Re: [Full-Disclosure] Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses

From: GuidoZ (uberguidoz_at_gmail.com)
Date: 09/25/04

    To: Mike Barushok <mikehome@kcisp.net>
    Date: Sat, 25 Sep 2004 02:22:55 -0400
    
    

    Thanks for the interesting reading Mike. =) Good stuff there.

    --
    Peace. ~G
    On Sat, 25 Sep 2004 00:08:19 -0500 (CDT), Mike Barushok
    <mikehome@kcisp.net> wrote:
    > 
    > Back in the day, 1994 to be exact, there was a virus that with the
    > commonly available tools was quite difficult to eliminate, and
    > which was usually detected by effects rather than the presence
    > on disk, or in main memory.
    > 
    > One of the effects it had was to "delete or stops the execution
    > of programs called SCAN, CLEAN, NETSCAN, CPAV, MSAV, TNTAV".
    > Actually many other executables other than those were interfered
    > with also. Another effect was a system with a modem would start
    > answering on the seventh ring. And it deleted files named
    > 'CHKLIST.*' (defeating integrity checking, but noticeable).
    > 
    > Had it been truly polymorphic, less 'noisy', and
    > with several modern tricks, it could initially have been credibly
    > described as almost undetectable. Erasing the CMOS memory
    > could have seemed like a dead battery.
    > 
    > Check out GOLDBUG, see:
    > http://www.f-secure.com/v-descs/goldbug.shtml
    > http://www.textfiles.com/virus/gold-bug.txt
    > http://vx.netlux.org/lib/static/vdat/retrovir.htm
    > 
    > For all intents and purposes anything you would expect the system
    > to do under certain circumstances, can be subverted such that the
    > expected result would be generated falsely. File scanning,
    > registry keys and values, process enumeration, could all be made
    > to appear to succeed in finding nothing out of the ordinary.
    > Windows regedit is well known to hide some of the key names
    > and their values. Disk areas other than the 'file system' can
    > hold data. Processes that are already always running (like
    > Kernel32 itself) could be the process that was modified to do
    > the dirty deeds. Generally, with any general purpose computer,
    > the ability to trust the results of any particular action
    > depends on fully knowing the complete state of the machine.
    > So, a machine in an unknown state cannot verify itself to be
    > in an 'expected' state.
    > 
    > Additionally, it is theoretically feasible to modify the
    > CPU's microcode to alter execution of already present software
    > as desired. This was mentioned as far back as twenty years ago
    > by someone who instead demonstrated a trojan that worked by
    > modifying the Unix login, when the login program was compiled,
    > and that detected a new version of the compiler being compiled
    > and replicated itself to the new compiler object code.
    > See: K. Thompson. Reflections on Trusting
    >      Trust, Communications of the ACM, Vol. 27, No. 8, Aug 1984,
    >      pp. 761-763. http://www.acm.org/classics/sep95
    > 
    > He stated "You can't trust code that you did not totally create
    > yourself. (Especially code from companies that employ people like
    > me). No amount of source-level verification or scrutiny will
    > protect you from using untrusted code. In demonstrating the
    > possibility of this kind of attack, I picked on the C compiler. I
    > could have picked on any program-handling program such as an
    > assembler, a loader, or even hardware microcode. As the level of
    > program gets lower, these bugs will be harder and harder to
    > detect. A well installed microcode bug will be almost impossible
    > to detect".
    > 
    > So, although I doubt that any company is really selling any
    > completely undetectable code, for the purposes being discussed
    > in this thread, there almost certainly is some very difficult to
    > detect software already being used for other purposes important
    > to certain three-letter-agencies.
    > 
    > On Thu, 23 Sep 2004, GuidoZ wrote:
    > 
    > > > It is quite possible to hide processes, reg keys and files, and is often
    > > > done by various malware.
    > >
    > > Aye. I didn't word my statements correctly. (Was tired... =P ) You are
    > > very much correct.
    > >
    > > I guess I was trying to speak along the lines of AV detection and
    > > forensics. I've yet to find a rootkit, spyware, or malware that is
    > > COMPLETELY hidden, in every aspect, from the user. There is always a
    > > way to find it. Granted, they can bypass the "usual means" (regedit,
    > > taskmanager, etc) in Windows, however there are specialized tools
    > > (process viewers for example) that show hidden processes. What I meant
    > > to express is they seem to claim being able to hide from everything.
    > > (Even if an AV solution detected the very program they use as an
    > > installer.) That, I doubt.
    > >
    > >
    > > To save someone else from saying this, I'll reply to my own comment. =)
    > >
    > > > I've yet to find a rootkit, spyware, or malware that is
    > > > COMPLETELY hidden, in every aspect, from the user.
    > >
    > > Well, DUH. How could you find it if it was COMPLETELY hidden? ;)
    > > (Clarification: The user and a sysadmin that has a clue are two very
    > > different people.)
    > >
    > > --
    > > Peace. ~G
    > >
    > >
    > > On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt@systemlinux.net> wrote:
    > > > GuidoZ wrote:
    > > > > Interesting indeed. Although, I imagine this was a spam email, and I
    > > > > never believe (nor buy) anything from spam. I wonder how credible this
    > > > > really is. If there was such a way to do what they claim, don't you
    > > > > think it would have been big news? One would think you wouldn't first
    > > > > hear about it through spam.
    > > > >
    > > > It is quite possible to hide processes, reg keys and files, and is often
    > > > done by various malware.
    > > >
    > > > > Also - nice website they have. http://www.randexsoft.com Simply says:
    > > > >
    > > > > Access Forbidden -- Go away.
    > > > >
    > > > > I love a company who is customer friendly.
    > > > >
    > > > > --
    > > > > Peace. ~G
    > > > >
    > > > >
    > > > > On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image
    > > > > <xillwillx@yahoo.com> wrote:
    > > > >
    > > > >>I received this in my inbox today:
    > > > >>how long do you think this company will last?
    > > > >>
    > > > >>
    > > > >>>Date: Wed, 22 Sep 2004 19:02:44 -0400
    > > > >>>From: Jacques Tremblay <jacques.tremblay@gmail.com>
    > > > >>>To: xillwillx@yahoo.com
    > > > >>>Subject: Hide your adware from all Adware removers and Anti-viruses
    > > > >>>
    > > > >>>To: Business development manager
    > > > >>>
    > > > >>>Subject: Hide your adware from all Adware removers and Anti-viruses
    > > > >>>
    > > > >>>Hi,
    > > > >>>       Adware removers are gaining in popularity and they cause a big
    > > > >>>revenue threat to adware based businesses, as we see our software
    > > > >>>installations get uninstalled after a period of time that is shorter
    > > > >>>and shorter, we see our revenues get smaller and smaller.
    > > > >>>
    > > > >>>       Why would an honest adware based business lose revenue just
    > > > >>>because some adware remover has identified it as being something to
    > > > >>>remove ?
    > > > >>>
    > > > >>>       We believe we have the right to hide from these adware removers
    > > > >>>as long as we provide a way for the user to uninstall and that he
    > > > >>>agrees that the software will be uninstalled only with the provided
    > > > >>>uninstaller.
    > > > >>>
    > > > >>>       It is in that spirit that we created the solution to the
    > > > >>>problem :
    > > > >>>
    > > > >>>AdProtector 1.2
    > > > >>>
    > > > >>>       We have developed software capable of hiding your software from
    > > > >>>all adware removers and anti-viruses on a Windows NT/2000/2003/XP
    > > > >>>machine.
    > > > >>>
    > > > >>>       Basically we have filtered the windows kernel so that we could
    > > > >>>modify the behavior of the system itself. So now we can hide anything
    > > > >>>we want from windows.
    > > > >>>
    > > > >>>       It can :   - Hide Registry Keys
    > > > >>>                  - Hide Files
    > > > >>>                  - Hide Processes
    > > > >>>
    > > > >>>       By hiding these 3 key elements from windows, your application
    > > > >>>won't ever be detected by any adware removers.
    > > > >>>
    > > > >>>       Interesting ?
    > > > >>>
    > > > >>>       For more information or to request a Demo :
    > > > >>>  email : hexa@randexsoft.com
    > > > >>>
    > > > >>>Business is moving fast, keep ahead of the competition!
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
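GuidoZ's remark that specialized process viewers still show what Task Manager misses rests on cross-view comparison: ask the kernel the same question through two different paths and diff the answers. The following is an added example, not code from anyone in this thread; it demonstrates the principle on Linux with the /proc listing versus a kill(pid, 0) probe because that needs only the standard library, whereas on the Windows NT family discussed here the same idea pairs a Toolhelp snapshot with a brute-force OpenProcess sweep. All function names are my own.

```python
import os

def procfs_view():
    """High-level view: the PIDs ordinary tooling (ps, top) gets from /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def pid_alive(pid):
    """Low-level probe: kill(pid, 0) delivers no signal, it only asks the
    kernel whether the PID exists. EPERM still means 'exists, not yours'."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def signal_view(max_pid=None):
    """Second view of the same fact, built by probing every PID directly
    instead of trusting the directory listing."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768  # conservative fallback if pid_max is unreadable
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}

def find_hidden(high_view, low_view, tolerate=()):
    """Cross-view diff: anything the kernel admits exists (low view) but the
    listing omits (high view) is a candidate hidden process."""
    return sorted((set(low_view) - set(high_view)) - set(tolerate))

def confirm_hidden(candidates, rounds=3):
    """Re-probe candidates to weed out processes that merely started between
    the two scans; a hidden one stays alive and absent from /proc every round."""
    still = set(candidates)
    for _ in range(rounds):
        still = {p for p in still
                 if pid_alive(p) and not os.path.exists(f"/proc/{p}")}
    return sorted(still)

if __name__ == "__main__":
    suspects = find_hidden(procfs_view(), signal_view())
    print("hidden PIDs:", confirm_hidden(suspects) or "none")
```

If the hook sits below both query paths, the two views agree and the diff shows nothing, which is exactly Mike's point that a machine in an unknown state cannot verify itself.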
    
