[Full-disclosure] suspicion of rootkit

From: phocean <0x90@xxxxxxxxxxx>
Date: Wed, 11 Jul 2012 22:42:42 +0200

Hi list,

I am having a strange issue.
I have a lab virtual machine that behaves as if it was owned by a rootkit: weird behavior with system certificates and keyboard driver.
I first thought that with this knowledge it would be easy to spot the culprit: find some malicious driver or some kernel hook. But I failed...

The problem is I have tried both live and RAM analysis (Volatility) and found absolutely nothing unusual.

I am not an expert of Windows internals, so I am probably missing something.
Could you please give me some hint or point me to some resource? (I have the book Windows Internals, but still I don't see how to start with this mess).

More details are on my blog.

Thanks,

--- phocean

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] suspicion of rootkit
  - From: valdis . kletnieks

Prev by Date: Re: [Full-disclosure] How much time is appropriate for fixing
Next by Date: Re: [Full-disclosure] suspicion of rootkit
Previous by thread: [Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Multipoint Switch
Next by thread: Re: [Full-disclosure] suspicion of rootkit
Index(es):
- Date
- Thread