Full Disclosure mailing list archives
Re: unknown windows rootkit
From: "Elia Florio" <eflorio () edmaster it>
Date: Mon, 21 Nov 2005 12:11:13 +0200
It's a rootkit installed by Spyware.Apropos.C variant. http://securityresponse.symantec.com/avcenter/venc/data/spyware.apropos.c.html

It comes from a big bundle installer (typically 1,5 MB) that installs the spyware itself and its rootkit components. All the files (the downloader, the installer, the DLL) are encrypted with a small poly-packer (every downloaded sample looks different from each other). The program installs itself inside %ProgramFiles% and %System% and generates its names using standard legitimate names taken from existing programs (e.g. usb42prt.sys, volmndis.sys, amdrxdav.sys).

The SYS file (12 KB) is not a HackDefender strain, because the rootkit itself is protected with a VM layer: basically there is an instruction controller that executes the program flow in a specific instruction order, like a kind of virtual machine. In this way it's possible to generate a SYS driver that looks different each time, changing the block order of instructions (if you compare the rootkit files installed by different samples of the spyware they are different). Inside the rootkit there's a static string "Core. by Zufyxe".

The rootkit hooks "NdisAllocatePacket()" in KiServiceTable to intercept network traffic and uses one of the DLLs for inline hooking of registry/file APIs, hiding itself completely.

If you boot in safe mode the rootkit does not work; try to search for the spyware registry section HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME USED BY SPYWARE] and you will find all the installed files on the system (the SYS driver is configurable and it's programmed to start some executables at boot).

EF

________________________________________________
Message sent from Edizioni Master Webmail http://mbox.edmaster.it

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
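An added example, not from the original post, that turns the Safe Mode comparison Elia describes into a cross-view check: it snapshots the places the post names (HKLM\SOFTWARE subkeys, the Services tree where the SYS driver is registered, and the drivers directory with size, hash and signature status) once in Safe Mode and once in a normal boot, then reports what is visible only in Safe Mode, i.e. what the active rootkit hides. The script name, output path and JSON layout are assumptions.

```powershell
# Cross-view snapshot/diff for a rootkit that hides files and registry keys while
# running but is inactive in Safe Mode. Illustrative script written for this
# thread, not code from the original post. Usage (assumed script name view.ps1):
#   Safe Mode:   .\view.ps1 -Mode snapshot -Out C:\temp\safe.json
#   Normal boot: .\view.ps1 -Mode snapshot -Out C:\temp\normal.json
#   Then:        .\view.ps1 -Mode compare -SafeModeFile C:\temp\safe.json -NormalModeFile C:\temp\normal.json
param(
    [Parameter(Mandatory)][ValidateSet('snapshot','compare')][string]$Mode,
    [string]$Out = "$env:TEMP\view-$((Get-Date).ToString('yyyyMMdd-HHmmss')).json",
    [string]$SafeModeFile,
    [string]$NormalModeFile
)

function Get-View {
    # The three locations the post names: HKLM\SOFTWARE\<random name>, the
    # Services tree (driver registration) and the drivers directory.
    $view = [ordered]@{}
    $view.SoftwareKeys = @((Get-ChildItem 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue).PSChildName)
    $view.Services     = @((Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue).PSChildName)
    $files = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys -File -ErrorAction SilentlyContinue
    $view.Drivers = @(foreach ($f in $files) {
        # name|size|sha256|signature status: a repacked driver with a legitimate-looking
        # name still shows up as a new, unsigned, differently-hashed entry
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        '{0}|{1}|{2}|{3}' -f $f.Name, $f.Length, (Get-FileHash $f.FullName -Algorithm SHA256).Hash, $sig.Status
    })
    return $view
}

function Compare-View {
    param($Safe, $Normal)   # PSCustomObjects as produced by ConvertFrom-Json
    $report = [ordered]@{}
    foreach ($p in $Safe.PSObject.Properties) {
        $normalSet = @($Normal.($p.Name))
        # entries present in Safe Mode but missing from the normal-boot view
        $hidden = @($p.Value | Where-Object { $_ -notin $normalSet })
        if ($hidden.Count -gt 0) { $report[$p.Name] = $hidden }
    }
    return $report
}

switch ($Mode) {
    'snapshot' { ConvertTo-Json -InputObject (Get-View) -Depth 3 | Set-Content -Path $Out; Write-Host "Snapshot written to $Out" }
    'compare'  {
        $safe   = Get-Content -Path $SafeModeFile   -Raw | ConvertFrom-Json
        $normal = Get-Content -Path $NormalModeFile -Raw | ConvertFrom-Json
        $diff = Compare-View -Safe $safe -Normal $normal
        if ($diff.Count -eq 0) { Write-Host 'No entries hidden in normal boot.' }
        foreach ($k in $diff.Keys) { Write-Host "Hidden in normal boot ($k):"; $diff[$k] | ForEach-Object { Write-Host "  $_" } }
    }
}
```

Anything reported under SoftwareKeys is a candidate for the HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME] section the post describes; check it from Safe Mode, where the driver is not loaded, before trusting any tool run on the live system.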
Current thread:
- unknown windows rootkit sk / GroundZero (Nov 19)
- Re: unknown windows rootkit Andres Tarasco (Nov 19)
- Re: unknown windows rootkit Axel Pettinger (Nov 20)
- <Possible follow-ups>
- Re: unknown windows rootkit Elia Florio (Nov 21)
- Re: unknown windows rootkit Derek (Nov 21)
- Re: Re: unknown windows rootkit sk / GroundZero (Nov 21)