RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

[Todd Towles]

Title: Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

There are several areas that programs can use to hide from AV without rootkits. ADS, System Info Volume, Trash, etc. The scary part about rootkits becoming the norm in spyware is the advancement that will take place.   Once people start to pay for stuff, it gets better. Programmer will have a reason to clean the code up and throw in the bells. Rootkits will advance because of the money, just like botnets. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, September 23, 2004 2:51 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Some of them can (almost) hide from everything because of the way they integrate. Take Alpha for example. You aren’t going to find it with any tools that a standard system has. OK if you had Tripwire with the right settings installed that would catch the initial deploy but not afterward because it is hiding access mechanisms using another method. Even hashes won’t work for program execution detection very well.   Ok so you argue that to find it all you have to do is name a file “_root_ … Filename” and see if it disappears. That is true, but if you look at the source you will see that that is defined in the rk_ioman.c and rk_defence.c code. So you change that and remake. You can change it to whatever you want. Now you can’t find it that way. (Same trick for the calc.exe piece but different subs)   Of course there are some limitations here. Once a virus uses a specific make of it a signature that discovers the “keyphrase” of that make can be crafted for the AV. This is why I say it would be difficult to implement in a Virus. Basically you would have to build a complier (or at least the use of a generic one into it as well). Another option is morphic code that is self referencing. Both of those options take this well out of script kiddie land.   + size + complexity + |small potential developer community| + |lack of existing code| + exploitation time => less successful virus risk   That is just one example, there are dozens of them out there publicly probably hundreds privately and the real point is that money will make them better (worse).   You are right when you say that they cannot be “completely” invisible (that would make them useless) but in the Win world even one that makes Task manager,  Regedit and filemanager / CLI useless creates significant troubleshooting problems for normal admins. Add to the possibility of having to customize AV monitoring mechanisms away from the standard windows Dll’s and you get some problems.   The possible combinations invoke visions of scary viruses.   James Cupps Information Security Officer -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GuidoZ Sent: Thursday, September 23, 2004 12:54 PM To: Matt Cc: Will Image; [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses   > It is quite possible to hide processes, reg keys and files, and is often > done by various malware. Aye. I didn't word my statements correctly. (Was tired... =P ) You are very much correct. I guess I was trying to speak along the lines of AV detection and forensics. I've yet to find a rootkit, spyware, or malware that is COMPLETLY hidden, in every aspect, from the user. There is always a way to find it. Granted, they can bypass the "usual means" (regedit, taskmanager, etc) in Windows, however there are specialized tools (process viewers for example) that show hidden processes. What I meant to express is they seem to claim being able to hide from everything. (Even if an AV solution detected the very program they use as an installer.) That, I doubt. To save someone else from saying this, I'll reply to my own comment. =) > I've yet to find a rootkit, spyware, or malware that is > COMPLETLY hidden, in every aspect, from the user. Well, DUH. How could you find it if it was COMPLETELY hidden? ;) Clarification: The user and a sysadmin that has a clue are two very different people.) -- Peace. ~G On Thu, 23 Sep 2004 14:38:34 +1000, Matt <[EMAIL PROTECTED]> wrote: > GuidoZ wrote: > > Interesting indeed. Although, I imagine this was a spam email, and I > > never believe (nor buy) anything from spam. I wondr how credible this > > really is. If there was such a way to do what they claim, don't you > > think it would have been big news?  >One would think you wouldn't first > > hear about it through spam. > > > It is quite possible to hide processes, reg keys and files, and is often > done by various malware. > > > Also - nice website they have. http://www.randexsoft.com Simply says: > > > > Access Forbidden -- Go away. > > > > I love a company who is customer friendly. > > > > -- > > Peace. ~G > > > > > > On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image > > <[EMAIL PROTECTED]> wrote: > > > >>I recieved this in my inbox today: > >>how long do you think this company will last? > >> > >> > >>>Date: Wed, 22 Sep 2004 19:02:44 -0400 > >>>From: Jacques Tremblay <[EMAIL PROTECTED]> > >>>To: [EMAIL PROTECTED] > >>>Subject: Hide your adware from all Adware removers > >>>and Anti-viruses > >>> > >>>To: Business development manager > >>> > >>>Subject: Hide your adware from all Adware removers > >>>and  Anti-viruses > >>> > >>> > >>> > >>>Hi, > >>>       Adware removers are gaining in popularity and > >>>they cause a big > >>>revenue threat to adware based businesses, as we see > >>>our software > >>>installations get desinstalled after a period of > >>>time that is shorter > >>>and shorter, we see our revenues get smaller and > >>>smaller. > >>> > >>>       Why would an honest adware based business > >>>lose revenue just because > >>>some adware remover has identifyed it as being > >>>something to remove ? > >>> > >>>       We beleive we have the right to hide from > >>>these adware removers as > >>>long as we provide a way for the user to uninstall > >>>and that he agrees > >>>that the software will be uninstalled only with the > >>>provided > >>>uninstaller. > >>> > >>>       It is in that spirit that we created the > >>>solution to the problem : > >>> > >>> > >>>AdProtector 1.2 > >>> > >>> > >>>       We have developed software capable of hiding > >>>your software from all > >>>adware removers and anti-viruses on a Windows > >>>NT/2000/2003/XP machine. > >>> > >>>       Basically we have filtered the windows kernel > >>>so that we could mofify > >>>the behavior of the system itself. So now we can > >>>hide anything we want > >>>from windows. > >>> > >>>                           It can :   - Hide Registry Keys > >>>                                      - Hide Files > >>>                                              - Hide Processes > >>> > >>>       By hiding these 3 key elements from windows, > >>>your application won't > >>>ever be detected by any adware removers. > >>> > >>>       Interesting ? > >>> > >>>       For more information or to resquest a Demo : > >>>  email : > >>>[EMAIL PROTECTED] > >>> > >>>Business is moving fast, keep ahead of the > >>>competition! > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.netsys.com/full-disclosure-charter.html > > > > > -- Peace. ~G _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html This message may contain information which is private, privileged or confidential and is intended solely for the use of the individual or entity named in the message. If you are not the intended recipient of this message, please notify the sender thereof and destroy / delete the message. Neither the sender nor Sappi Limited (including its subsidiaries and associated companies) shall incur any liability resulting directly or indirectly from accessing any of the attached files which may contain a virus or the like.