Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses
Date: Thu Sep 23 2004 - 10:19:37 CDT
The thing that has me worried about this (at least enough to justify the
posts) is that this seems to be an avenue for growth in kits.
One of the things that has been protecting (perhaps that is too optimistic
of a word here) people from rootkits is that most of them don't work very
well or if so very pervasively. (admittedly there are exceptions to this)
Admin's may never find the actual kits but the kits (or their operators)
cause enough problems that he admin rebuilds the box to get rid of the
annoying unexplainable problems (OK only in a shop that is well kept, this
might not pertain in many IT departments)
If there is a new source of revenue I expect the quality and therefore the
danger from kits will greatly increase.
You are probably right in what you were saying about the need to get the
In addition to setting proper user rights (something that can be exceedingly
irritating to do in a Windows environment although I am sure they are
working on it [I don't want to get into a religious war here]) and
tightening system account settings admins need to start looking at tools
like Tripwire or other MD5 based monitoring mechanisms. There are a number
out there and they don't all cost a fortune.
For those who are hazy we are not talking about typical BO or NC type stuff
here (as useful as those tools might be to hackers [and geeky/slightly
independent admins]) This is stuff that either replaces Kernel components or
for some of the more advanced stuff sits between the kernel and the
hardware/bios. This means the OS can't even see what is happening let alone
the Admin or AV programs (Properly configured AV's could probably be made to
look for default settings but for alterable kits this wouldn't matter.
Obviously that makes it difficult to make it Hardware, OS/Patch or system
independent. It also tends to mean that the more comprehensive ones are not
that small (again a few notable exceptions). Still development funds can
make a lot happen.
To go a step further if the code gets small enough and public enough there
is a potential for some of it to end up in viruses. I would think this is
pretty difficult but ...
By the way good site.
Information Security Officer
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Harlan Carvey
Sent: Thursday, September 23, 2004 9:25 AM
Subject: RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from
all Adware removers and Anti-viruses
> Nothing new about rootkits. They aren't big news
> because they are old news.
> Although depressing this is defiantly possible.
Old news, yes...but to some, not everyone. Taking
users (home, corporate, academic, etc.) out of it,
sysadmins and LEOs are still way behind when it comes
to understanding rootkits. Certain privileges are
required for the installation of user-mode rootkits,
and in the absence of those privs, the rootkits have
been shown to *not* install. For some level of detail
about this, check out "Windows Forensics and Incident
Recovery" (http://www.windows-ir.com <http://www.windows-ir.com> ).
Full-Disclosure - We believe in it.
This message may contain information which is private, privileged or
confidential and is intended solely for the use of the individual or entity
named in the message. If you are not the intended recipient of this message,
please notify the sender thereof and destroy / delete the message. Neither
the sender nor Sappi Limited (including its subsidiaries and associated
companies) shall incur any liability resulting directly or indirectly from
accessing any of the attached files which may contain a virus or the like.
Full-Disclosure - We believe in it.