Full Disclosure mailing list archives

RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses


From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 23 Sep 2004 18:09:26 -0700 (PDT)


> Some of them can (almost) hide from everything because of the way they integrate.

Not everything...check out my book.

> Even hashes won't work for program execution detection very well.

I'm not entirely clear on how a hash of a file
pertains to detecting the execution of a program...can
you explain?
 
> Ok, so you argue that to find it all you have to do is name a file "_root_ ... Filename" and see if it disappears.

But that's *only* if you use Greg Hoglund's proof of
concept NT kernel-mode rootkit.  If someone has the
ability to install such a thing, they already have
greater control of the box than you do.

> Of course there are some limitations here. Once a virus uses a specific make of it, a signature that discovers the "keyphrase" of that make can be crafted for the AV.

Unless it's placed someplace on the system not viewed
by the A/V.  

> Another option is morphic code that is self referencing. Both of those options take this well out of script kiddie land.

Dude, I have to say...you crack me up!  Really!  So far, you've just been using incorrect terms in most cases...but now you're using partially correct ones (i.e., it's not "morphic", it's "polymorphic")...though I have no idea what you're referring to when you say "self referencing".

> You are right when you say that they cannot be "completely" invisible (that would make them useless), but in the Win world even one that makes Task Manager, Regedit and file manager / CLI useless creates significant troubleshooting problems for normal admins.

I'd agree with that, and include the fact that it can
be overcome with knowledge.  I've outlined a good deal
of this knowledge in my book, "Windows Forensics and
Incident Recovery".

> Add to the possibility of having to customize AV monitoring mechanisms away from the standard Windows DLLs and you get some problems.

???

> The possible combinations invoke visions of scary viruses.

Viruses don't scare me.  Worms and trojans do.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html