[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <b7bc1b1f040924232272bc7cd0@mail.gmail.com>
From: uberguidoz at gmail.com (GuidoZ)
Subject: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses
Thanks for the interesting reading Mike. =) Good stuff there.
--
Peace. ~G
On Sat, 25 Sep 2004 00:08:19 -0500 (CDT), Mike Barushok
<mikehome@...sp.net> wrote:
>
> Back in the day, 1994 to be exact, there was a virus that with the
> commonly available tools was quite difficult to eliminate, and
> which was usually detected by effects rather than the presence
> on disk, or in main memory.
>
> One of the effects it had was to "delete or stops the execution
> of programs called SCAN, CLEAN, NETSCAN, CPAV, MSAV, TNTAV".
> Actually many other executables other than those were interfered
> with also. Another effect was a system with a modem would start
> answering on the seventh ring. And it deleted files named
> 'CHKLIST.*' (defeating integrity checking, but noticeable).
>
> Had it been truly polymorphic, less 'noisy', and
> with several modern tricks, it could initially have been credibly
> described as almost undetectible. Erasing the CMOS memory
> could have seemed like a dead battery.
>
> Checkout GOLDBUG, see:
> http://www.f-secure.com/v-descs/goldbug.shtml
> http://www.textfiles.com/virus/gold-bug.txt
> http://vx.netlux.org/lib/static/vdat/retrovir.htm
>
> For all intents and purposes anything you would expect the system
> to do under certain circumstances, can be subverted such that the
> expected result would be generated falsely. File scanning,
> registry keys and values, process enumeration, could all be made
> to appear to suceed in finding nothing out of the ordinary.
> Windows regedit is well known to hide some of the key names
> and their values. Disk areas other than the 'file system' can
> hold data. Processes that are already always running (like
> Kernel32 itself, could be the process that was modified to do
> the dirty deeds. Generally, with any general purpose computer,
> the ability to trust the results of any particular action
> depend on fully knowing the complete state of the machine.
> So, a machine in an unknown state cannot verify itself to be
> in an 'expected' state.
>
> Additionally, it is theoretically feasible to modify the
> CPU's microcode to alter execution of already present software
> as desired. This was mentioned as far back as twenty years ago
> by someone who instead demonstrated a trojan that worked by
> modifying the Unix login, when the login program was compiled,
> and that detected a new version of the compiler being compiled
> and replicated itself to the new compiler object code.
> See: K. Thompson. Reflections of Trusting
> Trust, Communication of the ACM, Vol. 27, No. 8, Aug 1984,
> pp. 761-763. http://www.acm.org/classics/sep95
>
> He stated "You can't trust code that you did not totally create
> yourself. (Especially code from companies that employ people like
> me). No amount of source-level verification or scrutiny will
> protect you from using untrusted code. In demonstrating the
> possibility of this kind of attack, I picked on the C compiler. I
> could have picked on any program-handling program such as an
> assembler, a loader, or even hardware microcode. As the level of
> program gets lower, these bugs will be harder and harder to
> detect. A well installed microcode bug will be almost impossible
> to detect".
>
> So, although I doubt that any company is really selling any
> completely undetectible code, for the purposes being discussed
> in this thread, there almost certainly is some very difficult to
> detect software already being used for other purposes important
> to certain three-letter-agencies.
>
> On Thu, 23 Sep 2004, GuidoZ wrote:
>
> > > It is quite possible to hide processes, reg keys and files, and is often
> > > done by various malware.
> >
> > Aye. I didn't word my statements correctly. (Was tired... =P ) You are
> > very much correct.
> >
> > I guess I was trying to speak along the lines of AV detection and
> > forensics. I've yet to find a rootkit, spyware, or malware that is
> > COMPLETLY hidden, in every aspect, from the user. There is always a
> > way to find it. Granted, they can bypass the "usual means" (regedit,
> > taskmanager, etc) in Windows, however there are specialized tools
> > (process viewers for example) that show hidden processes. What I meant
> > to express is they seem to claim being able to hide from everything.
> > (Even if an AV solution detected the very program they use as an
> > installer.) That, I doubt.
> >
> >
> > To save someone else from saying this, I'll reply to my own comment. =)
> >
> > > I've yet to find a rootkit, spyware, or malware that is
> > > COMPLETLY hidden, in every aspect, from the user.
> >
> > Well, DUH. How could you find it if it was COMPLETELY hidden? ;)
> > Clarification: The user and a sysadmin that has a clue are two very
> > different people.)
> >
> > --
> > Peace. ~G
> >
> >
> > On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt@...temlinux.net> wrote:
> > > GuidoZ wrote:
> > > > Interesting indeed. Although, I imagine this was a spam email, and I
> > > > never believe (nor buy) anything from spam. I wondr how credible this
> > > > really is. If there was such a way to do what they claim, don't you
> > > > think it would have been big news? >One would think you wouldn't first
> > > > hear about it through spam.
> > > >
> > > It is quite possible to hide processes, reg keys and files, and is often
> > > done by various malware.
> > >
> > > > Also - nice website they have. http://www.randexsoft.com Simply says:
> > > >
> > > > Access Forbidden -- Go away.
> > > >
> > > > I love a company who is customer friendly.
> > > >
> > > > --
> > > > Peace. ~G
> > > >
> > > >
> > > > On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image
> > > > <xillwillx@...oo.com> wrote:
> > > >
> > > >>I recieved this in my inbox today:
> > > >>how long do you think this company will last?
> > > >>
> > > >>
> > > >>>Date: Wed, 22 Sep 2004 19:02:44 -0400
> > > >>>From: Jacques Tremblay <jacques.tremblay@...il.com>
> > > >>>To: xillwillx@...oo.com
> > > >>>Subject: Hide your adware from all Adware removers
> > > >>>and Anti-viruses
> > > >>>
> > > >>>To: Business development manager
> > > >>>
> > > >>>Subject: Hide your adware from all Adware removers
> > > >>>and Anti-viruses
> > > >>>
> > > >>>
> > > >>>
> > > >>>Hi,
> > > >>> Adware removers are gaining in popularity and
> > > >>>they cause a big
> > > >>>revenue threat to adware based businesses, as we see
> > > >>>our software
> > > >>>installations get desinstalled after a period of
> > > >>>time that is shorter
> > > >>>and shorter, we see our revenues get smaller and
> > > >>>smaller.
> > > >>>
> > > >>> Why would an honest adware based business
> > > >>>lose revenue just because
> > > >>>some adware remover has identifyed it as being
> > > >>>something to remove ?
> > > >>>
> > > >>> We beleive we have the right to hide from
> > > >>>these adware removers as
> > > >>>long as we provide a way for the user to uninstall
> > > >>>and that he agrees
> > > >>>that the software will be uninstalled only with the
> > > >>>provided
> > > >>>uninstaller.
> > > >>>
> > > >>> It is in that spirit that we created the
> > > >>>solution to the problem :
> > > >>>
> > > >>>
> > > >>>AdProtector 1.2
> > > >>>
> > > >>>
> > > >>> We have developed software capable of hiding
> > > >>>your software from all
> > > >>>adware removers and anti-viruses on a Windows
> > > >>>NT/2000/2003/XP machine.
> > > >>>
> > > >>> Basically we have filtered the windows kernel
> > > >>>so that we could mofify
> > > >>>the behavior of the system itself. So now we can
> > > >>>hide anything we want
> > > >>>from windows.
> > > >>>
> > > >>> It can : - Hide Registry Keys
> > > >>> - Hide Files
> > > >>> - Hide Processes
> > > >>>
> > > >>> By hiding these 3 key elements from windows,
> > > >>>your application won't
> > > >>>ever be detected by any adware removers.
> > > >>>
> > > >>> Interesting ?
> > > >>>
> > > >>> For more information or to resquest a Demo :
> > > >>> email :
> > > >>>hexa@...dexsoft.com
> > > >>>
> > > >>>Business is moving fast, keep ahead of the
> > > >>>competition!
Powered by blists - more mailing lists