Re: Removal and forensics of advanced rootkit employing Shadow Walker technology - help needed!!!




Karl Levinson wrote:

> ... assuming the results from the tool are accurate, hence my question.

The SVV tool is open source - please find a short blog entry on it and a link
to the source code at

http://theinvisiblethings.blogspot.com/

If you do not trust the IDT and kernel module scanning code, it's easy to
verify. I do not think that Joanna would make any flop and would
introduce major errors here.

I do not see anything esoteric in calling the SIDT assembler instruction
and then walking the IDT and comparing it to the locations of loaded modules in
system memory either. So the detected IDT redirections are trustworthy (this
was spotted at the very beginning as a "Shadow Walker" diagnostic
feature), indicating that page faults are processed by hidden code.

The name of the file submitted to Kaspersky is of no significance, as it was
loaded with www page content and activated by user action on that page.
The AV scanner simply marked it as safe ;).

rgrds

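The check described in the reply above (walk the IDT, reassemble each gate's handler address, and flag any vector whose handler lies outside every loaded module) can be shown as plain table logic. The following is an added example written for this thread; it is not SVV's code and not from any of the posters. It assumes the classic 32-bit 8-byte gate layout and uses constructed module ranges and handler addresses (the `0x804D7000`-style values are sample numbers, not real load addresses). A real scanner would read the table from the base that SIDT reports, in kernel context; here the table is built in memory so the logic runs offline.

```c
#include <stdint.h>
#include <stdio.h>

/* 32-bit IDT gate descriptor (8 bytes), the layout found at the base
   address SIDT reports. Assumed layout for this example; table is
   constructed below rather than read from the CPU. */
typedef struct {
    uint16_t offset_low;    /* handler address bits 0..15  */
    uint16_t selector;      /* code segment selector       */
    uint8_t  zero;          /* reserved                    */
    uint8_t  type_attr;     /* P, DPL, gate type           */
    uint16_t offset_high;   /* handler address bits 16..31 */
} idt_gate32_t;

/* A loaded kernel module's address range (name, base, size), as a
   walk of the loaded-module list would yield it. */
typedef struct {
    const char *name;
    uint32_t base;
    uint32_t size;
} module_range_t;

/* Reassemble the 32-bit handler address from the two halves of the gate. */
static uint32_t gate_handler(const idt_gate32_t *g) {
    return ((uint32_t)g->offset_high << 16) | g->offset_low;
}

/* Build a present, DPL0, 32-bit interrupt gate for the given handler
   (used only to construct the sample table). */
static idt_gate32_t make_gate(uint32_t handler) {
    idt_gate32_t g;
    g.offset_low  = (uint16_t)(handler & 0xFFFFu);
    g.selector    = 0x08;          /* sample kernel code selector */
    g.zero        = 0;
    g.type_attr   = 0x8E;          /* present | DPL 0 | 32-bit interrupt gate */
    g.offset_high = (uint16_t)(handler >> 16);
    return g;
}

/* Index of the module whose range contains addr, or -1 if none does.
   The subtraction form avoids overflow at the top of the address space. */
static int find_module(const module_range_t *mods, size_t nmods, uint32_t addr) {
    for (size_t i = 0; i < nmods; i++) {
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return (int)i;
    }
    return -1;
}

/* Walk the IDT: for every present gate, resolve the handler and count
   those that point outside all known modules. Flagged vector numbers
   are written to 'flagged' (up to max_flagged entries). */
static size_t scan_idt(const idt_gate32_t *idt, size_t nvec,
                       const module_range_t *mods, size_t nmods,
                       int *flagged, size_t max_flagged) {
    size_t count = 0;
    for (size_t v = 0; v < nvec; v++) {
        if (!(idt[v].type_attr & 0x80)) continue;       /* gate not present */
        uint32_t h = gate_handler(&idt[v]);
        if (find_module(mods, nmods, h) < 0) {
            if (flagged && count < max_flagged) flagged[count] = (int)v;
            count++;
        }
    }
    return count;
}

/* Constructed sample data: two module ranges and a 16-vector IDT in
   which vector 14 (#PF, the page-fault handler) has been redirected to
   an address inside no listed module. All numbers are made up. */
static const module_range_t sample_modules[] = {
    { "ntoskrnl.exe (sample)", 0x804D7000u, 0x00200000u },
    { "hal.dll (sample)",      0x806E0000u, 0x00020000u },
};

static void build_sample_idt(idt_gate32_t *idt, size_t nvec) {
    for (size_t v = 0; v < nvec; v++)
        idt[v] = make_gate(0x804E0000u + (uint32_t)v * 0x100u); /* inside sample ntoskrnl */
    idt[14] = make_gate(0xF8A12340u);                           /* #PF -> unlisted memory */
}

/* Run the scan over the sample table; returns the number of flagged vectors. */
size_t sample_scan(int *flagged, size_t max_flagged) {
    idt_gate32_t idt[16];
    build_sample_idt(idt, 16);
    return scan_idt(idt, 16, sample_modules, 2, flagged, max_flagged);
}

int main(void) {
    int flagged[16];
    size_t n = sample_scan(flagged, 16);
    printf("%zu IDT vector(s) point outside known modules\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  vector %d redirected\n", flagged[i]);
    return 0;
}
```

On the constructed table the scan reports exactly one redirected vector, number 14, which is what a page-fault hook of the kind the reply describes would look like to such a check; a legitimate table yields zero.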