funsec mailing list archives

F-Secure: Rootkit Pharming


From: "Fergie" <fergdawg () netzero net>
Date: Fri, 24 Feb 2006 17:15:12 GMT

Worth a look-see.

Via F-Secure.

[snip]

Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are 
in user mode. It actually injects its hooks into user mode from the kernel -- which is really unique and kind of 
bizarre.

So, why doesn't Haxdoor just hook system calls in the kernel? A recent Secure Science paper has a good explanation for 
this. Haxdoor is used for phishing and pharming attacks against online banks.

[snip]

More:
http://www.f-secure.com/weblog/#00000821

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
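Added illustration by the editor, not code from the F-Secure post and not Haxdoor itself. The snippet leaves the
"why user mode" question to the Secure Science paper; the well-known reason is that a hook at the kernel/syscall
boundary only ever sees what the application hands to the kernel, which for an online-banking session is already
encrypted, whereas an inline hook placed at the entry of the user-mode send routine in the browser sees the form
data in the clear. The example below plays that out on Linux/x86-64 with constructed names (http_send, tls_send,
kernel_sock_write) and a toy XOR standing in for TLS: it patches http_send's entry with a jmp to a capture routine,
shows that the capture routine sees the credentials while the "kernel" side sees ciphertext, and then runs the
classic anti-rootkit check for user-mode inline hooks, comparing the live entry bytes with a clean reference (a
scanner would take the reference from the module's on-disk image). On non-x86-64 hosts or where W^X refuses an
RWX page, install_hook reports -1 and run_demo returns 0 instead of crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAXLEN 64
static char kernel_saw[MAXLEN];        /* what a syscall-level observer captures */
static char usermode_saw[MAXLEN];      /* what the user-mode inline hook captures */
static unsigned char ref_prologue[16]; /* clean entry bytes of http_send */

/* Stand-in for the kernel side of a socket write: it only ever sees what
   crosses the syscall boundary, i.e. ciphertext. */
__attribute__((noinline)) static int kernel_sock_write(const char *buf, size_t len) {
    if (len >= MAXLEN) return -1;
    memcpy(kernel_saw, buf, len);
    kernel_saw[len] = 0;
    return (int)len;
}

/* Toy "TLS" layer: XOR with 0x5A stands in for real encryption (constructed
   for the demo; not a cipher). */
__attribute__((noinline)) static int tls_send(const char *plain, size_t len) {
    char cipher[MAXLEN];
    if (len >= MAXLEN) return -1;
    for (size_t i = 0; i < len; i++) cipher[i] = (char)(plain[i] ^ 0x5A);
    return kernel_sock_write(cipher, len);
}

/* The user-mode API a browser calls with form data still in the clear
   (think HttpSendRequest or send). This is where the rootkit hooks. */
__attribute__((noinline)) int http_send(const char *plain, size_t len) {
    return tls_send(plain, len);
}

/* Callers go through a volatile pointer so the compiler cannot clone or
   constant-propagate the call and bypass the patched entry. */
static int (*volatile http_send_ptr)(const char *, size_t) = http_send;

/* The rootkit's replacement: keep a copy of the plaintext, then do the
   original work. A real hook returns into a trampoline that re-executes the
   displaced instructions; calling tls_send directly keeps the demo short. */
__attribute__((noinline)) static int hooked_http_send(const char *plain, size_t len) {
    if (len >= MAXLEN) return -1;
    memcpy(usermode_saw, plain, len);
    usermode_saw[len] = 0;
    return tls_send(plain, len);
}

/* Record the clean entry bytes before anything untrusted runs. A scanner
   would read the reference from the module's on-disk image instead. */
void snapshot_prologue(void) {
    memcpy(ref_prologue, (const void *)http_send, sizeof ref_prologue);
}

/* Classic inline-hook check: do the live entry bytes still match? */
int detect_hook(void) {
    return memcmp(ref_prologue, (const void *)http_send, sizeof ref_prologue) != 0;
}

/* Overwrite the first 5 bytes of http_send with `jmp rel32` to the hook.
   Returns 0 on success, -1 if unsupported (not x86-64, or W^X refuses RWX). */
int install_hook(void) {
#if defined(__x86_64__)
    uint8_t *target = (uint8_t *)http_send;
    uintptr_t pagesz = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)target & ~(pagesz - 1);
    uintptr_t end = ((uintptr_t)target + 5 + pagesz - 1) & ~(pagesz - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    int32_t rel = (int32_t)((intptr_t)hooked_http_send - (intptr_t)(target + 5));
    target[0] = 0xE9;                      /* jmp rel32 */
    memcpy(target + 1, &rel, sizeof rel);
    __builtin___clear_cache((char *)target, (char *)(target + 5));
    return 0;
#else
    return -1;
#endif
}

/* Whole scenario. Returns 1 when the hook captured the plaintext while the
   kernel side saw only ciphertext and the prologue check flagged the hook;
   0 when the hook could not be installed on this platform; -1 otherwise. */
int run_demo(void) {
    const char *creds = "user=alice&pass=hunter2";   /* constructed sample */
    size_t n = strlen(creds);
    snapshot_prologue();
    if (detect_hook()) return -1;                     /* clean baseline */
    usermode_saw[0] = 0;
    http_send_ptr(creds, n);
    if (usermode_saw[0] != 0 || strcmp(kernel_saw, creds) == 0) return -1;
    if (install_hook() != 0) return 0;
    http_send_ptr(creds, n);
    if (strcmp(usermode_saw, creds) != 0) return -1;  /* hook saw plaintext */
    if (strcmp(kernel_saw, creds) == 0) return -1;    /* kernel saw ciphertext */
    return detect_hook() ? 1 : -1;                    /* prologue check fires */
}

int main(void) {
    int r = run_demo();
    printf(r == 1 ? "hook installed, plaintext captured, flagged by prologue check\n"
         : r == 0 ? "hook not installable on this platform\n" : "unexpected result\n");
    return r < 0;
}
```

The prologue comparison is the same check anti-rootkit tools run over every exported function of every loaded
module; it catches the jmp patch shown here but not a hook that replaces an IAT entry or a function pointer,
which needs a separate check of the import table against the module's exports.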