RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses
From: Harlan Carvey (keydet89yahoo.com)
Date: Thu Sep 23 2004 - 20:09:26 CDT
> Some of them can (almost) hide from everything
> because of the way they integrate.
Not everything...check out my book.
> Even hashes
> won't work for program execution detection very
I'm not entirely clear on how a hash of a file
pertains to detecting the execution of a program...can
> Ok so you argue that to find it all you have to do
> is name a file "_root_
> ... Filename" and see if it disappears.
But that's *only* if you use Greg Hoglund's proof of
concept NT kernel-mode rootkit. If someone has the
ability to install such a thing, they already have
greater control of the box than you do.
> Of course there are some limitations here. Once a
> virus uses a specific make
> of it a signature that discovers the "keyphrase" of
> that make can be crafted
> for the AV.
Unless it's placed someplace on the system not viewed
by the A/V.
> Another option is morphic code that is self
> referencing. Both of those options take this well
> out of script kiddie land.
Dude, I have to say...you crack me up! Really! So
far, you've just been using incorrect terms in most
cases...but now you're using partially correct (i.e.,
it's not "morphic", it's "polymorphic")...though I
have no idea what you're referring to when you say
> You are right when you say that they cannot be
> "completely" invisible (that
> would make them useless) but in the Win world even
> one that makes Task
> manager, Regedit and filemanager / CLI useless
> creates significant
> troubleshooting problems for normal admins.
I'd agree with that, and include the fact that it can
be overcome with knowledge. I've outlined a good deal
of this knowledge in my book, "Windows Forensics and
> Add to
> the possibility of having
> to customize AV monitoring mechanisms away from the
> standard windows Dll's
> and you get some problems.
> The possible combinations invoke visions of scary
Viruses don't scare me. Worms and trojans do.