lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20040924010926.22747.qmail@web51505.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Rootkit For Spyware? Hide your adware from  all Adware removers and Anti-viruses

> Some of them can (almost) hide from everything
> because of the way they integrate. 

Not everything...check out my book.

> Even hashes
> won't work for program execution detection very
> well. 

I'm not entirely clear on how a hash of a file
pertains to detecting the execution of a program...can
you explain?
 
> Ok so you argue that to find it all you have to do
> is name a file "_root_
> ... Filename" and see if it disappears. 

But that's *only* if you use Greg Hoglund's proof of
concept NT kernel-mode rootkit.  If someone has the
ability to install such a thing, they already have
greater control of the box than you do.

> Of course there are some limitations here. Once a
> virus uses a specific make
> of it a signature that discovers the "keyphrase" of
> that make can be crafted
> for the AV.

Unless it's placed someplace on the system not viewed
by the A/V.  

> Another option is morphic code that is self
> referencing. Both of those options take this well
> out of script kiddie land.

Dude, I have to say...you crack me up!  Really!  So
far, you've just been using incorrect terms in most
cases...but now you're using partially correct (ie,
it's not "morphic", it's "polymorphic")...though I
have no idea what you're referring to when you say
"self referencing".

> You are right when you say that they cannot be
> "completely" invisible (that
> would make them useless) but in the Win world even
> one that makes Task
> manager,  Regedit and filemanager / CLI useless
> creates significant
> troubleshooting problems for normal admins.

I'd agree with that, and include the fact that it can
be overcome with knowledge.  I've outlined a good deal
of this knowledge in my book, "Windows Forensics and
Incident Recovery".

> Add to
> the possibility of having
> to customize AV monitoring mechanisms away from the
> standard windows Dll's
> and you get some problems.

???

> The possible combinations invoke visions of scary
> viruses. 

Viruses don't scare me.  Worms and trojans do.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ