RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

[James.Cupps () sappi com]

Some of them can (almost) hide from everything because of the way they
integrate. Take Alpha for example. You aren't going to find it with any
tools that a standard system has. OK if you had Tripwire with the right
settings installed that would catch the initial deploy but not afterward
because it is hiding access mechanisms using another method. Even hashes
won't work for program execution detection very well. 

 

Ok so you argue that to find it all you have to do is name a file "_root_
... Filename" and see if it disappears. That is true, but if you look at the
source you will see that that is defined in the rk_ioman.c and rk_defence.c
code. So you change that and remake. You can change it to whatever you want.
Now you can't find it that way. (Same trick for the calc.exe piece but
different subs) 

 

Of course there are some limitations here. Once a virus uses a specific make
of it a signature that discovers the "keyphrase" of that make can be crafted
for the AV. This is why I say it would be difficult to implement in a Virus.
Basically you would have to build a complier (or at least the use of a
generic one into it as well). Another option is morphic code that is self
referencing. Both of those options take this well out of script kiddie land.


 

+ size + complexity + |small potential developer community| + |lack of
existing code| + exploitation time => less successful virus risk

 

That is just one example, there are dozens of them out there publicly
probably hundreds privately and the real point is that money will make them
better (worse). 

 

You are right when you say that they cannot be "completely" invisible (that
would make them useless) but in the Win world even one that makes Task
manager,  Regedit and filemanager / CLI useless creates significant
troubleshooting problems for normal admins. Add to the possibility of having
to customize AV monitoring mechanisms away from the standard windows Dll's
and you get some problems.

 

The possible combinations invoke visions of scary viruses. 

 

James Cupps
Information Security Officer



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of GuidoZ
Sent: Thursday, September 23, 2004 12:54 PM
To: Matt
Cc: Will Image; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Rootkit For Spyware? Hide your adware from
all Adware removers and Anti-viruses

 

> It is quite possible to hide processes, reg keys and files, and is often
> done by various malware.

Aye. I didn't word my statements correctly. (Was tired... =P ) You are
very much correct.

I guess I was trying to speak along the lines of AV detection and
forensics. I've yet to find a rootkit, spyware, or malware that is
COMPLETLY hidden, in every aspect, from the user. There is always a
way to find it. Granted, they can bypass the "usual means" (regedit,
taskmanager, etc) in Windows, however there are specialized tools
(process viewers for example) that show hidden processes. What I meant
to express is they seem to claim being able to hide from everything.
(Even if an AV solution detected the very program they use as an
installer.) That, I doubt.


To save someone else from saying this, I'll reply to my own comment. =)

> I've yet to find a rootkit, spyware, or malware that is
> COMPLETLY hidden, in every aspect, from the user.

Well, DUH. How could you find it if it was COMPLETELY hidden? ;)
Clarification: The user and a sysadmin that has a clue are two very
different people.)

--
Peace. ~G


On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt () systemlinux net> wrote:
> GuidoZ wrote:
> > Interesting indeed. Although, I imagine this was a spam email, and I
> > never believe (nor buy) anything from spam. I wondr how credible this
> > really is. If there was such a way to do what they claim, don't you
> > think it would have been big news?  >One would think you wouldn't first
> > hear about it through spam.
> It is quite possible to hide processes, reg keys and files, and is often
> done by various malware.
>
> > Also - nice website they have. http://www.randexsoft.com
<http://www.randexsoft.com>  Simply says:
> > Access Forbidden -- Go away.
> >
> > I love a company who is customer friendly.
> >
> > --
> > Peace. ~G
> >
> >
> > On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image
> > <xillwillx () yahoo com> wrote:
> >
> > > I recieved this in my inbox today:
> > > how long do you think this company will last?
> > >
> > >
> > > > Date: Wed, 22 Sep 2004 19:02:44 -0400
> > > > From: Jacques Tremblay <jacques.tremblay () gmail com>
> > > > To: xillwillx () yahoo com
> > > > Subject: Hide your adware from all Adware removers
> > > > and Anti-viruses
> > > >
> > > > To: Business development manager
> > > >
> > > > Subject: Hide your adware from all Adware removers
> > > > and  Anti-viruses
> > > >
> > > >
> > > >
> > > > Hi,
> > > >       Adware removers are gaining in popularity and
> > > > they cause a big
> > > > revenue threat to adware based businesses, as we see
> > > > our software
> > > > installations get desinstalled after a period of
> > > > time that is shorter
> > > > and shorter, we see our revenues get smaller and
> > > > smaller.
> > > >
> > > >       Why would an honest adware based business
> > > > lose revenue just because
> > > > some adware remover has identifyed it as being
> > > > something to remove ?
> > > >
> > > >       We beleive we have the right to hide from
> > > > these adware removers as
> > > > long as we provide a way for the user to uninstall
> > > > and that he agrees
> > > > that the software will be uninstalled only with the
> > > > provided
> > > > uninstaller.
> > > >
> > > >       It is in that spirit that we created the
> > > > solution to the problem :
> > > >
> > > >
> > > > AdProtector 1.2
> > > >
> > > >
> > > >       We have developed software capable of hiding
> > > > your software from all
> > > > adware removers and anti-viruses on a Windows
> > > > NT/2000/2003/XP machine.
> > > >
> > > >       Basically we have filtered the windows kernel
> > > > so that we could mofify
> > > > the behavior of the system itself. So now we can
> > > > hide anything we want
> > > > from windows.
> > > >
> > > >                           It can :   - Hide Registry Keys
> > > >                                      - Hide Files
> > > >                                              - Hide Processes
> > > >
> > > >       By hiding these 3 key elements from windows,
> > > > your application won't
> > > > ever be detected by any adware removers.
> > > >
> > > >       Interesting ?
> > > >
> > > >       For more information or to resquest a Demo :
> > > >  email :
> > > > hexa () randexsoft com
> > > >
> > > > Business is moving fast, keep ahead of the
> > > > competition!
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
<http://lists.netsys.com/full-disclosure-charter.html> 
> >



--
Peace. ~G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
<http://lists.netsys.com/full-disclosure-charter.html> 

This message may contain information which is private, privileged or
confidential and is intended solely for the use of the individual or entity
named in the message. If you are not the intended recipient of this message,
please notify the sender thereof and destroy / delete the message. Neither
the sender nor Sappi Limited (including its subsidiaries and associated
companies) shall incur any liability resulting directly or indirectly from
accessing any of the attached files which may contain a virus or the like.