Re: [Dailydave] Playing Ball

From: Matthew Wollenweber (mjw@cyberwart.com)
Date: Thu Sep 10 2009 - 15:32:46 CDT


Dave,

My subscription to CANVAS isn't current, so I can't test this myself. But
from previous experience, one of the biggest problems with rootkits is AV
software. Many AV suites behave similarly to rootkits; thus, if you're trying
to manipulate the same kernel object or hook, problems can quickly arise.

Since you indicated testing was a major component, is there a data sheet
listing Windows builds and AV bundles tested and the results? That would be
quite helpful as nothing is as embarrassing as bringing down an important
server because AV and a rootkit battled it out until the box fell over.

On Thu, Sep 10, 2009 at 1:56 PM, dave <dave@immunityinc.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CANVAS release announcement: http://www.immunityinc.com/news-latest.shtml
>
> You can't have a penetration testing toolkit without a Windows rootkit.
> To that end, this month Immunity released HCN, the next generation of
> CANVAS Windows Kernel rootkits.
>
> People always underestimate how hard it is to write a rootkit. On one
> hand, it's like engineering. Specialized engineering, but engineering
> nonetheless. You aren't hunting down tiny gold nuggets the way you are
> with vulnerability finding and exploit development.
>
> But the testing is nightmarish. Writing a rootkit is like being able to
> stick a knife in someone, but in a way they can still play basketball
> afterwards. That's an expensive thing to do, and it's not something you
> do and then ever really call done.
>
> But the HCN Rootkit works across any Windows you care about, minus 64
> bit for now. It can be set to call back to CANVAS, or simply used to
> hide another trojan of some kind.
>
> And in conclusion, commercially supported Windows rootkits are awesome.
>
> - -dave
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkqpPbsACgkQtehAhL0ghepi+wCff8gdryQAVq9U+T3X3/y4K48A
> 8CcAn30IKYWC7XftAb6idmuJTGsOApVa
> =E/MR
> -----END PGP SIGNATURE-----
> _______________________________________________
> Dailydave mailing list
> Dailydave@lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
Matthew Wollenweber
mjw@cyberwart.com
204-753-0281
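The hook collision Matthew describes above, as an added illustration that is not part of the thread and is not code from Immunity, CANVAS or HCN. It is a constructed user-mode model of a single shared dispatch-table slot (the kind of table an SSDT-style hook patches); the agent names, the "in kernel image" test and the three install/unload strategies are all hypothetical, and nothing here touches a real kernel. It shows the two ways two agents patching the same slot go wrong (one is silently bypassed, or one's saved pointer dangles into unloaded code and the next call faults) and the check-before-hook, refuse-to-unload-while-hooked-over discipline that avoids both.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one kernel dispatch slot. Hypothetical names throughout;
 * this only demonstrates why two agents patching the same slot interfere. */
typedef int (*handler_t)(int);

static int orig_handler(int arg) { return arg * 2; }   /* stands in for kernel code */
static handler_t slot = orig_handler;                  /* the shared table entry */

/* A hooking agent: what it found in the slot, whether its code is still mapped. */
struct agent { handler_t saved; bool loaded; int hits; };
static struct agent av, rk;
static int faults;   /* calls that landed in an unloaded agent's code */

static int av_hook(int arg) {
    if (!av.loaded) { faults++; return -1; }   /* real kernel: jump into freed memory */
    av.hits++;
    return av.saved(arg);
}
static int rk_hook(int arg) {
    if (!rk.loaded) { faults++; return -1; }
    rk.hits++;
    return rk.saved(arg);
}

/* Naive install: overwrite the slot, remembering whatever was there. */
static void install_naive(struct agent *a, handler_t hook) {
    a->saved = slot; a->loaded = true; slot = hook;
}
/* Naive unload: put back what we saved, whoever hooked after us. */
static void unload_naive(struct agent *a) { slot = a->saved; a->loaded = false; }

/* Half-careful unload: restore only if the slot is still ours, but unload anyway. */
static void unload_if_ours(struct agent *a, handler_t own) {
    if (slot == own) slot = a->saved;
    a->loaded = false;
}

/* Checked install: back off if the slot no longer points at the original code
 * (hypothetical stand-in for "is this address inside the kernel image?"). */
static bool install_checked(struct agent *a, handler_t hook) {
    if (slot != orig_handler) return false;
    install_naive(a, hook);
    return true;
}
/* Checked unload: refuse to unload while someone is hooked on top of us. */
static bool unload_checked(struct agent *a, handler_t own) {
    if (slot != own) return false;
    unload_naive(a);
    return true;
}

static void reset(void) {
    slot = orig_handler;
    av = (struct agent){ NULL, true, 0 };
    rk = (struct agent){ NULL, true, 0 };
    faults = 0;
}

/* 1. Both hook blindly, AV unloads first: the rootkit is silently bypassed. */
int scenario_bypassed(void) {
    reset();
    install_naive(&av, av_hook);    /* slot: av_hook -> orig */
    install_naive(&rk, rk_hook);    /* slot: rk_hook -> av_hook -> orig */
    unload_naive(&av);              /* slot: orig; rootkit dropped from the chain */
    int r = slot(3);
    return (r == 6 && rk.hits == 0 && faults == 0) ? 1 : 0;
}

/* 2. AV uses the half-careful unload: the rootkit's saved pointer now dangles. */
int scenario_dangling(void) {
    reset();
    install_naive(&av, av_hook);
    install_naive(&rk, rk_hook);
    unload_if_ours(&av, av_hook);   /* slot still rk_hook; rk.saved is unmapped av_hook */
    int r = slot(3);                /* rk_hook -> av_hook -> fault */
    return (r == -1 && faults == 1) ? 1 : 0;
}

/* 3. Checked discipline: the second agent backs off, the first stays resident
 *    while hooked over, and every call still reaches the original handler. */
int scenario_checked(void) {
    reset();
    bool a = install_checked(&av, av_hook);   /* true: slot was pristine */
    bool b = install_checked(&rk, rk_hook);   /* false: already hooked, back off */
    install_naive(&rk, rk_hook);              /* a rootkit that hooks anyway */
    bool u = unload_checked(&av, av_hook);    /* false: stay resident, chain intact */
    int r = slot(3);                          /* rk_hook -> av_hook -> orig */
    return (a && !b && !u && r == 6 && faults == 0 &&
            av.hits == 1 && rk.hits == 1) ? 1 : 0;
}

int main(void) {
    printf("bypassed=%d dangling=%d checked=%d\n",
           scenario_bypassed(), scenario_dangling(), scenario_checked());
    return 0;
}
```

Scenario 2 is the "box fell over" case: the AV driver did the obvious thing (only restore the slot if it is still ours) yet still unmapped its code, so the rootkit's next call chains into freed memory. The only safe unload in the checked model is to stay resident until nobody is hooked on top of you, which is why a per-build, per-AV test matrix is worth asking for.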
