Re: Removal and forensics of advanced rootkit employing Shadow Walker technology - help needed!!!
- From: "Polanski24" <infodate@xxxxxxxx>
- Date: 15 Jul 2006 08:28:26 -0700
karl levinson, mvp wrote:
> "Polanski24" <infodate@xxxxxxxx> wrote in message
> news:1152955474.459968.263370@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> Hello!
>> Last week one of my home systems was seriously compromised with a then
>> brand new and undetected Trojan-Downloader.Win32.Small.dey. I got
>> bitter credit from KasperskyLabs for discovering the malware, but they did
>> not manage to provide any solution for removing all payloads installed
>> by it. Due to fortunate errors made by the rootkit programmer, which allow
>> for easy spotting of its presence through abnormal system behaviour
>> symptoms, I could easily spot the presence of malware on the compromised system.
> Question, I'm curious what was the name of the file you submitted to
> Kaspersky?
> You're certain there's no chance the SVV could be incorrect? It doesn't
> look like there are any guarantees made with that tool. You don't have a
> similarly configured system you could run SVV against and compare the
> results, do you?
OMG
If IDT (Interrupt Descriptor Table) entry No 14 is redirected to a memory
area which has no module with executable code in it, the system should
crash with a blue screen of death at the first page fault (even without that,
since it will happen immediately after the memory manager starts running).
I would recommend reading:
"IA-32 Intel Architecture Software Developer's Manual Volume 3 -
System Programming Guide", item No 253668-16, in particular chapter 5.
And after that the Phrack #63 article on raising the bar for rootkit
detection.
rgrds
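One way to turn the point about IDT entry 14 into a concrete check, as an added example that is not code from the thread, from SVV or from the Phrack article: decode the page-fault gate from a copy of the IDT (the 8-byte gate layout is the one described in chapter 5 of the Intel manual cited above) and flag a handler whose address lies outside every known loaded module. The kernel image range, the code selector and the handler addresses are constructed sample values, not data from the compromised system.

```c
#include <stdint.h>
#include <string.h>

/* IA-32 interrupt gate, 8 bytes (Intel SDM Vol. 3, ch. 5): [0..1] offset[15:0],
 * [2..3] segment selector, [4] reserved, [5] P|DPL|type, [6..7] offset[31:16]. */
#define IDT_PAGE_FAULT 14    /* vector #PF */
#define GATE_PRESENT   0x80

typedef struct { uint32_t base, size; } module_range_t;

/* Reassemble the 32-bit handler address from a gate descriptor. */
uint32_t gate_handler_address(const uint8_t *gate) {
    uint32_t lo = gate[0] | ((uint32_t)gate[1] << 8);
    uint32_t hi = gate[6] | ((uint32_t)gate[7] << 8);
    return (hi << 16) | lo;
}

/* Encode a present, DPL0, 32-bit interrupt gate (type 0xE). */
void write_interrupt_gate(uint8_t *gate, uint32_t handler, uint16_t selector) {
    memset(gate, 0, 8);
    gate[0] = handler & 0xff;         gate[1] = (handler >> 8) & 0xff;
    gate[2] = selector & 0xff;        gate[3] = selector >> 8;
    gate[5] = GATE_PRESENT | 0x0e;
    gate[6] = (handler >> 16) & 0xff; gate[7] = (handler >> 24) & 0xff;
}

/* 1 if addr falls inside any known loaded module, else 0. */
int address_in_known_module(uint32_t addr, const module_range_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size) return 1;
    return 0;
}

/* Verdict for IDT entry 14: 0 = handler inside a known module,
 * 1 = handler outside every known module (possible hook), -1 = gate absent. */
int check_page_fault_gate(const uint8_t *idt, const module_range_t *mods, size_t n) {
    const uint8_t *gate = idt + IDT_PAGE_FAULT * 8;
    if (!(gate[5] & GATE_PRESENT)) return -1;
    return address_in_known_module(gate_handler_address(gate), mods, n) ? 0 : 1;
}

/* Constructed scenario (not real data): a 256-entry IDT whose #PF gate points
 * at `handler`, checked against one constructed kernel image range. */
int demo_check(uint32_t handler) {
    uint8_t idt[256 * 8] = {0};
    module_range_t mods[] = { { 0x80400000u, 0x00200000u } };
    write_interrupt_gate(idt + IDT_PAGE_FAULT * 8, handler, 0x0008);
    return check_page_fault_gate(idt, mods, 1);
}
```

On a live system the IDT base comes from SIDT and the module list from the kernel's loaded-module records; a handler that resolves into no module at all is exactly the condition the reply above says should not survive the first page fault, so it is worth treating as a finding rather than a glitch.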