Open Source and information security mailing list archives
 
Date: Mon Nov 21 11:01:33 2005
From: eflorio at edmaster.it (Elia Florio)
Subject: unknown windows rootkit

It's a rootkit installed by Spyware.Apropos.C variant.
http://securityresponse.symantec.com/avcenter/venc/data/spyware.apropos.c.html

It comes from a big bundle installer (typically 1.5 MB)
that installs the spyware itself and its rootkit components.
All the files (the downloader, the installer, the DLL) are
encrypted with a small poly-packer (every downloaded sample
looks different from the others).

The program installs itself inside %ProgramFiles% and %System% and generates
its names using standard legitimate names taken from existing programs
(e.g. usb42prt.sys, volmndis.sys, amdrxdav.sys).

The SYS file (12 KB) is not a HackDefender strain, because the rootkit
itself is protected with a VM layer: basically there is an instruction
controller that executes the program flow in a specific instruction order,
like a kind of virtual machine. In this way it's possible to generate a SYS
driver that looks different each time, changing the block order of
instructions (if you compare the rootkit files installed by different samples of
the spyware they are different). Inside the rootkit there's a static string
"Core. by Zufyxe".

The rootkit hooks "NdisAllocatePacket()" in KiServiceTable to
intercept network traffic and uses one of the DLLs for inline
hooking of registry/file APIs, hiding itself completely.
If you boot in safe mode the rootkit does not work;
try searching for the spyware registry section

HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM NAME USED BY SPYWARE]

And you will find all the installed files on the system
(the SYS driver is configurable and it's programmed to start
some executables at boot).

EF

________________________________________________
Message sent by
Edizioni Master Webmail
http://mbox.edmaster.it
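The post's triage advice (boot into Safe Mode, where the driver's hooks are inactive, then look under HKLM\SOFTWARE for the spyware's configuration key to recover the list of installed files) can be turned into a quick registry sweep. The script below is an added example, not code from the original post or from Symantec; it assumes a modern Windows host with PowerShell, and the key name is unknown, so instead of guessing it the script walks every subkey of HKLM\SOFTWARE and reports any value whose data points at a .sys/.dll/.exe file under %ProgramFiles% or %SystemRoot%\System32, together with whether the file exists on disk and whether it carries a valid Authenticode signature. Unsigned driver files referenced from an unfamiliar vendor key are the entries worth examining first.

```powershell
# Added example (not from the original post): sweep HKLM\SOFTWARE for values
# that reference executable files in the two locations the post names.
# Intended to be run from Safe Mode so that registry and file views are not
# filtered by the rootkit's hooks.

$roots   = @($env:ProgramFiles, "$env:SystemRoot\System32")
# Match an absolute path ending in .sys, .dll or .exe inside REG_SZ-style data.
$pattern = '(?i)\b[A-Z]:\\[^"<>|]+?\.(sys|dll|exe)\b'

function Get-ExecutableReferences {
    Get-ChildItem -Path 'HKLM:\SOFTWARE' -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            # GetValue() expands %VAR% references in REG_EXPAND_SZ data by default,
            # so %ProgramFiles%-style entries are matched as real paths.
            $data = [string]$key.GetValue($name)
            foreach ($m in [regex]::Matches($data, $pattern)) {
                $path = $m.Value
                $inRoot = $roots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
                if (-not $inRoot) { continue }

                $onDisk = Test-Path -LiteralPath $path
                $sig = if ($onDisk) {
                    (Get-AuthenticodeSignature -LiteralPath $path).Status
                } else { 'missing' }

                [pscustomobject]@{
                    Key       = $key.Name
                    ValueName = $name
                    Path      = $path
                    OnDisk    = $onDisk
                    Signature = $sig
                }
            }
        }
      }
}

# Unsigned or missing files referenced from HKLM\SOFTWARE are listed first;
# a .sys under System32 with no valid signature is the case the post describes.
Get-ExecutableReferences |
  Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Key |
  Format-Table -AutoSize
```

The sweep is noisy on a normal machine (many legitimate vendor keys reference their own binaries), so the output is sorted to put unsigned and missing files at the top; compare any unfamiliar key against the file names the post gives as examples of the lookalike naming scheme, and diff the Safe Mode result against a normal-boot run of the same script to see which entries the hooks hide.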
