RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

["Todd Towles" <toddtowles () brookshires com>]

There are several areas that programs can use to hide from AV without
rootkits. ADS, System Info Volume, Trash, etc.
The scary part about rootkits becoming the norm in spyware is the
advancement that will take place. 
 
Once people start to pay for stuff, it gets better. Programmer will have
a reason to clean the code up and throw in the bells. Rootkits will
advance because of the money, just like botnets.

________________________________

From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
James.Cupps () sappi com
Sent: Thursday, September 23, 2004 2:51 PM
To: uberguidoz () gmail com; matt () systemlinux net
Cc: xillwillx () yahoo com; full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Rootkit For Spyware? Hide your adware
from all Adware removers and Anti-viruses



Some of them can (almost) hide from everything because of the way they
integrate. Take Alpha for example. You aren't going to find it with any
tools that a standard system has. OK if you had Tripwire with the right
settings installed that would catch the initial deploy but not afterward
because it is hiding access mechanisms using another method. Even hashes
won't work for program execution detection very well. 

 

Ok so you argue that to find it all you have to do is name a file
"_root_ ... Filename" and see if it disappears. That is true, but if you
look at the source you will see that that is defined in the rk_ioman.c
and rk_defence.c code. So you change that and remake. You can change it
to whatever you want. Now you can't find it that way. (Same trick for
the calc.exe piece but different subs) 

 

Of course there are some limitations here. Once a virus uses a specific
make of it a signature that discovers the "keyphrase" of that make can
be crafted for the AV. This is why I say it would be difficult to
implement in a Virus. Basically you would have to build a complier (or
at least the use of a generic one into it as well). Another option is
morphic code that is self referencing. Both of those options take this
well out of script kiddie land. 

 

+ size + complexity + |small potential developer community| + |lack of
existing code| + exploitation time => less successful virus risk

 

That is just one example, there are dozens of them out there publicly
probably hundreds privately and the real point is that money will make
them better (worse). 

 

You are right when you say that they cannot be "completely" invisible
(that would make them useless) but in the Win world even one that makes
Task manager,  Regedit and filemanager / CLI useless creates significant
troubleshooting problems for normal admins. Add to the possibility of
having to customize AV monitoring mechanisms away from the standard
windows Dll's and you get some problems.

 

The possible combinations invoke visions of scary viruses. 

 

James Cupps
Information Security Officer



-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of GuidoZ
Sent: Thursday, September 23, 2004 12:54 PM
To: Matt
Cc: Will Image; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Rootkit For Spyware? Hide your adware
from all Adware removers and Anti-viruses

 

> It is quite possible to hide processes, reg keys and files, and is
often
> done by various malware.

Aye. I didn't word my statements correctly. (Was tired... =P ) You are
very much correct.

I guess I was trying to speak along the lines of AV detection and
forensics. I've yet to find a rootkit, spyware, or malware that is
COMPLETLY hidden, in every aspect, from the user. There is always a
way to find it. Granted, they can bypass the "usual means" (regedit,
taskmanager, etc) in Windows, however there are specialized tools
(process viewers for example) that show hidden processes. What I meant
to express is they seem to claim being able to hide from everything.
(Even if an AV solution detected the very program they use as an
installer.) That, I doubt.


To save someone else from saying this, I'll reply to my own comment. =)

> I've yet to find a rootkit, spyware, or malware that is
> COMPLETLY hidden, in every aspect, from the user.

Well, DUH. How could you find it if it was COMPLETELY hidden? ;)
Clarification: The user and a sysadmin that has a clue are two very
different people.)

--
Peace. ~G


On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt () systemlinux net> wrote:
> GuidoZ wrote:
> > Interesting indeed. Although, I imagine this was a spam email, and I
> > never believe (nor buy) anything from spam. I wondr how credible
this
> > really is. If there was such a way to do what they claim, don't you
> > think it would have been big news?  >One would think you wouldn't
first
> > hear about it through spam.
> It is quite possible to hide processes, reg keys and files, and is
often
> done by various malware.
>
> > Also - nice website they have. http://www.randexsoft.com Simply
says:
> > Access Forbidden -- Go away.
> >
> > I love a company who is customer friendly.
> >
> > --
> > Peace. ~G
> >
> >
> > On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image
> > <xillwillx () yahoo com> wrote:
> >
> > > I recieved this in my inbox today:
> > > how long do you think this company will last?
> > >
> > >
> > > > Date: Wed, 22 Sep 2004 19:02:44 -0400
> > > > From: Jacques Tremblay <jacques.tremblay () gmail com>
> > > > To: xillwillx () yahoo com
> > > > Subject: Hide your adware from all Adware removers
> > > > and Anti-viruses
> > > >
> > > > To: Business development manager
> > > >
> > > > Subject: Hide your adware from all Adware removers
> > > > and  Anti-viruses
> > > >
> > > >
> > > >
> > > > Hi,
> > > >       Adware removers are gaining in popularity and
> > > > they cause a big
> > > > revenue threat to adware based businesses, as we see
> > > > our software
> > > > installations get desinstalled after a period of
> > > > time that is shorter
> > > > and shorter, we see our revenues get smaller and
> > > > smaller.
> > > >
> > > >       Why would an honest adware based business
> > > > lose revenue just because
> > > > some adware remover has identifyed it as being
> > > > something to remove ?
> > > >
> > > >       We beleive we have the right to hide from
> > > > these adware removers as
> > > > long as we provide a way for the user to uninstall
> > > > and that he agrees
> > > > that the software will be uninstalled only with the
> > > > provided
> > > > uninstaller.
> > > >
> > > >       It is in that spirit that we created the
> > > > solution to the problem :
> > > >
> > > >
> > > > AdProtector 1.2
> > > >
> > > >
> > > >       We have developed software capable of hiding
> > > > your software from all
> > > > adware removers and anti-viruses on a Windows
> > > > NT/2000/2003/XP machine.
> > > >
> > > >       Basically we have filtered the windows kernel
> > > > so that we could mofify
> > > > the behavior of the system itself. So now we can
> > > > hide anything we want
> > > > from windows.
> > > >
> > > >                           It can :   - Hide Registry Keys
> > > >                                      - Hide Files
> > > >                                              - Hide Processes
> > > >
> > > >       By hiding these 3 key elements from windows,
> > > > your application won't
> > > > ever be detected by any adware removers.
> > > >
> > > >       Interesting ?
> > > >
> > > >       For more information or to resquest a Demo :
> > > >  email :
> > > > hexa () randexsoft com
> > > >
> > > > Business is moving fast, keep ahead of the
> > > > competition!
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html



--
Peace. ~G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

This message may contain information which is private, privileged or
confidential and is intended solely for the use of the individual or
entity named in the message. If you are not the intended recipient of
this message, please notify the sender thereof and destroy / delete the
message. Neither the sender nor Sappi Limited (including its
subsidiaries and associated companies) shall incur any liability
resulting directly or indirectly from accessing any of the attached
files which may contain a virus or the like.