Hidden Applications and rootkits for Windows

From: Daniel Weatherly (Daniel.Weatherly_at_REMETTRA.COM)
Date: 02/16/05

    Date:         Wed, 16 Feb 2005 08:58:34 -0600
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I am sure we have all had our rounds with spyware. I have even run up
    against the type of spyware/trojan that hides itself from the system so
    that it does not appear in any process list and it even hides from
    explorer and anything that may use the FileSystemObject to access the
    hard drive.

    While doing some research for a friend whose server had crashed I ran up
    on a couple of web sites that I thought everyone should see. Imagine
    processes and applications running on your Windows machines that cannot
    be detected by anti-virus and spyware applications. I have never seen
    this type of discussion on bugtraq before and it may not be considered a
    bug, but I feel that this topic needs some press time. It's VERY scary.

    http://weblogs.asp.net/robert_hensing/archive/2005/01/14/353156.aspx

    http://www.rootkit.com (I have not
    downloaded, nor have I used any of the applications from this web site.)

    -Daniel

    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whoever is responsible for your AV, or at least that the idea is considered.
    --
    
