There are several areas that programs can use to hide from AV without rootkits: ADS, System Info Volume, Trash, etc.

The scary part about rootkits becoming the norm in spyware is the advancement that will take place.

Once people start to pay for stuff, it gets better. Programmers will have a reason to clean the code up and throw in the bells. Rootkits will advance because of the money, just like botnets.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 23, 2004 2:51 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

Some of them can (almost) hide from everything because of the way they integrate. Take Alpha for example. You aren't going to find it with any tools that a standard system has. OK, if you had Tripwire with the right settings installed, that would catch the initial deploy, but not afterward, because it is hiding access mechanisms using another method. Even hashes won't work for program execution detection very well.
OK, so you argue that to find it all you have to do is name a file "_root_ … Filename" and see if it disappears. That is true, but if you look at the source you will see that that is defined in the rk_ioman.c and rk_defence.c code. So you change that and remake. You can change it to whatever you want. Now you can't find it that way. (Same trick for the calc.exe piece, but different subs.)

Of course there are some limitations here. Once a virus uses a specific make of it, a signature that discovers the "keyphrase" of that make can be crafted for the AV. This is why I say it would be difficult to implement in a virus. Basically you would have to build a compiler (or at least build the use of a generic one into it as well). Another option is morphic code that is self-referencing. Both of those options take this well out of script kiddie land.
+ size + complexity + |small potential developer community| + |lack of existing code| + exploitation time => less successful virus risk
That is just one example; there are dozens of them out there publicly, probably hundreds privately, and the real point is that money will make them better (worse).

You are right when you say that they cannot be "completely" invisible (that would make them useless), but in the Win world even one that makes Task Manager, Regedit and the file manager / CLI useless creates significant troubleshooting problems for normal admins. Add to that the possibility of having to customize AV monitoring mechanisms away from the standard Windows DLLs and you get some problems.
The possible combinations invoke visions of scary viruses.
James Cupps

-----Original Message-----
> It is quite possible to hide processes, reg keys and files, and is often
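As an added defensive check, not code from either message in this thread: the PowerShell below walks the non-rootkit hiding places named at the top of the thread (user profiles, the Recycle Bin and System Volume Information are assumed scan roots) and lists every NTFS alternate data stream other than the default ::$DATA, so a stream-hidden payload shows up in a plain directory review.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams
# under a set of roots and report any stream other than the default ::$DATA.
# Assumes Windows PowerShell 3.0+ (Get-Item -Stream) on an NTFS volume.
# $Roots is a constructed sample list; adjust it to the volume under review.
# System Volume Information normally needs an elevated (or SYSTEM) session.
$Roots = @('C:\Users', 'C:\$Recycle.Bin', 'C:\System Volume Information')

function Get-NonDefaultStreams {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden/system entries; access-denied errors are skipped
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # -Stream * returns one object per stream (FileName, Stream, Length)
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [PSCustomObject]@{
                    File   = $file
                    Stream = $_.Stream
                    Length = $_.Length
                }
            }
        }
    }
}

$streams = Get-NonDefaultStreams -Paths $Roots

# Zone.Identifier is the normal "downloaded from the Internet" mark, so it is
# reported separately; anything else is worth a closer look.
$unexpected = $streams | Where-Object { $_.Stream -ne 'Zone.Identifier' }
$unexpected | Sort-Object Length -Descending | Format-Table -AutoSize
```

Large streams on files that should carry no data (for example, an empty placeholder file with a multi-megabyte stream) are the usual sign of a payload parked in an ADS; compare the list against a known-good baseline rather than reading it in isolation.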