lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: mikehome at kcisp.net (Mike Barushok)
Subject: Rootkit For Spyware? Hide your adware from
 all Adware removers and Anti-viruses

Back in the day, 1994 to be exact, there was a virus that with the
commonly available tools was quite difficult to eliminate, and
which was usually detected by effects rather than the presence
on disk, or in main memory. 

One of the effects it had was to "delete or stops the execution
of programs called SCAN, CLEAN, NETSCAN, CPAV, MSAV, TNTAV".
Actually many other executables other than those were interfered
with also. Another effect was a system with a modem would start
answering on the seventh ring. And it deleted files named
'CHKLIST.*' (defeating integrity checking, but noticeable).

Had it been truly polymorphic, less 'noisy', and
with several modern tricks, it could initially have been credibly
described as almost undetectible. Erasing the CMOS memory
could have seemed like a dead battery. 

Checkout GOLDBUG, see:
http://www.f-secure.com/v-descs/goldbug.shtml
http://www.textfiles.com/virus/gold-bug.txt
http://vx.netlux.org/lib/static/vdat/retrovir.htm

For all intents and purposes anything you would expect the system
to do under certain circumstances, can be subverted such that the
expected result would be generated falsely. File scanning,
registry keys and values, process enumeration, could all be made
to appear to suceed in finding nothing out of the ordinary.
Windows regedit is well known to hide some of the key names
and their values. Disk areas other than the 'file system' can
hold data. Processes that are already always running (like
Kernel32 itself, could be the process that was modified to do
the dirty deeds. Generally, with any general purpose computer,
the ability to trust the results of any particular action
depend on fully knowing the complete state of the machine.
So, a machine in an unknown state cannot verify itself to be
in an 'expected' state.

Additionally, it is theoretically feasible to modify the
CPU's microcode to alter execution of already present software
as desired. This was mentioned as far back as twenty years ago
by someone who instead demonstrated a trojan that worked by
modifying the Unix login, when the login program was compiled,
and that detected a new version of the compiler being compiled
and replicated itself to the new compiler object code. 
See: K. Thompson. Reflections of Trusting
     Trust, Communication of the ACM, Vol. 27, No. 8, Aug 1984,
     pp. 761-763. http://www.acm.org/classics/sep95

He stated "You can't trust code that you did not totally create
yourself. (Especially code from companies that employ people like
me). No amount of source-level verification or scrutiny will
protect you from using untrusted code. In demonstrating the
possibility of this kind of attack, I picked on the C compiler. I
could have picked on any program-handling program such as an
assembler, a loader, or even hardware microcode. As the level of
program gets lower, these bugs will be harder and harder to
detect. A well installed microcode bug will be almost impossible
to detect".

So, although I doubt that any company is really selling any
completely undetectible code, for the purposes being discussed
in this thread, there almost certainly is some very difficult to
detect software already being used for other purposes important
to certain three-letter-agencies.

On Thu, 23 Sep 2004, GuidoZ wrote:

> > It is quite possible to hide processes, reg keys and files, and is often
> > done by various malware.
> 
> Aye. I didn't word my statements correctly. (Was tired... =P ) You are
> very much correct.
> 
> I guess I was trying to speak along the lines of AV detection and
> forensics. I've yet to find a rootkit, spyware, or malware that is
> COMPLETLY hidden, in every aspect, from the user. There is always a
> way to find it. Granted, they can bypass the "usual means" (regedit,
> taskmanager, etc) in Windows, however there are specialized tools
> (process viewers for example) that show hidden processes. What I meant
> to express is they seem to claim being able to hide from everything.
> (Even if an AV solution detected the very program they use as an
> installer.) That, I doubt.
> 
> 
> To save someone else from saying this, I'll reply to my own comment. =)
> 
> > I've yet to find a rootkit, spyware, or malware that is
> > COMPLETLY hidden, in every aspect, from the user.
> 
> Well, DUH. How could you find it if it was COMPLETELY hidden? ;)
> Clarification: The user and a sysadmin that has a clue are two very
> different people.)
> 
> --
> Peace. ~G
> 
> 
> On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt@...temlinux.net> wrote:
> > GuidoZ wrote:
> > > Interesting indeed. Although, I imagine this was a spam email, and I
> > > never believe (nor buy) anything from spam. I wondr how credible this
> > > really is. If there was such a way to do what they claim, don't you
> > > think it would have been big news?  >One would think you wouldn't first
> > > hear about it through spam.
> > > 
> > It is quite possible to hide processes, reg keys and files, and is often
> > done by various malware.
> > 
> > > Also - nice website they have. http://www.randexsoft.com Simply says:
> > >
> > > Access Forbidden -- Go away.
> > >
> > > I love a company who is customer friendly.
> > >
> > > --
> > > Peace. ~G
> > >
> > >
> > > On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image
> > > <xillwillx@...oo.com> wrote:
> > >
> > >>I recieved this in my inbox today:
> > >>how long do you think this company will last?
> > >>
> > >>
> > >>>Date: Wed, 22 Sep 2004 19:02:44 -0400
> > >>>From: Jacques Tremblay <jacques.tremblay@...il.com>
> > >>>To: xillwillx@...oo.com
> > >>>Subject: Hide your adware from all Adware removers
> > >>>and Anti-viruses
> > >>>
> > >>>To: Business development manager
> > >>>
> > >>>Subject: Hide your adware from all Adware removers
> > >>>and  Anti-viruses
> > >>>
> > >>>
> > >>>
> > >>>Hi,
> > >>>       Adware removers are gaining in popularity and
> > >>>they cause a big
> > >>>revenue threat to adware based businesses, as we see
> > >>>our software
> > >>>installations get desinstalled after a period of
> > >>>time that is shorter
> > >>>and shorter, we see our revenues get smaller and
> > >>>smaller.
> > >>>
> > >>>       Why would an honest adware based business
> > >>>lose revenue just because
> > >>>some adware remover has identifyed it as being
> > >>>something to remove ?
> > >>>
> > >>>       We beleive we have the right to hide from
> > >>>these adware removers as
> > >>>long as we provide a way for the user to uninstall
> > >>>and that he agrees
> > >>>that the software will be uninstalled only with the
> > >>>provided
> > >>>uninstaller.
> > >>>
> > >>>       It is in that spirit that we created the
> > >>>solution to the problem :
> > >>>
> > >>>
> > >>>AdProtector 1.2
> > >>>
> > >>>
> > >>>       We have developed software capable of hiding
> > >>>your software from all
> > >>>adware removers and anti-viruses on a Windows
> > >>>NT/2000/2003/XP machine.
> > >>>
> > >>>       Basically we have filtered the windows kernel
> > >>>so that we could mofify
> > >>>the behavior of the system itself. So now we can
> > >>>hide anything we want
> > >>>from windows.
> > >>>
> > >>>                           It can :   - Hide Registry Keys
> > >>>                                      - Hide Files
> > >>>                                              - Hide Processes
> > >>>
> > >>>       By hiding these 3 key elements from windows,
> > >>>your application won't
> > >>>ever be detected by any adware removers.
> > >>>
> > >>>       Interesting ?
> > >>>
> > >>>       For more information or to resquest a Demo :
> > >>>  email :
> > >>>hexa@...dexsoft.com
> > >>>
> > >>>Business is moving fast, keep ahead of the
> > >>>competition!
> > >
> > > 
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> > >
> > 
> 
> 
> 
> -- 
> Peace. ~G
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ