Message-Id: <C0574EE4-8509-4FF4-AB60-565D0A256E11@gmail.com>
Date: Thu, 12 Jul 2012 00:46:33 +0300
From: Alexandru Balan <jaymzu@...il.com>
To: phocean <0x90@...cean.net>
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: suspicion of rootkit

Tried checking it with an AV?
http://quickscan.bitdefender.com

On Jul 12, 2012, at 12:06 AM, phocean wrote:

> The machine is Windows XP SP3 quite up-to-date, but not fully. Except that Windows Update is not working anymore.
> One of the symptoms. 
> 
> I described the issues there:
> http://www.phocean.net/2012/06/30/rootkit-in-my-lab.html
> http://www.phocean.net/2012/07/11/rootkit-in-my-lab-part-ii.html
> 
> You will see why some symptoms make me think about a rootkit.
> 
> You are right, it could be some Windows being messed up.
> But it actually happened on a pretty fresh install: I finished setting XP and tens of analysis tools (I aimed this box to be my fresh reversing system).
> So even if possible, it sounds strange that a machine gets corrupted so quickly. And of course, I suspect some of these tools, got from multiple downloads.
> At last, I could analyse them one by one of course, but there are many so it would be painful (and I am not sure that I kept all setups).
> 
> --- phocean
> 
> 
> On 11 Jul 2012 at 22:51, Valdis.Kletnieks@...edu wrote:
> 
>> On Wed, 11 Jul 2012 22:42:42 +0200, phocean said:
>>> I have a lab virtual machine that behaves as if it was owned by a
>>> rootkit: weird behavior with system certificates and keyboard driver.
>> 
>> Out of curiosity, why are you guessing it's a rootkit, rather than just another
>> case of Windows being messed up and needing fixing?
>> 
>> What release of Windows?  When did it start misbehaving?  Was that
>> anytime near Patch Tuesday?
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/