Message-Id: <D74C6F5E-7AC8-401A-BCEF-350DBC51F240@phocean.net>
Date: Wed, 11 Jul 2012 23:06:25 +0200
From: phocean <0x90@...cean.net>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: suspicion of rootkit
The machine is Windows XP SP3, quite up-to-date but not fully. Except that Windows Update is not working anymore, which is one of the symptoms.
I described the issues here:
http://www.phocean.net/2012/06/30/rootkit-in-my-lab.html
http://www.phocean.net/2012/07/11/rootkit-in-my-lab-part-ii.html
You will see why some symptoms make me think of a rootkit.
You are right, it could be a case of Windows being messed up.
But it actually happened on a pretty fresh install: I had just finished setting up XP and tens of analysis tools (I intended this box to be my fresh reversing system).
So even if it is possible, it sounds strange that a machine gets corrupted so quickly. And of course, I suspect some of these tools, obtained from multiple downloads.
Lastly, I could of course analyse them one by one, but there are many, so it would be painful (and I am not sure that I kept all the setups).
--- phocean
On 11 Jul 2012, at 22:51, Valdis.Kletnieks@...edu wrote:
> On Wed, 11 Jul 2012 22:42:42 +0200, phocean said:
>> I have a lab virtual machine that behaves as if it was owned by a
>> rootkit: weird behavior with system certificates and keyboard driver.
>
> Out of curiosity, why are you guessing it's a rootkit, rather than just another
> case of Windows being messed up and needing fixing?
>
> What release of Windows? When did it start misbehaving? Was that
> anytime near Patch Tuesday?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/