Date: Thu, 12 Jul 2012 15:57:37 +0200
From: phocean <0x90@...cean.net>
To: Mikhail A. Utin <mutin@...monwealthcare.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 89, Issue 15 suspicion of rootkit (Alexandru Balan)

The only antivirus I have tried so far is Microsoft Security Essentials. And it finds nothing, which I certainly don't trust at all.
Especially because it shows a very unusual certificate alert during the setup.
I also scanned a few files that I chose (some DLLs and services) on VirusTotal with no results except some false positives. I also had a look at the disassembly of these files.
So, I don't know what it is, but if it is a rootkit it is not a trivial one and I am afraid it is smarter than me :)

--- phocean


On 12 July 2012 at 15:33, Mikhail A. Utin wrote:

> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of full-disclosure-request@...ts.grok.org.uk
> Sent: Thursday, July 12, 2012 4:40 AM
> To: full-disclosure@...ts.grok.org.uk
> Subject: Full-Disclosure Digest, Vol 89, Issue 15
> 
> I've had a very similar case of downloading software and getting malware. I just wanted to get it fixed, so whether it was a virus, a worm, or a rootkit I do not know.
> Symptoms were disabled Windows Update and Windows networking. TCP in general worked.
> I found malicious files (just a few) using one of the security tools running from a bootable Linux CD to check the consistency of Windows files. First I tried three AV systems (F-Secure, Kaspersky and Symantec), but they were useless. Finally, from Linux I was able to find files having inconsistent attributes, as far as I remember the size and modification date.
> 
> Nothing in particular, but: AV systems identify less than 90% of malware (both forward and backward tests), when downloading freeware stuff a virtual machine is the best option, and if Windows screws up right after installing freeware, it is obvious what the reason is.
> 
> Mikhail
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 12 Jul 2012 00:46:33 +0300
> From: Alexandru Balan <jaymzu@...il.com>
> Subject: Re: [Full-disclosure] suspicion of rootkit
> To: phocean <0x90@...cean.net>
> Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
> Message-ID: <C0574EE4-8509-4FF4-AB60-565D0A256E11@...il.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Tried checking it with an AV?
> http://quickscan.bitdefender.com
> 
> On Jul 12, 2012, at 12:06 AM, phocean wrote:
> 
>> The machine is Windows XP SP3, quite up-to-date but not fully. Except that Windows Update is not working anymore.
>> One of the symptoms.
>> 
>> I described the issues there:
>> http://www.phocean.net/2012/06/30/rootkit-in-my-lab.html
>> http://www.phocean.net/2012/07/11/rootkit-in-my-lab-part-ii.html
>> 
>> You will see why some symptoms make me think about a rootkit.
>> 
>> You are right, it could be some Windows component being messed up.
>> But it actually happened on a pretty fresh install: I had just finished setting up XP and tens of analysis tools (I intended this box to be my fresh reversing system).
>> So even if possible, it sounds strange that a machine gets corrupted so quickly. And of course, I suspect some of these tools, obtained from multiple downloads.
>> Finally, I could analyse them one by one of course, but there are many so it would be painful (and I am not sure that I kept all the setups).
>> 
>> --- phocean
> 


Content of type "text/html" skipped

Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)
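The offline check Mikhail describes (boot a clean Linux, mount the Windows volume read-only, and look for system files whose size, modification date or content no longer match a known-good install) can be scripted as a baseline comparison. This is an added example, not a tool from the thread; the baseline manifest is assumed to have been built from a trusted install of the same Windows version and patch level.

```python
import hashlib
import os

# Added example, not from the thread: compare a suspect Windows volume (mounted
# read-only under Linux) against a manifest taken from a known-good install.
# Each regular file is recorded as (size, mtime, sha256); the manifest paths
# and the known-good source are assumptions the operator supplies.

def _sha256(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> (size, mtime, sha256) for each regular file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (st.st_size, int(st.st_mtime), _sha256(full))
    return manifest

def compare(baseline, current):
    """Report missing, added and changed files with the attributes that differ.
    A changed hash with unchanged size and mtime is the telling case: an
    intruder can set the timestamp back, but cannot keep the hash the same."""
    report = {"missing": [], "added": sorted(set(current) - set(baseline)), "changed": []}
    for rel, (size, mtime, digest) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        csize, cmtime, cdigest = current[rel]
        reasons = [name for name, old, new in
                   (("size", size, csize), ("mtime", mtime, cmtime), ("hash", digest, cdigest))
                   if old != new]
        if reasons:
            report["changed"].append((rel, reasons))
    return report
```

Build the baseline with `build_manifest()` on the known-good volume's system directory, then run `compare()` against the same directory on the suspect volume; entries flagged only by "hash" are the ones worth pulling for disassembly or a VirusTotal lookup.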
