Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

From: GuidoZ (uberguidoz_at_gmail.com)
Date: 09/25/04

    To: Mike Barushok <mikehome@kcisp.net>
    Date: Sat, 25 Sep 2004 02:22:55 -0400

    Thanks for the interesting reading Mike. =) Good stuff there.

    --
    Peace. ~G
    On Sat, 25 Sep 2004 00:08:19 -0500 (CDT), Mike Barushok
    <mikehome@kcisp.net> wrote:
    > 
    > Back in the day, 1994 to be exact, there was a virus that with the
    > commonly available tools was quite difficult to eliminate, and
    > which was usually detected by effects rather than the presence
    > on disk, or in main memory.
    > 
    > One of the effects it had was to "delete or stops the execution
    > of programs called SCAN, CLEAN, NETSCAN, CPAV, MSAV, TNTAV".
    > Actually many other executables other than those were interfered
    > with also. Another effect was a system with a modem would start
    > answering on the seventh ring. And it deleted files named
    > 'CHKLIST.*' (defeating integrity checking, but noticeable).
    > 
    > Had it been truly polymorphic, less 'noisy', and
    > with several modern tricks, it could initially have been credibly
    > described as almost undetectable. Erasing the CMOS memory
    > could have seemed like a dead battery.
    > 
    > Check out GOLDBUG, see:
    > http://www.f-secure.com/v-descs/goldbug.shtml
    > http://www.textfiles.com/virus/gold-bug.txt
    > http://vx.netlux.org/lib/static/vdat/retrovir.htm
    > 
    > For all intents and purposes anything you would expect the system
    > to do under certain circumstances, can be subverted such that the
    > expected result would be generated falsely. File scanning,
    > registry keys and values, process enumeration, could all be made
    > to appear to succeed in finding nothing out of the ordinary.
    > Windows regedit is well known to hide some of the key names
    > and their values. Disk areas other than the 'file system' can
    > hold data. Processes that are already always running (like
    > Kernel32 itself) could be the process that was modified to do
    > the dirty deeds. Generally, with any general purpose computer,
    > the ability to trust the results of any particular action
    > depends on fully knowing the complete state of the machine.
    > So, a machine in an unknown state cannot verify itself to be
    > in an 'expected' state.
    > 
    > Additionally, it is theoretically feasible to modify the
    > CPU's microcode to alter execution of already present software
    > as desired. This was mentioned as far back as twenty years ago
    > by someone who instead demonstrated a trojan that worked by
    > modifying the Unix login, when the login program was compiled,
    > and that detected a new version of the compiler being compiled
    > and replicated itself to the new compiler object code.
    > See: K. Thompson. Reflections on Trusting
    >      Trust, Communications of the ACM, Vol. 27, No. 8, Aug 1984,
    >      pp. 761-763. http://www.acm.org/classics/sep95
    > 
    > He stated "You can't trust code that you did not totally create
    > yourself. (Especially code from companies that employ people like
    > me). No amount of source-level verification or scrutiny will
    > protect you from using untrusted code. In demonstrating the
    > possibility of this kind of attack, I picked on the C compiler. I
    > could have picked on any program-handling program such as an
    > assembler, a loader, or even hardware microcode. As the level of
    > program gets lower, these bugs will be harder and harder to
    > detect. A well installed microcode bug will be almost impossible
    > to detect".
    > 
    > So, although I doubt that any company is really selling any
    > completely undetectable code, for the purposes being discussed
    > in this thread, there almost certainly is some very difficult to
    > detect software already being used for other purposes important
    > to certain three-letter-agencies.
    > 
    > On Thu, 23 Sep 2004, GuidoZ wrote:
    > 
    > > > It is quite possible to hide processes, reg keys and files, and is often
    > > > done by various malware.
    > >
    > > Aye. I didn't word my statements correctly. (Was tired... =P ) You are
    > > very much correct.
    > >
    > > I guess I was trying to speak along the lines of AV detection and
    > > forensics. I've yet to find a rootkit, spyware, or malware that is
    > > COMPLETELY hidden, in every aspect, from the user. There is always a
    > > way to find it. Granted, they can bypass the "usual means" (regedit,
    > > taskmanager, etc) in Windows, however there are specialized tools
    > > (process viewers for example) that show hidden processes. What I meant
    > > to express is they seem to claim being able to hide from everything.
    > > (Even if an AV solution detected the very program they use as an
    > > installer.) That, I doubt.
    > >
    > >
    > > To save someone else from saying this, I'll reply to my own comment. =)
    > >
    > > > I've yet to find a rootkit, spyware, or malware that is
    > > > COMPLETELY hidden, in every aspect, from the user.
    > >
    > > Well, DUH. How could you find it if it was COMPLETELY hidden? ;)
    > > (Clarification: The user and a sysadmin that has a clue are two very
    > > different people.)
    > >
    > > --
    > > Peace. ~G
    > >
    > >
    > > On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt@systemlinux.net> wrote:
    > > > GuidoZ wrote:
    > > > > Interesting indeed. Although, I imagine this was a spam email, and I
    > > > > never believe (nor buy) anything from spam. I wonder how credible this
    > > > > really is. If there was such a way to do what they claim, don't you
    > > > > think it would have been big news? One would think you wouldn't first
    > > > > hear about it through spam.
    > > > >
    > > > It is quite possible to hide processes, reg keys and files, and is often
    > > > done by various malware.
    > > >
    > > > > Also - nice website they have. http://www.randexsoft.com Simply says:
    > > > >
    > > > > Access Forbidden -- Go away.
    > > > >
    > > > > I love a company who is customer friendly.
    > > > >
    > > > > --
    > > > > Peace. ~G
    > > > >
    > > > >
    > > > > On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image
    > > > > <xillwillx@yahoo.com> wrote:
    > > > >
    > > > >>I received this in my inbox today:
    > > > >>how long do you think this company will last?
    > > > >>
    > > > >>
    > > > >>>Date: Wed, 22 Sep 2004 19:02:44 -0400
    > > > >>>From: Jacques Tremblay <jacques.tremblay@gmail.com>
    > > > >>>To: xillwillx@yahoo.com
    > > > >>>Subject: Hide your adware from all Adware removers
    > > > >>>and Anti-viruses
    > > > >>>
    > > > >>>To: Business development manager
    > > > >>>
    > > > >>>Subject: Hide your adware from all Adware removers
    > > > >>>and  Anti-viruses
    > > > >>>
    > > > >>>
    > > > >>>
    > > > >>>Hi,
    > > > >>>       Adware removers are gaining in popularity and they cause a
    > > > >>>big revenue threat to adware based businesses, as we see our
    > > > >>>software installations get uninstalled after a period of time
    > > > >>>that is shorter and shorter, we see our revenues get smaller and
    > > > >>>smaller.
    > > > >>>
    > > > >>>       Why would an honest adware based business lose revenue just
    > > > >>>because some adware remover has identified it as being something
    > > > >>>to remove ?
    > > > >>>
    > > > >>>       We believe we have the right to hide from these adware
    > > > >>>removers as long as we provide a way for the user to uninstall
    > > > >>>and that he agrees that the software will be uninstalled only
    > > > >>>with the provided uninstaller.
    > > > >>>
    > > > >>>       It is in that spirit that we created the solution to the
    > > > >>>problem :
    > > > >>>
    > > > >>>
    > > > >>>AdProtector 1.2
    > > > >>>
    > > > >>>
    > > > >>>       We have developed software capable of hiding your software
    > > > >>>from all adware removers and anti-viruses on a Windows
    > > > >>>NT/2000/2003/XP machine.
    > > > >>>
    > > > >>>       Basically we have filtered the windows kernel so that we
    > > > >>>could modify the behavior of the system itself. So now we can
    > > > >>>hide anything we want from windows.
    > > > >>>
    > > > >>>       It can :   - Hide Registry Keys
    > > > >>>                  - Hide Files
    > > > >>>                  - Hide Processes
    > > > >>>
    > > > >>>       By hiding these 3 key elements from windows, your
    > > > >>>application won't ever be detected by any adware removers.
    > > > >>>
    > > > >>>       Interesting ?
    > > > >>>
    > > > >>>       For more information or to request a Demo :
    > > > >>>  email :
    > > > >>>hexa@randexsoft.com
    > > > >>>
    > > > >>>Business is moving fast, keep ahead of the competition!
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
