Message-ID: <b7bc1b1f040924232272bc7cd0@mail.gmail.com>
From: uberguidoz at gmail.com (GuidoZ)
Subject: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

Thanks for the interesting reading Mike. =) Good stuff there.

--
Peace. ~G

On Sat, 25 Sep 2004 00:08:19 -0500 (CDT), Mike Barushok <mikehome@...sp.net> wrote:
>
> Back in the day, 1994 to be exact, there was a virus that with the
> commonly available tools was quite difficult to eliminate, and
> which was usually detected by effects rather than the presence
> on disk, or in main memory.
>
> One of the effects it had was to "delete or stops the execution
> of programs called SCAN, CLEAN, NETSCAN, CPAV, MSAV, TNTAV".
> Actually many other executables other than those were interfered
> with also. Another effect was a system with a modem would start
> answering on the seventh ring. And it deleted files named
> 'CHKLIST.*' (defeating integrity checking, but noticeable).
>
> Had it been truly polymorphic, less 'noisy', and
> with several modern tricks, it could initially have been credibly
> described as almost undetectable. Erasing the CMOS memory
> could have seemed like a dead battery.
>
> Check out GOLDBUG, see:
> http://www.f-secure.com/v-descs/goldbug.shtml
> http://www.textfiles.com/virus/gold-bug.txt
> http://vx.netlux.org/lib/static/vdat/retrovir.htm
>
> For all intents and purposes anything you would expect the system
> to do under certain circumstances can be subverted such that the
> expected result would be generated falsely. File scanning,
> registry keys and values, process enumeration, could all be made
> to appear to succeed in finding nothing out of the ordinary.
> Windows regedit is well known to hide some of the key names
> and their values. Disk areas other than the 'file system' can
> hold data. Processes that are already always running (like
> Kernel32 itself) could be the process that was modified to do
> the dirty deeds. Generally, with any general purpose computer,
> the ability to trust the results of any particular action
> depends on fully knowing the complete state of the machine.
> So, a machine in an unknown state cannot verify itself to be
> in an 'expected' state.
>
> Additionally, it is theoretically feasible to modify the
> CPU's microcode to alter execution of already present software
> as desired. This was mentioned as far back as twenty years ago
> by someone who instead demonstrated a trojan that worked by
> modifying the Unix login, when the login program was compiled,
> and that detected a new version of the compiler being compiled
> and replicated itself to the new compiler object code.
> See: K. Thompson. Reflections on Trusting
> Trust, Communications of the ACM, Vol. 27, No. 8, Aug 1984,
> pp. 761-763. http://www.acm.org/classics/sep95
>
> He stated "You can't trust code that you did not totally create
> yourself. (Especially code from companies that employ people like
> me). No amount of source-level verification or scrutiny will
> protect you from using untrusted code. In demonstrating the
> possibility of this kind of attack, I picked on the C compiler. I
> could have picked on any program-handling program such as an
> assembler, a loader, or even hardware microcode. As the level of
> program gets lower, these bugs will be harder and harder to
> detect. A well installed microcode bug will be almost impossible
> to detect".
>
> So, although I doubt that any company is really selling any
> completely undetectable code, for the purposes being discussed
> in this thread, there almost certainly is some very difficult to
> detect software already being used for other purposes important
> to certain three-letter-agencies.
>
> On Thu, 23 Sep 2004, GuidoZ wrote:
>
> > > It is quite possible to hide processes, reg keys and files, and is often
> > > done by various malware.
> >
> > Aye. I didn't word my statements correctly. (Was tired... =P ) You are
> > very much correct.
> >
> > I guess I was trying to speak along the lines of AV detection and
> > forensics. I've yet to find a rootkit, spyware, or malware that is
> > COMPLETELY hidden, in every aspect, from the user. There is always a
> > way to find it. Granted, they can bypass the "usual means" (regedit,
> > taskmanager, etc) in Windows, however there are specialized tools
> > (process viewers for example) that show hidden processes. What I meant
> > to express is they seem to claim being able to hide from everything.
> > (Even if an AV solution detected the very program they use as an
> > installer.) That, I doubt.
> >
> >
> > To save someone else from saying this, I'll reply to my own comment. =)
> >
> > > I've yet to find a rootkit, spyware, or malware that is
> > > COMPLETELY hidden, in every aspect, from the user.
> >
> > Well, DUH. How could you find it if it was COMPLETELY hidden? ;)
> > (Clarification: The user and a sysadmin that has a clue are two very
> > different people.)
> >
> > --
> > Peace. ~G
> >
> >
> > On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt@...temlinux.net> wrote:
> > > GuidoZ wrote:
> > > > Interesting indeed. Although, I imagine this was a spam email, and I
> > > > never believe (nor buy) anything from spam. I wonder how credible this
> > > > really is. If there was such a way to do what they claim, don't you
> > > > think it would have been big news? One would think you wouldn't first
> > > > hear about it through spam.
> > > >
> > > It is quite possible to hide processes, reg keys and files, and is often
> > > done by various malware.
> > >
> > > > Also - nice website they have. http://www.randexsoft.com Simply says:
> > > >
> > > > Access Forbidden -- Go away.
> > > >
> > > > I love a company who is customer friendly.
> > > >
> > > > --
> > > > Peace. ~G
> > > >
> > > >
> > > > On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image
> > > > <xillwillx@...oo.com> wrote:
> > > >
> > > >>I received this in my inbox today:
> > > >>how long do you think this company will last?
> > > >>
> > > >>
> > > >>>Date: Wed, 22 Sep 2004 19:02:44 -0400
> > > >>>From: Jacques Tremblay <jacques.tremblay@...il.com>
> > > >>>To: xillwillx@...oo.com
> > > >>>Subject: Hide your adware from all Adware removers
> > > >>>and Anti-viruses
> > > >>>
> > > >>>To: Business development manager
> > > >>>
> > > >>>Subject: Hide your adware from all Adware removers
> > > >>>and Anti-viruses
> > > >>>
> > > >>>
> > > >>>
> > > >>>Hi,
> > > >>>  Adware removers are gaining in popularity and they cause a big
> > > >>>revenue threat to adware based businesses, as we see our software
> > > >>>installations get uninstalled after a period of time that is shorter
> > > >>>and shorter, we see our revenues get smaller and smaller.
> > > >>>
> > > >>>  Why would an honest adware based business lose revenue just because
> > > >>>some adware remover has identified it as being something to remove?
> > > >>>
> > > >>>  We believe we have the right to hide from these adware removers as
> > > >>>long as we provide a way for the user to uninstall and that he agrees
> > > >>>that the software will be uninstalled only with the provided
> > > >>>uninstaller.
> > > >>>
> > > >>>  It is in that spirit that we created the solution to the problem:
> > > >>>
> > > >>>
> > > >>>AdProtector 1.2
> > > >>>
> > > >>>
> > > >>>  We have developed software capable of hiding your software from all
> > > >>>adware removers and anti-viruses on a Windows NT/2000/2003/XP machine.
> > > >>>
> > > >>>  Basically we have filtered the windows kernel so that we could modify
> > > >>>the behavior of the system itself. So now we can hide anything we want
> > > >>>from windows.
> > > >>>
> > > >>>  It can: - Hide Registry Keys
> > > >>>          - Hide Files
> > > >>>          - Hide Processes
> > > >>>
> > > >>>  By hiding these 3 key elements from windows, your application won't
> > > >>>ever be detected by any adware removers.
> > > >>>
> > > >>>  Interesting?
> > > >>>
> > > >>>  For more information or to request a Demo:
> > > >>>  email: hexa@...dexsoft.com
> > > >>>
> > > >>>Business is moving fast, keep ahead of the competition!
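Mike's point that process enumeration can be made to "succeed in finding nothing", and GuidoZ's reply that specialised process viewers still surface hidden processes, meet in the cross-view technique: ask for the same fact through two different interfaces and diff the answers. The following is an added example, not code from anyone in the thread; it targets Linux rather than the Windows NT family the spam advertises, but the principle is the same. It assumes a standard procfs with readable /proc/sys/kernel/pid_max.

```python
"""Cross-view hidden-process check, Linux only (added example).
View 1 is readdir(/proc); view 2 brute-forces kill(pid, 0) over every
possible PID.  A rootkit that filters only the listing shows up as a
PID present in view 2 but absent from view 1."""
import os

def pid_alive(pid):
    """ESRCH means no such task; EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def pids_from_proc_listing():
    """View 1: what readdir(/proc) admits to."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pids_from_kill_probe(max_pid=None):
    """View 2: probe 1..pid_max without consulting the directory listing."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}

def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as f:
            tg = [line for line in f if line.startswith("Tgid:")]
        return int(tg[0].split()[1]) if tg else None
    except OSError:
        return None

def classify_discrepancies(listing, probe, tgid_of=thread_group_id):
    """Split probe-only PIDs into benign thread IDs and suspicious PIDs.
    kill() accepts a TID, but readdir(/proc) never lists one, so a task
    whose Tgid differs from its own id is a thread, not a hidden process."""
    suspicious, threads = set(), set()
    for pid in probe - listing:
        tgid = tgid_of(pid)
        (threads if tgid not in (None, pid) else suspicious).add(pid)
    return suspicious, threads

def hidden_pids():
    """Re-check suspects against a fresh listing so a process that merely
    exited between the two views is not reported."""
    suspicious, _ = classify_discrepancies(pids_from_proc_listing(),
                                           pids_from_kill_probe())
    fresh = pids_from_proc_listing()
    return {p for p in suspicious if p not in fresh and pid_alive(p)}
```

On a procfs mounted with hidepid, other users' status files are unreadable, so their processes land in the suspicious set; treat that as a known false positive rather than a finding.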