Thanks for the interesting reading Mike. =) Good stuff there.
--
Peace. ~G
On Sat, 25 Sep 2004 00:08:19 -0500 (CDT), Mike Barushok
<[EMAIL PROTECTED]> wrote:
>
> Back in the day, 1994 to be exact, there was a virus that with the
> commonly available tools was quite difficult to eliminate, and
>
Back in the day, 1994 to be exact, there was a virus that with the
commonly available tools was quite difficult to eliminate, and
which was usually detected by effects rather than the presence
on disk, or in main memory.
One of the effects it had was to "delete or stops the execution
of programs
Title: Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses
There are several areas that programs can use to hide from AV without rootkits. ADS,
System Info Volume, Trash, etc.
The scary part about rootkits becoming the norm in spyware is the
> Some of them can (almost) hide from everything
> because of the way they integrate.
Not everything...check out my book.
> Even hashes
> won't work for program execution detection very
> well.
I'm not entirely clear on how a hash of a file
pertains to detecting the execution of a program...c
world than the normal person, that is what I tell
> my non-computer friends anyways.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of GuidoZ
> Sent: Thursday, September 23, 2004 11:54 AM
> To: Matt
> Cc: Will Image; [EMAIL PR
I guess my comment further down was overlooked:
GuidoZ said:
> To save someone else from saying this, I'll reply to my own comment. =)
>
> > I've yet to find a rootkit, spyware, or malware that is
> > COMPLETELY hidden, in every aspect, from the user.
>
> Well, DUH. How could you find it if it was
Title: Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all
Adware removers and Anti-viruses
Some of them can (almost) hide from everything because of the way they integrate. Take
Alpha for example. You aren't going to find it with any tools that a
standard system has. OK
> I realize that this is purely speculation on your
> part, but I'd be careful about saying things like
> this. The reason is that understanding "the kernel
> and flow chart of processes" isn't really the issue.
Yes, it was mostly speculation. The most common problem I run into on
a daily basis i
Subject: Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware
from all Adware removers and Anti-viruses
> It is quite possible to hide processes, reg keys and files, and is
> often done by various malware.
Aye. I didn't word my statements correctly. (Was tired... =P ) You are
ve
> Windows is likely the most susceptible to such an
> attack due to the
> limited amount of people that fully understand the
> kernel and "flow
> chart" of processes. (Or those that don't put 2 and
> 2 together, like myself.)
I realize that this is purely speculation on your
part, but I'd be care
Spam or not, truth or not, the whole situation with adware is getting
out of hand.
I suspect the quickest way of dealing with the registry entries is to
use Unicode keys (unreadable by any outer ring processes).
Worrying that they are getting into the kernel, although I would be
very interested t
> It is quite possible to hide processes, reg keys and files, and is often
> done by various malware.
Aye. I didn't word my statements correctly. (Was tired... =P ) You are
very much correct.
I guess I was trying to speak along the lines of AV detection and
forensics. I've yet to find a rootkit,
I stand corrected. I hadn't thought about this...
> More specific to the Windows environment, what we're
> talking about is API hooking, and then more advanced
> stuff such as DKOM, or direct kernel object
> manipulation. This is where the linked list used to
> maintain a list of processes is m
> The thing that has me worried about this (at least
> enough to justify the
> posts) is that this seems to be an avenue for growth
> in kits.
That's exactly what it is.
On a slightly tangential note, while many people I
know of in the security community bash Microsoft, I've
more often been
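The DKOM technique described above (splicing a process record out of the kernel's doubly linked process list) and the cross-view check that catches it, as an added example that is not code from the thread or from any of its posters. It is a user-mode model in C: the LIST_ENTRY, CONTAINING_RECORD and ActiveProcessLinks names mirror the Windows kernel, while the PROCESS struct, the fixed pool standing in for kernel memory, and the sample process set are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread). Assumption: PROCESS and the pool
   below are a simplified stand-in for EPROCESS and kernel memory. */

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

typedef struct _PROCESS {
    unsigned long pid;
    char name[16];
    LIST_ENTRY ActiveProcessLinks; /* links this record into the active list */
} PROCESS;

#define MAX_PROCS 8

static PROCESS pool[MAX_PROCS];  /* backing storage: where records really live */
static int pool_count;
static LIST_ENTRY active_head;   /* stand-in for the list head the kernel walks */

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Take a record from the pool and link it in, as process creation would. */
static PROCESS *create_process(unsigned long pid, const char *name) {
    if (pool_count >= MAX_PROCS) return NULL;
    PROCESS *p = &pool[pool_count++];
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);
    p->name[sizeof p->name - 1] = '\0';
    list_insert_tail(&active_head, &p->ActiveProcessLinks);
    return p;
}

/* The DKOM step: unlink the record, then point its own links at itself so
   later list operations on it stay memory-safe. Nothing else is changed. */
void dkom_hide(PROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e;
    e->Blink = e;
}

/* View 1: walk the list, which is what an ordinary process enumerator sees. */
int list_view(unsigned long *pids, int max) {
    int n = 0;
    for (LIST_ENTRY *e = active_head.Flink; e != &active_head && n < max; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, PROCESS, ActiveProcessLinks)->pid;
    return n;
}

/* View 2: scan the backing storage, ignoring the links entirely. */
int scan_view(unsigned long *pids, int max) {
    int n = 0;
    for (int i = 0; i < pool_count && n < max; i++)
        pids[n++] = pool[i].pid;
    return n;
}

/* Cross-view diff: anything the scan finds that the list walk does not. */
int find_hidden(unsigned long *hidden, int max) {
    unsigned long a[MAX_PROCS], b[MAX_PROCS];
    int na = list_view(a, MAX_PROCS), nb = scan_view(b, MAX_PROCS), n = 0;
    for (int i = 0; i < nb && n < max; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++) if (a[j] == b[i]) { seen = 1; break; }
        if (!seen) hidden[n++] = b[i];
    }
    return n;
}

/* Constructed sample: four processes, one of them hidden. Returns the hidden pid. */
unsigned long build_sample(void) {
    pool_count = 0;
    list_init(&active_head);
    create_process(4, "System");
    create_process(620, "csrss.exe");
    PROCESS *bad = create_process(1337, "adware.exe");
    create_process(2044, "explorer.exe");
    dkom_hide(bad);
    return bad->pid;
}

int main(void) {
    unsigned long hidden[MAX_PROCS];
    build_sample();
    int n = find_hidden(hidden, MAX_PROCS);
    for (int i = 0; i < n; i++)
        printf("hidden pid %lu\n", hidden[i]);
    return 0;
}
```

Walking the list yields three processes, scanning the pool yields four, and the difference is the hidden record. Detectors apply the same idea against a real system by comparing what the process APIs report with an independent view (a scan of kernel memory for process objects, or the thread and handle tables), since the hidden process keeps running: the scheduler works from thread lists, not from the list that was unlinked.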
Title: RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all
Adware removers and Anti-viruses
Again true,
The thing that has me worried about this (at least enough to justify the
posts) is that this seems to be an avenue for growth in kits.
One of the things that
ames
Sent: Thursday, September 23, 2004 11:20 AM
To: 'Harlan Carvey'; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Rootkit For Spyware? Hide your adware from
all Adware removers and Anti-viruses
Again true,
The thing that has me worried about this (at least enough to justify the
posts
eally, but the more
people that get exposed to these facts, the better.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harlan
Carvey
Sent: Thursday, September 23, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Rootkit For Spyware? Hide y
> Nothing new about rootkits. They aren't big news
> because they are old news.
> Although depressing this is definitely possible.
Old news, yes...but to some, not everyone. Taking
users (home, corporate, academic, etc.) out of it,
sysadmins and LEOs are still way behind when it comes
to understa
Title: Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all
Adware removers and Anti-viruses
Nothing new about rootkits. They aren't big news because they are old news.
Although depressing this is definitely possible.
James Cupps
Information Security Officer
GuidoZ wrote:
Interesting indeed. Although, I imagine this was a spam email, and I
never believe (nor buy) anything from spam. I wonder how credible this
really is. If there was such a way to do what they claim, don't you
think it would have been big news? One would think you wouldn't first
hear a
Interesting indeed. Although, I imagine this was a spam email, and I
never believe (nor buy) anything from spam. I wonder how credible this
really is. If there was such a way to do what they claim, don't you
think it would have been big news? One would think you wouldn't first
hear about it through