Full Disclosure mailing list archives
RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses
From: James.Cupps () sappi com
Date: Thu, 23 Sep 2004 15:51:10 -0400
Some of them can (almost) hide from everything because of the way they integrate. Take Alpha for example. You aren't going to find it with any tools that a standard system has. OK if you had Tripwire with the right settings installed that would catch the initial deploy but not afterward because it is hiding access mechanisms using another method. Even hashes won't work for program execution detection very well. Ok so you argue that to find it all you have to do is name a file "_root_ ... Filename" and see if it disappears. That is true, but if you look at the source you will see that that is defined in the rk_ioman.c and rk_defence.c code. So you change that and remake. You can change it to whatever you want. Now you can't find it that way. (Same trick for the calc.exe piece but different subs) Of course there are some limitations here. Once a virus uses a specific make of it a signature that discovers the "keyphrase" of that make can be crafted for the AV. This is why I say it would be difficult to implement in a Virus. Basically you would have to build a complier (or at least the use of a generic one into it as well). Another option is morphic code that is self referencing. Both of those options take this well out of script kiddie land. + size + complexity + |small potential developer community| + |lack of existing code| + exploitation time => less successful virus risk That is just one example, there are dozens of them out there publicly probably hundreds privately and the real point is that money will make them better (worse). You are right when you say that they cannot be "completely" invisible (that would make them useless) but in the Win world even one that makes Task manager, Regedit and filemanager / CLI useless creates significant troubleshooting problems for normal admins. Add to the possibility of having to customize AV monitoring mechanisms away from the standard windows Dll's and you get some problems. The possible combinations invoke visions of scary viruses. James Cupps Information Security Officer -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of GuidoZ Sent: Thursday, September 23, 2004 12:54 PM To: Matt Cc: Will Image; full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses
It is quite possible to hide processes, reg keys and files, and is often done by various malware.
Aye. I didn't word my statements correctly. (Was tired... =P ) You are very much correct. I guess I was trying to speak along the lines of AV detection and forensics. I've yet to find a rootkit, spyware, or malware that is COMPLETLY hidden, in every aspect, from the user. There is always a way to find it. Granted, they can bypass the "usual means" (regedit, taskmanager, etc) in Windows, however there are specialized tools (process viewers for example) that show hidden processes. What I meant to express is they seem to claim being able to hide from everything. (Even if an AV solution detected the very program they use as an installer.) That, I doubt. To save someone else from saying this, I'll reply to my own comment. =)
I've yet to find a rootkit, spyware, or malware that is COMPLETLY hidden, in every aspect, from the user.
Well, DUH. How could you find it if it was COMPLETELY hidden? ;) Clarification: The user and a sysadmin that has a clue are two very different people.) -- Peace. ~G On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt () systemlinux net> wrote:
GuidoZ wrote:Interesting indeed. Although, I imagine this was a spam email, and I never believe (nor buy) anything from spam. I wondr how credible this really is. If there was such a way to do what they claim, don't you think it would have been big news? >One would think you wouldn't first hear about it through spam.It is quite possible to hide processes, reg keys and files, and is often done by various malware.Also - nice website they have. http://www.randexsoft.com
<http://www.randexsoft.com> Simply says:
Access Forbidden -- Go away. I love a company who is customer friendly. -- Peace. ~G On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image <xillwillx () yahoo com> wrote:I recieved this in my inbox today: how long do you think this company will last?Date: Wed, 22 Sep 2004 19:02:44 -0400 From: Jacques Tremblay <jacques.tremblay () gmail com> To: xillwillx () yahoo com Subject: Hide your adware from all Adware removers and Anti-viruses To: Business development manager Subject: Hide your adware from all Adware removers and Anti-viruses Hi, Adware removers are gaining in popularity and they cause a big revenue threat to adware based businesses, as we see our software installations get desinstalled after a period of time that is shorter and shorter, we see our revenues get smaller and smaller. Why would an honest adware based business lose revenue just because some adware remover has identifyed it as being something to remove ? We beleive we have the right to hide from these adware removers as long as we provide a way for the user to uninstall and that he agrees that the software will be uninstalled only with the provided uninstaller. It is in that spirit that we created the solution to the problem : AdProtector 1.2 We have developed software capable of hiding your software from all adware removers and anti-viruses on a Windows NT/2000/2003/XP machine. Basically we have filtered the windows kernel so that we could mofify the behavior of the system itself. So now we can hide anything we want from windows. It can : - Hide Registry Keys - Hide Files - Hide Processes By hiding these 3 key elements from windows, your application won't ever be detected by any adware removers. Interesting ? For more information or to resquest a Demo : email : hexa () randexsoft com Business is moving fast, keep ahead of the competition!_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
<http://lists.netsys.com/full-disclosure-charter.html>
-- Peace. ~G _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html <http://lists.netsys.com/full-disclosure-charter.html> This message may contain information which is private, privileged or confidential and is intended solely for the use of the individual or entity named in the message. If you are not the intended recipient of this message, please notify the sender thereof and destroy / delete the message. Neither the sender nor Sappi Limited (including its subsidiaries and associated companies) shall incur any liability resulting directly or indirectly from accessing any of the attached files which may contain a virus or the like.
Current thread:
- RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses James . Cupps (Sep 23)
- RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Harlan Carvey (Sep 23)
- <Possible follow-ups>
- RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses James . Cupps (Sep 23)
- RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Harlan Carvey (Sep 23)