileged material (including material
JI> protected by the solicitor-client or other applicable privileges),
JI> or constitute non-public information. Any use of this information
JI> by anyone other than the intended recipient is prohibited. If you
JI> have received this transmission in error, please immediately reply
JI> to the sender and delete this information from your system. Use,
JI> dissemination, distribution, or reproduction of this transmission
JI> by unintended recipients is not authorized and may be unlawful.

JI> Sent from my BlackBerry

JI> -----Original Message-----
JI> From: Brian Rogalski <brogalski () bkrservices com>
JI> Sender: listbounce () securityfocus com
JI> Date: Thu, 29 Sep 2011 07:01:20 
JI> To: security basics<security-basics () securityfocus com>
JI> Subject: RE: computer with rootkit?

JI> There are a few things that you could try...

JI> Use tools like process hacker, what's running, capture bat and regshot ...
JI> Process explorer and process monitor can tell you what path and device
JI> files are being used. Also look at the

JI> (HKLM\currentversion\microsoft\windows\software\run) key in the registry
JI> ... most malicious program want to stay resident after a reboot... You can
JI> use a tool called autoruns at well.

JI> It looks like you may have a Kernel mode root kit. There is only so far
JI> that those tools will take you .. To complete your process you are going
JI> to have to dump the executable to a unaffected machine and perform more
JI> behavioral analysis follow by code and memory forensics.

JI> Hope that helps

JI> Brian

JI> ------------------------------------------------------------------------
JI> Securing Apache Web Server with thawte Digital Certificate
JI> In this guide we examine the importance of Apache-SSL and who
JI> needs an SSL certificate.  We look at how SSL works, how it
JI> benefits your company and how your customers can tell if a site is
JI> secure. You will find out how to test, purchase, install and use a
JI> thawte Digital Certificate on your Apache web server. Throughout,
JI> best practices for set-up are highlighted to help you ensure
JI> efficient ongoing management of your encryption keys and digital certificates.

JI> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
JI> ------------------------------------------------------------------------


<===========End of original message text===========