[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <04AD555F-CFF9-407F-9B85-3148E0F79EC6@phocean.net>
Date: Thu, 12 Jul 2012 15:57:37 +0200
From: phocean <0x90@...cean.net>
To: Mikhail A. Utin <mutin@...monwealthcare.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 89,
Issue 15 suspicion of rootkit (Alexandru Balan)
The only antivirus I have tried so far is Microsoft Security Essentials. And it finds nothing, which I certainly don't trust at all.
Especially because it shows a very unusual certificate alert during the setup.
I also scanned a few files that I chose (some dll and services) on VirusTotal with no results except some false positive. I also had a look on the disassembly of these files.
So, I don't know what it is, but if it is a rootkit it is not a trivial one and I am afraid it is smarter than me :)
--- phocean
Le 12 juil. 2012 à 15:33, Mikhail A. Utin a écrit :
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of full-disclosure-request@...ts.grok.org.uk
> Sent: Thursday, July 12, 2012 4:40 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: Full-Disclosure Digest, Vol 89, Issue 15
>
> Send Full-Disclosure mailing list submissions to
> full-disclosure@...ts.grok.org.uk
>
>
>
> I've had very similar case of downloading software and getting a malware. I wanted just to get it fixed, so wheither a virus, or worm, or rootkit I do not know.
> Symptoms were disabled Windows update and Windows networking. TCP in general worked.
> I found malicious files (just a few) using one of security tools running under Linux CD-bootable to check consistency of Windows files. First I tried three AV systems (F-Secure, Kaspersky and Symantec), but they were useless. Finally, from Linux I was able to find files having inconsistent attributes, as far as I remember - the size and modification date.
>
> Nothing of particular, but: AV systems identify less than 90% of malware (both forward and backward tests), when downloading freeware stuff a virtual machine is the best option, and if after just installing of freeware Windows screw up, it is obvious what is the reason for.
>
> Mikhail
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 12 Jul 2012 00:46:33 +0300
> From: Alexandru Balan <jaymzu@...il.com>
> Subject: Re: [Full-disclosure] suspicion of rootkit
> To: phocean <0x90@...cean.net>
> Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
> Message-ID: <C0574EE4-8509-4FF4-AB60-565D0A256E11@...il.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Tried checking it with an AV ?
> http://quickscan.bitdefender.com
>
> On Jul 12, 2012, at 12:06 AM, phocean wrote:
>
>> The machine is Windows XP SP3 quite up-to-date, but not fully. Except that Windows Update is not working anymore.
>> One of the symptoms.
>>
>> I described the issues there:
>> http://www.phocean.net/2012/06/30/rootkit-in-my-lab.html
>> http://www.phocean.net/2012/07/11/rootkit-in-my-lab-part-ii.html
>>
>> You will see why some symptoms make me think about a rootkit.
>>
>> You are right, it could be some Windows being messed up.
>> But it actually happened on a pretty fresh install: I finished setting XP and tens of analysis tools (I aimed this box to be my fresh reversing system).
>> So even if possible, it sounds strange that a machine gets corrupted so quickly. And of course, I suspect some of these tools, got from multiple downloads.
>> At last, I could analyse them one by one of course, but there are many so it would be painful (and I am not sure that I kept all setups).
>>
>> --- phocean
> CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential
> and privileged information for the use of the designated recipients named above. If you are
> not the intended recipient, you are hereby notified that you have received this communication
> in error and that any review, disclosure, dissemination, distribution or copying of it or its
> contents is prohibited. If you have received this communication in error, please reply to the
> sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication
> and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy,
> please visit our Internet web site at http://www.commonwealthcare.org.
>
Content of type "text/html" skipped
Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists