Full Disclosure mailing list archives
RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 23 Sep 2004 18:09:26 -0700 (PDT)
> Some of them can (almost) hide from everything because of the way they integrate.

Not everything...check out my book.

> Even hashes won't work for program execution detection very well.

I'm not entirely clear on how a hash of a file pertains to detecting the execution of a program...can you explain?

> OK, so you argue that to find it all you have to do is name a file "_root_ ... Filename" and see if it disappears.

But that's *only* if you use Greg Hoglund's proof-of-concept NT kernel-mode rootkit. If someone has the ability to install such a thing, they already have greater control of the box than you do.

> Of course there are some limitations here. Once a virus uses a specific make of it, a signature that discovers the "keyphrase" of that make can be crafted for the AV.

Unless it's placed someplace on the system not viewed by the A/V.

> Another option is morphic code that is self-referencing. Both of those options take this well out of script kiddie land.

Dude, I have to say...you crack me up! Really! So far, you've just been using incorrect terms in most cases...but now you're using partially correct ones (i.e., it's not "morphic", it's "polymorphic")...though I have no idea what you're referring to when you say "self-referencing".

> You are right when you say that they cannot be "completely" invisible (that would make them useless), but in the Win world even one that makes Task Manager, Regedit and the file manager / CLI useless creates significant troubleshooting problems for normal admins.

I'd agree with that, and include the fact that it can be overcome with knowledge. I've outlined a good deal of this knowledge in my book, "Windows Forensics and Incident Recovery".

> Add to that the possibility of having to customize AV monitoring mechanisms away from the standard Windows DLLs and you get some problems.

???

> The possible combinations invoke visions of scary viruses.

Viruses don't scare me. Worms and trojans do.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
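The "name a file `_root_...` and see if it disappears" check that the two posters argue about is a cross-view comparison: one view of the file system (directory enumeration, which a file-hiding rootkit hooks) is compared against another (a direct open or stat by name, which the hiding hook typically leaves alone). The Python below is an added example written for this archive page, not code from either poster; the `probe_hidden_prefix` function, the `_root_canary.txt` file name and the "suspicious" verdict are assumptions chosen for illustration. It generalizes the check to any list of name prefixes and reports a discrepancy rather than just "gone" or "not gone".

```python
"""Cross-view canary check for prefix-based file hiding (added example).

Creates a throwaway file whose name starts with a given prefix (the
"_root_" prefix from the thread by default), then compares two views:
  * enumeration: is the name returned by os.listdir() for the directory?
  * direct:      does os.path.isfile() on the full path succeed?
On a clean system both are True. A file that is reachable directly but
absent from the listing is the signal a hiding hook leaves behind.
"""
import os
import tempfile
from typing import Dict, Iterable

# Prefix used by Hoglund's proof-of-concept NT rootkit, as discussed in the thread.
DEFAULT_PREFIXES = ("_root_",)


def probe_hidden_prefix(directory: str, prefix: str) -> Dict[str, bool]:
    """Create a canary file with the given prefix and compare both views.

    Returns a dict with the two observations and a 'suspicious' verdict.
    The canary is always removed, even if a check raises.
    """
    name = prefix + "canary.txt"  # hypothetical canary name
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("canary\n")
    try:
        listed = name in os.listdir(directory)   # enumeration view
        direct = os.path.isfile(path)            # direct-by-name view
        return {
            "prefix": prefix,
            "listed": listed,
            "direct": direct,
            # Hidden from enumeration but still openable by name.
            "suspicious": direct and not listed,
        }
    finally:
        if os.path.exists(path):
            os.remove(path)


def run_probes(directory: str, prefixes: Iterable[str] = DEFAULT_PREFIXES):
    """Run the canary check for every prefix; returns a list of result dicts."""
    return [probe_hidden_prefix(directory, p) for p in prefixes]


if __name__ == "__main__":
    # Constructed sample run in a temporary directory; on a clean host every
    # prefix reports listed=True, direct=True, suspicious=False.
    with tempfile.TemporaryDirectory() as tmp:
        for result in run_probes(tmp, ("_root_", "$sys$")):
            verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
            print(f"{result['prefix']!r}: listed={result['listed']} "
                  f"direct={result['direct']} -> {verdict}")
```

The check only detects hooks that filter enumeration while leaving direct access intact, which is exactly Harlan's point: it is a test for one known proof-of-concept behaviour, not a general rootkit detector, and it tells you nothing about a hook that filters both views consistently.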
Current thread:
- RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses James . Cupps (Sep 23)
- RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Harlan Carvey (Sep 23)
- <Possible follow-ups>
- RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses James . Cupps (Sep 23)
- RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Harlan Carvey (Sep 23)