
(Son of) Worst Trojan on the Net


39 replies to this topic

#1 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 23 February 2005 - 04:16 PM

The RSA Security Conference 2005 just wrapped up last week in San Francisco. Forum members should be *delighted* to note that two researchers from the world's largest software company, M$, made utter fools of themselves at this presentation:

Hackers & Threats II - HT2-101
Detecting and Removing Rootkits in Windows

http://2005.rsaconfe...o.aspx?id=10068


Apparently, that NUTTY Swami even has the MS Security Solutions Group researchers fooled! Don't they know this is just an urban myth and the SpywareInfo thread has already been closed? For cryin' out loud, it's IMAGINARY! ComputerWorld ends up playing out this colossal hoax even further and publishes this (can you believe it??):

http://www.computerw...1,99843,00.html

RSA: Microsoft on 'rootkits': Be afraid, be very afraid
Rootkits are a new generation of powerful system-monitoring programs
News Story by Paul Roberts

FEBRUARY 17, 2005 (IDG NEWS SERVICE) - Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals.


and a few paragraphs later in the article, go on to claim:

...The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products, the researchers said...


Our friends across the pond are quick to fall into Swami's web of deception [sigh]. The Inquirer perpetuates this myth by adding this quote from the same researcher in their version:

http://www.theinquir.../?article=21326

Microsoft warns of future security danger
Kernel Rootkits could be the next bad thing
By Nick Farrell: Friday 18 February 2005, 08:25

Newer rootkits can intercept system calls that are passed to the kernel and filter out queries generated by the software. This makes them invisible to administrators and to detection tools, says Danseglio.



Hey... that's not supposed to be possible, is it? Well, I certainly hope 1) they have a proof-of-concept example or 2) have samples from the wild. Otherwise, they will get the trouncing they so rightly deserve from this forum for causing unnecessary panic. What if some newb reads that article?? Well, not to worry, because the article goes on to explain how Microsoft has found the cure:

Microsoft researchers have developed a tool, named "Strider Ghostbuster" that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences.


It must be some kind of top secret tool reverse engineered from the Roswell crash. What else could possibly remove an imaginary virus? Apparently, Microsoft has been wasting time on this hoax for a while! Jeez... don't they read SpywareInfo? They have an invisible detection tool (adjust your monitor as necessary) as well as more imaginary references here:

http://research.microsoft.com/rootkit/

Oh... it's just WinDiff. Well, it might be an alien WinDiff! But HEY - won't they be embarrassed when they find what stooges they've been? [GOOD one, Swami!] Not only that, but check out this little tidbit from their web page:

...Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.

WHAT?? Stealth software that hides in BIOS?? Oh come ON! [chuckle] Won't these guys ever quit? They actually have the audacity to suggest that this 'software' or whatever already exists right now.


Hats off to you, Swami, wherever you are.


Me? I'm headin' back to my imaginary crack pipe... Elvis is haulin' his fat butt over here in his black helicopter and he is the worst pilot ever. I prefer not to be lucid for the ordeal, but (supposedly) he's bringing a couple of three-armed alien chicks and... well, now I'm just rambling... sorry.

#2 Swandog46

Swandog46

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 10,190 posts

Posted 23 February 2005 - 06:08 PM

Are you trying to suggest that rootkits are not a problem, or that they can be easily removed by most known tools? Trust me: they are real, and although there are methods to deal with them (some better than others depending on the design), they can be a real mess to clean up. Hacker Defender is horrendous; Narrator recently has become almost as bad. What are you trying to say?

Edited by Swandog46, 23 February 2005 - 06:09 PM.


#3 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 23 February 2005 - 10:36 PM

Having personally removed several rootkits, including hackerdefender, as well as having several in my virus collection, I can assure you that rootkits are not a myth. These parasites do exist, not as prototypes or zoo infections, but in the wild. They can hide themselves from detection and they can be a nightmare to remove.

Here are just a few samples of posts from this forum that involve rootkit infections:
http://forums.spywar...showtopic=28065
http://forums.spywar...showtopic=37867
http://forums.spywar...p?showtopic=332
http://forums.spywar...showtopic=12619

#4 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 24 February 2005 - 02:01 AM

And this has what to do with the epic spyware thread?

#5 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,291 posts

Posted 24 February 2005 - 02:23 AM

Since we're on the topic of rootkits now, I thought this might be a nice piece of news:

http://www.sysintern...kitreveal.shtml

SysInternals has released a rootkit revealer.
Useful Software: Kaspersky (https://www.kaspersky.com), Housecall Trendmicro (https://housecall.trendmicro.com/), a2 free edition (https://www.emsisoft.com), Kerio Personal Firewall (https://www.kerio.com), Ad-aware SE (https://www.lavasoftusa.com), Spybot S&D (https://security.kolla.de), HJT (https://www.merijn.org/files/hijackthis.zip), CWShredder (https://www.cwshredder.net), MVPS HOSTS file by WinHelp2002 (https://www.mvps.org/winhelp2002/hosts.htm), IE-SPYAD by eburger68 (https://netfiles.uiuc.edu/ehowes/www/resource.htm), Spywareguard and Spywareblaster (https://www.javacoolsoftware.com/), Winpatrol (https://www.winpatrol.com), Mozilla & Firefox (https://www.mozilla.org)

#6 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,291 posts

Posted 24 February 2005 - 02:40 AM

Can a helper, TA, mod or admin test this tool and post the results at Boot Camp?

#7 Paranoid

Paranoid

    Forum Deity

  • Full Member
  • PipPipPipPipPip
  • 533 posts

Posted 24 February 2005 - 06:38 AM

Rootkits are real.

Some of the things they postulate are theoretical of course, similar to the things that Swami said infected him. That's why the thread lasted so long, because it was not impossible.

I haven't read all the links, did the researchers actually mention this thread?
Please note that the software I recommend above is entirely based on only my own experience and testing. In no way should my comments, opinions and endorsements be construed as an endorsement by the forum, nor do they reflect the advice or recommendations by the experts or helpers at spywareinfo.


#8 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 24 February 2005 - 09:09 AM

Can a helper, TA, mod or admin test this tool and post the results at Boot Camp?


I posted info on this program's release yesterday here. I would be willing to test this program on a rootkit and post the results at Boot Camp. It might take a few days though, I boxed up my test system and put it in storage a few weeks ago.

One of the best detection methods that I have found is to use an antivirus software from a boot disk or rescue environment.

Edited by Trilobite, 24 February 2005 - 09:15 AM.


#9 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 25 February 2005 - 02:11 AM

Yeah, rootkits are real, and have been for some time.
But whether the supposed infection was a rootkit or not is pretty much irrelevant, as a simple reinstall would get rid of such.

But the interesting aspect of the original epic thread was the (re)infection vector. In that regard, there were some very interesting posts made about hidden harddisk partitions, assembler code, flash storage, and IRQ redirects.

Swami claimed that his machine was reinfected even after he physically replaced the harddrive. That was what made the discussion interesting :)

#10 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,291 posts

Posted 25 February 2005 - 07:21 AM

I have never seen spyware that does that, although I know that there are viruses like that. I think these viruses are those from floppy disks only.

#11 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,758 posts

Posted 25 February 2005 - 11:02 PM

Don't place any bets on that. I've seen some that got installed through e-mails that a family member sent.

It's arguable that Spector could be considered a rootkit and keylogger, since it runs as a hidden NT service.
Signature file is under revision. This will be back shortly.

#12 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,291 posts

Posted 26 February 2005 - 03:22 AM

Then if there are any such worms spreading using vulnerabilities that can be exploited automatically without user interaction, then what can we do?

I'm not talking about rootkits here, I'm talking about the virus that infects hardware. How does it do that?

Edited by LostAccount, 26 February 2005 - 03:24 AM.


#13 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 26 February 2005 - 05:02 AM

I can't believe that malware is capable of causing PHYSICAL damage to any hardware component.
Malware programs don't have a hammer or a screw driver.

Destroying DATA on a hardware component is something else:
- wipe out a BIOS chip
- format a harddisk
- change software settings for hardware components
- remove drivers
- ...
is always possible, but that is software not hardware.

How do they do it? Beats me. Only the source code of a malware program can tell you that, and who has the source code?
The malware writer.

Edited by ErikAlbert, 26 February 2005 - 05:15 AM.

ErikAlbert
Simplicity is always brilliant.

#14 Paranoid

Paranoid

    Forum Deity

  • Full Member
  • PipPipPipPipPip
  • 533 posts

Posted 26 February 2005 - 06:46 AM

Then if there are any such worms spreading using vulnerabilities that can be exploited automatically without user interaction, then what can we do?



Then you are dead.

Seriously, that's why you need to stay alert, keep on top of patches, run sandboxes, checksum important files etc. That is, if you are paranoid.
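Paranoid's "checksum important files" is the cheapest of those defences to put in place. This is an added example, not code from the forum or from any tool it names: it records a SHA-256 baseline of a directory tree and later reports files that were modified, added or removed. demo() builds a throwaway tree in a temporary directory, so every path and file content in it is constructed; point build_baseline at a real system directory to use it for real. As Trilobite notes above, the check is only trustworthy when the baseline and the later scan are taken from a boot disk or rescue environment, because a rootkit that hooks the file APIs can hand a checker the original bytes while the on-disk copy is altered.

```python
"""File-integrity baseline check (added example, not the forum's code)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot smuggle
    an unrelated file into the baseline.
    """
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Return sorted lists of modified, added and removed relative paths."""
    return {
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"original service binary")
        (root / "bin" / "helper.dll").write_bytes(b"helper library")
        (root / "config.ini").write_text("mode=safe\n")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was recorded (constructed).
        (root / "bin" / "service.exe").write_bytes(b"patched service binary")  # modified
        (root / "bin" / "loader.sys").write_bytes(b"unexpected new driver")    # added
        (root / "config.ini").unlink()                                         # removed

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) if paths else '-'}")
```

Store the baseline somewhere the running system cannot write to (removable media, a read-only share) or the same malware that alters a file can also rewrite the hash you compare it against.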


#15 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 28 February 2005 - 03:21 AM

I'm talking about the virus that infects hardware. How does it do that?


All malware is memory resident.
Usually that memory is offline storage, and usually that offline storage is a harddrive, but it doesn't have to be.

If you know how to add and retrieve data from a specific type of memory, you can use it to store information, even if that is firmware memory on your bios, gfx card, or usb camera.

Luckily for us, companies tend to develop their own standards for non-harddrive offline memory, which has the following implications:

1. Whoever wants to store something has to be familiar with the standard.

2. Whatever program module is developed for accessing that memory will only work for that specific type of memory.

3. Thus you get things like a virus that only infects a specific type of gfx card, which makes it of limited use to the asshats who wrote it.

4. If you are unlucky enough to get infected with something like this, and the hardware provider doesn't have a solution, few people will be able to help you.
In fact, the cheapest solution may be to dump the infected hardware.

5. Of course, if something like this ever became common for malware, anti-malware companies would be on the case in a jiffy.

#16 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 28 February 2005 - 06:07 AM

So any technical expert, who has been fired in a hardware company, can become a potential malware writer to wipe out non-harddrive offline memory (like chips) for that specific hardware brand, if he is revengeful enough.
Am I right about this?

Edited by ErikAlbert, 28 February 2005 - 06:11 AM.


#17 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 28 February 2005 - 06:21 AM

So any technical expert, who has been fired in a hardware company, can become a potential malware writer to wipe out non-harddrive offline memory (like chips) for that specific hardware brand, if he is revengeful enough.
Am I right about this?


Nope, it's even worse than you think.
Anyone with a university degree in computer engineering can do this, if they are willing to spend the necessary time on it.

#18 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 28 February 2005 - 07:26 AM

Nope, it's even worse than you think.
Anyone with a university degree in computer engineering can do this, if they are willing to spend the necessary time on it.

Very depressing news, and most malware writers are students, according to my readings. Pfffff.

Is there any good news at all at SWI, besides a new forum server? I read nothing but bad news here.
I'm glad my Warn Meter is still zero (Thanks cnm!), otherwise I would be even more depressed.

#19 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 28 February 2005 - 08:07 AM

I wouldn't worry too much, if I were you.

Reverse engineering takes a lot of time and resources.
Why would a malware writer spend time and money on something like that, when he could at best hope to infect a few percent of the world's PCs?

Much easier to create something that is OS dependent, and much better return on the investment too.

Also consider how few serious malware writers you hear about.
Except for coolwebsearch, and a few others, how much malware takes more than a few minutes to remove?

We are not dealing with evil geniuses.
More like a horde of cockroaches...

Edited by Misereor, 28 February 2005 - 08:09 AM.


#20 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,758 posts

Posted 28 February 2005 - 08:09 PM

You may want to look up the CIH (Chernobyl) virus. It's listed as W32.CIH or W32.Chernobyl. It was able to physically ruin components as well as completely destroying data on drives.

I don't know what happened to the guy who wrote it - Cheng Ing-Hau - but hopefully, he's in prison now.

#21 ErikAlbert

ErikAlbert

    Typical User

  • Full Member
  • PipPipPipPipPip
  • 787 posts

Posted 01 March 2005 - 12:44 AM

Tuxedo Jack,
Source: http://www.getvirush...rnobyl/info.ssi

Once infected the virus does two things. First, it overwrites and deletes data on your hard disk. It's only a matter of time before it hits the computer's master boot sector making all data inaccessible. Second, it tries to rewrite the computer's ROM BIOS completely crippling the computer and potentially destroying the chip altogether.

Is a chip without data physically damaged? No, but it doesn't work anymore.
Put the data back in the chip and the chip works again.
Is a car without gas physically damaged? No, but it doesn't drive anymore.
Put the gas back in the car and the car drives again.
It all depends on which solution is the cheapest: buy a new chip or recover the chip.

I admit that I would be completely lost if I ever meet such a virus, but that is a matter of bad luck. If it happens, I live with it and I accept it like any other bad thing in my life.

BTW, according to my readings, the writer was never punished, because there was never an official complaint. He said he was sorry and even helped victims to recover their computers. (The later "Kriz virus" was based on the "Chernobyl Virus".)
I didn't search too long to find any other info about him, because the guy bores me.
In my opinion, he should have been convicted and made to pay for all the damage he caused, as a warning for other malware writers. In Belgium they probably would have punished him with an attachment of wages to pay off the damage for life.

#22 iCQ

iCQ

    Member

  • New Member
  • Pip
  • 1 posts

Posted 01 March 2005 - 02:40 AM

So any technical expert, who has been fired in a hardware company, can become a potential malware writer to wipe out non-harddrive offline memory (like chips) for that specific hardware brand, if he is revengeful enough.
Am I right about this?


Nope, it's even worse than you think.
Anyone with a university degree in computer engineering can do this, if they are willing to spend the necessary time on it.



Exactly... now I have to admit I did not run into any of these kinds of malware in the last 5 years... but I sure have seen these kinds of techniques being used years ago!!!!

It is quite simple... it is technically possible... if things are technically possible then they WILL BE, or let's say ARE BEING, done or used!

One should not think directly about silly tards who want to spy on your PC for commercial activities/reasons. But u will most likely find these things in cases that involve international business spying, military use, advanced organized criminality and such things.

I have to disappoint you; I cannot prove or back up these claims. But you can do that yourself! Open your eyes and your mind. Take a little asm course (machine code/core programming language) and find the power that many have had for MANY YEARS. Google may help u in your quest for finding proof. Anyhow, what u need proof for beats me. If u do not believe it, it only means u don't know how IT works, which is in its turn: QUITE ACCEPTABLE :p

I wouldn't worry if you are not a real potential 'target'...

Edited by iCQ, 01 March 2005 - 03:08 AM.


#23 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 01 March 2005 - 04:19 AM

One should not think directly about silly tards who want to spy on your PC for commercial activities/reasons. But u will most likely find these things in cases that involve international business spying, military use, advanced organized criminality and such things.



Something like that.

The keyword being "Return On Investment".
Even if something is possible, no one will be willing to pay the price, unless they think they are going to come out ahead in some sense, neh?

In fact, Joe from the local diner could probably kill the president.
The question is if he would be willing to pay the price?


At this time, social engineering is much more profitable than super malware.
Why spend a million bucks on developing a super trojan to get access to your competitors business data, when you can pay one of their key employees 50,000 to deliver it in a gift wrapping?


If something is possible, then every once in a while someone will get "hit", but that is no different from crossing a street.

Sh*t happens, but as long as it doesn't inconvenience the community too much, life goes on... :)

Edited by Misereor, 01 March 2005 - 04:24 AM.


#24 Trilobite

Trilobite

    Malware Hunter

  • Trusted Advisor
  • PipPipPipPipPip
  • 711 posts

Posted 01 March 2005 - 04:13 PM

Can a helper, TA, mod or admin test this tool and post the results at Boot Camp?


Done.

For those who do not have access to boot camp, here's a quick synopsis of the results.
Sysinternals' rootkit detector appears to work. It identifies registry entries, files and folders that are hidden by rootkits as well as those hidden by Windows.
However, Sysinternals' rootkit detector will not remove rootkit files, folders or registry entries, and it will not identify all of the rootkit's components (apparently it only identifies the hidden components).
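Trilobite's synopsis above, and the Strider Ghostbuster description quoted in the first post, both rest on the same cross-view idea: enumerate the system once through the normal API, once through a path the rootkit cannot filter (a raw disk and hive parse, or a scan from a clean boot), and report what only the raw view shows. The following is an added example, not code from RootkitRevealer, Strider Ghostbuster or any poster in this thread: the two views, the allowlist and every path and key name in them are constructed sample data, and a real tool would replace them with a live API listing and an independent low-level enumeration.

```python
"""Cross-view hidden-object detection (added example, constructed data)."""
from typing import Dict, List, Set

# Constructed allowlist of objects Windows hides by design. NTFS metadata
# files are the usual benign "hidden" entries a raw disk parse turns up.
KNOWN_BENIGN_HIDDEN: Set[str] = {r"C:\$MFT", r"C:\$LogFile", r"C:\$Bitmap"}

# Constructed high-level view: what a process sees through the normal
# file-enumeration and registry APIs, i.e. after any hook has filtered it.
API_VIEW: Dict[str, Set[str]] = {
    "files": {
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\ntdll.dll",
        r"C:\Windows\notepad.exe",
    },
    "registry": {
        r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache",
    },
}

# Constructed low-level view: a raw parse of the same volume and hives that
# bypasses the API layer. The two extra entries are placeholders, not real
# malware names.
RAW_VIEW: Dict[str, Set[str]] = {
    "files": API_VIEW["files"] | {
        r"C:\$MFT",                                 # benign: NTFS metadata
        r"C:\Windows\System32\hidden-driver.sys",   # constructed suspect entry
    },
    "registry": API_VIEW["registry"] | {
        r"HKLM\SYSTEM\CurrentControlSet\Services\HiddenSvc",  # constructed suspect entry
    },
}


def cross_view_diff(
    api_view: Dict[str, Set[str]],
    raw_view: Dict[str, Set[str]],
    benign: Set[str] = KNOWN_BENIGN_HIDDEN,
) -> Dict[str, Dict[str, List[str]]]:
    """Compare the two views per category and classify every discrepancy.

    suspect: in the raw view, missing from the API view, not allowlisted
    benign:  in the raw view, missing from the API view, allowlisted
    phantom: in the API view but absent from the raw view; reported because
             any disagreement between the views deserves a look
    """
    report: Dict[str, Dict[str, List[str]]] = {}
    for category in sorted(set(api_view) | set(raw_view)):
        api = api_view.get(category, set())
        raw = raw_view.get(category, set())
        hidden = raw - api
        report[category] = {
            "suspect": sorted(hidden - benign),
            "benign": sorted(hidden & benign),
            "phantom": sorted(api - raw),
        }
    return report


def has_findings(report: Dict[str, Dict[str, List[str]]]) -> bool:
    """True when any category has a suspect or phantom entry."""
    return any(rows["suspect"] or rows["phantom"] for rows in report.values())


if __name__ == "__main__":
    result = cross_view_diff(API_VIEW, RAW_VIEW)
    for category, rows in result.items():
        for kind in ("suspect", "benign", "phantom"):
            for entry in rows[kind]:
                print(f"{category:8} {kind:8} {entry}")
```

The allowlist is what separates "hidden by Windows" from "hidden by something else", the distinction the post says the tool leaves to you; without it every NTFS metadata file shows up as a finding. Like the tool, this only identifies hidden objects and removes nothing, and it sees only what is actually hidden: components a rootkit leaves visible pass straight through.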

#25 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 02 March 2005 - 01:26 AM

Sysinternals' rootkit detector appears to work.



Sure... for the rootkits of yesteryear. Grandpappy and the Smithsonian will both be thrilled that they can now detect that ol' nugget "Hacker Defender" in their archived copies of Windows ME.

It identifies registry entries, files and folders that are hidden by rootkits as well as those hidden by Windows.


As well as? I guess in the same sense that HijackThis identifies malicious registry entries 'as well as' a few regular Windows values. You'll also see how Norton loves to hide some of their stuff. Daemon tools hides its driver; VFD; Real Player, etc. Better start the "Post your Rootkit Detector logs HERE" forum to sift through the pages of suspicious info. It's better than nothing I guess, but...

Granted, some script kiddies might be too lazy to download one of the various true memory-only kernel mode rootkits with out of band file structures. (Which would be the newer ones that CoolWebSearch will likely pay to have developed for their next 'marketing campaign'). Signatures for older process API-hooking rootkits that hide files and registry keys, such as Backdoor.HackerDefender (NAV naming), are already scanned for at the disk level in many AV programs today. Those older 'rootkits' (which hardly qualify as such - more like 'file list/reg key filters') are not the ones the MSSS researchers were warning about at the conference.

FU is just the tip of the iceberg on current rootkit development. As long as companies can continue to profit off of CoolWebSearch-type software, there will be plenty of new laptops and hard cash waiting for malware developers. And all they do is figure out ways to avoid detection - no spyware outfit is going to pay them for dusting off an old API-hooker like HackerDefender.

I hope another Dutch grad student is working on a solution (for free, in their spare time, etc.) to save us.

#26 Swami

Swami

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 24 March 2005 - 07:12 PM

Longtime no hear from ...eh?

I assure you that rootkits are real ... I didn't mean to start a panic in the community, but what I had was real and inevitably defeated me in the end. I have since realised where it came from and what it is, and I will be able to avoid it in the future.
But the hidden legacy drivers, BIOS infection, ramdisk image, and the "Host Protected Area" on the hard drive that was password protected and contained a bootloader were all very real events.

Automatic adjustment of host protected area by BIOS

A method that adjusts the host protected area of a hard disk drive automatically using BIOS during power on self test (POST) by adjusting the start address of the host protected area of the hard disk drive and all service entries in the directory of services. Host protected area physical disk addresses are automatically adjusted by the BIOS when the hard disk drive has a different location from the host protected area used to create the source image of the data placed in the host protected area of the hard disk drive.


Even BIOS makers are looking to make money off of companies who want to embed their software into the BIOS and then onto the HPA (Host Protected Area)
http://www.phoenix.c...ISV Partner.htm

Go read about the technology behind Co-Linux and you have a pretty good idea of how this particular thing worked. Linux compiled password protected kernel level rootkits running in Windows is the future ... believe it. -
http://www.colinux.org/
http://wiki.colinux....-bin/coLinuxFAQ

I have read a lot of negative comments about my original post and about me personally and have decided not to be baited into some flamewar.
I only related my experience to maybe help some others ... I'm sorry to anyone who came away a non-believer - please accept this lovely parting gift (my post) and may 1,000 fleas nest in your armpits. :rofl:

Swami

Edited by Swami, 24 March 2005 - 09:12 PM.


#27 ThisSideTowardsEnemy

ThisSideTowardsEnemy

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 25 March 2005 - 12:17 AM

SWAMI! They almost had me convinced you didn't exist.

Longtime no hear from ...eh?

I assure you that rootkits are real ...

I hope you understand that I was being sarcastic when I made the title post on this thread. It was in response to the skeptics on your original thread that started going on about 'their' doubts and how 'they' wouldn't believe it until someone could prove that it existed and the AV co.'s would be all over it already and blah blah blah.

Which, of course, anyone would have every right to do in a public forum IF the context had specifically been a general discussion about the possibility of 'mysterious, non-AV detectable viruses'.

It wasn't.

That doesn't mean someone shouldn't question things they read here, but the context clearly was a few people trying to help each other figure out what kind of virus or whatever was causing the problem. I would expect reasonable people to ask, "...but how could that be?" On the other hand, it's irritating to have to deal with an extremely complex, frustrating problem and have to carry on a side debate asking for proof that it exists.

Critical thinking? Yes... but that doesn't mean standing up half way through a movie and announcing your critique for the audience's benefit "...because they might not understand what they're seeing."

I have read a lot of negative comments about my original post and about me personally and have decided not to be baited into some flamewar.
I only related my experience to maybe help some others ...

Which is the really sad part about this whole topic. How unbearable can it be to offer the simple courtesy of assuming a poster is sincere?

At any rate, Swami, I'm sure you ended up helping a lot of people that read your original thread. There's some consolation (for me, anyways) in knowing that I'm not the only one...

#28 Swami

Swami

    Member

  • Full Member
  • Pip
  • 31 posts

Posted 25 March 2005 - 01:02 PM

I just wanted to check back in yesterday ... i had been away the last year or so with my own health problems (not a rootkit :D) - I hold no grudges towards anyone, life is too short.

I know it's a fantastic story to believe without any proof (which i really didn't have) but how do you take a picture of the invisible man? I would like to clear up some things that i have learned since my original posting about that infection.

It didn't come from the download i was doing, or the website i connected with.
Kaspersky going off was just an unrelated coincidence ... yes that site did try to slam me, but was stopped by Kaspersky.
But that is the event that got me looking into my files and eventually stumbling across this rootkit. At the time i had limited access to my system (thanks to mr. rootkit) and could never really get to the bottom of it.

Bottom line is I was using a pirated version of XP :whistle: ... apparently given to the world by its creator as a gift ... with a good reason.
This version (copy) has a built-in rootkit (slipstreamed in, I imagine) ... so thus the re-infection over and over, and why nothing could ever find it. The OS itself is the rootkit, but looked upon as trusted OS files by potential scanners - which someone had mentioned in the original post, that it sounded like infected installation discs to them (that was a good call).

I originally discounted that after buying a clean XP Pro and having it do the same thing - it was in fact clean, but had gotten infected from my pre-infected system during install somehow (be it BIOS, ramdisk, HPA, firmware, Elvis - who knows), which gave me the feeling of "There is No Escape and There will be No Survivors". I was desperation personified.

It took a lot of time, money, and trial & error to get it the hell away from me, and I'm sorry for being an alarmist. In the final analysis it was my own fault for running known pirated software, and it's a lesson well learned.


Swami

#29 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 29 March 2005 - 01:07 PM

which someone had mentioned in the original post that it sounded like infected installation discs to them (that was a good call).


Hah! Damn straight, baby! (and by page 2 no less :lol: )
Actually, I figured you had discovered an embarrassingly simple cause for the problem, and that was why you didn't show your face again, but the discussion was just too interesting to let go...

So did you get positive confirmation of the reinfection vector?

#30 Systems_Fatal_Error

Systems_Fatal_Error

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 09 April 2005 - 07:40 PM

Well, I hate to inform you "above thinking outside the box people" but it is true. I myself got infected after switching to broadband. I replaced my motherboard with a new one, an Asus A8N-SLI Deluxe, Kingston 512 400 MHz DDR RAM (2 sticks), a new ATI X800 series PCI Express graphics card and a brand new HD, and upon installing them all, bam... same problem existed... now in my BIOS it lists under hard drive boot devices my normal HD and a new "bootable add-in cards". I fried ram dick by removing the HD while Windows was up and running, reflashed the BIOS, removed the RAM sticks and all drives... removed the BIOS battery, then plugged them all back in after 15 minutes and it helped my system some, but it is still sending data in and out at 43-75% on the network, without a single program being open that uses the net for anything. I also get connections under netstat like akamaitechnologies and reverse.the.com, and that's with them blocked in my hosts file, and if you don't believe me I'll gladly send anyone my exe2bin file to prove it. I know that's not the dropper file, but I can't, nor can 64 antivirus programs, find the dropper file; it did once and only once detect the exe2bin file as a troj.gl.small virus, then... never detected it again, but it's still happening. I'm not one to make up stories, as I have no need to; I'd rather spend my time playing online games with the broadband connection I paid for instead of posting bogus entries on a help forum. Oh and btw, if you check out the posts created under my name you'll notice I posted about the problem a few days ago, BEFORE I even found the forum with another user having the same problem... which means I'm not even just going on by what he said... in fact I even make note after my first 2 posts that I found a forum where someone else had it... and if you don't think it's real after that... it's your loss. When you do get it and it costs you over 800 bucks and you're still infected, you'd have wished you had listened to us.

Edited by Systems_Fatal_Error, 09 April 2005 - 07:51 PM.

The Internet is but a playground for the elite and the weak, much as life itself, which are you?

#31 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,291 posts

Posted 10 April 2005 - 04:52 AM

i also get connections under netstat like akamaitechnologies, and reverse.the.com


Both sites are legitimate... not sure how it comes up here, eh?

Can you give us other symptoms? It would be great to know more about this new "malware"...

i fried ram dick


Check your spelling and grammar please... I take it you meant RAM disk...

Edited by LostAccount, 10 April 2005 - 05:09 AM.

Useful Software: Kaspersky (https://www.kaspersky.com), Housecall Trendmicro (https://housecall.trendmicro.com/), a2 free edition (https://www.emsisoft.com), Kerio Personal Firewall (https://www.kerio.com), Ad-aware SE (https://www.lavasoftusa.com), Spybot S&D (https://security.kolla.de), HJT (https://www.merijn.org/files/hijackthis.zip), CWShredder (https://www.cwshredder.net), MVPS HOSTS file by WinHelp2002 (https://www.mvps.org/winhelp2002/hosts.htm), IE-SPYAD by eburger68 (https://netfiles.uiuc.edu/ehowes/www/resource.htm), Spywareguard and Spywareblaster (https://www.javacoolsoftware.com/), Winpatrol (https://www.winpatrol.com), Mozilla & Firefox (https://www.mozilla.org)

#32 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,291 posts

Posted 10 April 2005 - 05:13 AM

Can all those who talked about this "hardware malware" state what they believe their source of infection was?

If it came from another piece of hardware (floppies), then usually there's no reason to panic. But I'll be worried if it came from the Internet...

Edited by LostAccount, 10 April 2005 - 07:59 AM.


#33 Systems_Fatal_Error

Systems_Fatal_Error

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 10 April 2005 - 07:36 AM

OK, here's a list of everything it has done to my PC.

1. Added in BIOS under hard disks "hard drive" "Bootable add-in cards". NOT THERE WHEN I FIRST TURNED NEW BOARD ON.

2. It has disabled my floppy drive entirely, disallowing a low level format or complete master boot record refresh, aka restoring dick back to factory as it was when I bought it.

3. It disabled my onboard network and I'm having to use a PCI card to use my net.

4. I'm running Sygate firewall, and the incoming light lights up about every 5 seconds and says anywhere from 120-380 KB is being downloaded, but my network is NOT lighting up, showing the connection as being used.

5. It has disabled CD-ROM drives from being able to locate any .bin files from DOS, aka putting a fresh BIOS flash onto the BIOS from a system disk.

6. It took over several system files; when I go to DOS and type in delete c: and hit y for yes, it says "msdos.sys, Io.sys, netdetect.com, Ntldr" "access is denied", aka infected and probably password protected to keep Windows from being able to wipe them from the drive.

7. I've run all kinds of network tracing programs, and none are detecting where this info is coming from.

8. It has taken over my exe2bin file, therefore allowing it to write malicious code to .bin files as I'm flashing the BIOS in Windows.

9. Lastly, I know there's a virus because, as I said, I couldn't be lagging in UNREAL with the setup I'm running, no possible way.


If any further info is needed I'll get it for you.

Thanks for not calling me a nut case, or discounting that this thing isn't real.
I assure you it is.

P.S. LostAccount, it DID come from the internet, because of all the disks I've ever used, I didn't have this problem till a few weeks ago: no borrowed disk usage, no pirated copies of ANY software. It came possibly from a website that had this thing either embedded into an invisible image file, or some ActiveX passing itself off to my system as authentic "by means of certificate spoofing". And I did mean RAM disk, not ram dick, sorry.

Edited by Systems_Fatal_Error, 10 April 2005 - 07:52 AM.


#34 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,291 posts

Posted 10 April 2005 - 07:58 AM

Thank you for that prompt reply...

Whew... what a horrible thing the malware is... :(

Let's all hope that new PCs will be granted protection against this type of malware.

#35 Systems_Fatal_Error

Systems_Fatal_Error

    Member

  • Full Member
  • Pip
  • 25 posts

Posted 10 April 2005 - 08:11 AM

You're very welcome. I sent suspicious files, and files I personally know to be affected, to Trend Micro, and they don't even know what this thing is, or where to start to kill it... you're right, it is scary. Someone with that kind of talent, imagine if they worked for the government how much money they could make, making controlled-environment info-sniffing viruses and programs to spy on our enemies... but a lot on here seem to think it's a hoax, and even Microsoft called it a hoax, but I sent the file to them as well. I hope some little MIT punk used one of their network computers to analyze it and got their entire network; no one seems to listen until it's too late.

#36 dave38

dave38

    Devout Murphyite!

  • Retired Staff
  • PipPipPipPipPip
  • 8,508 posts

Posted 16 April 2005 - 04:05 PM

msdos.sys, Io.sys, netdetect.com, Ntldr"


These are system files, with the hidden, system and read-only flags set.
What makes you think they are infected?
The fact that you cannot delete them is NOT evidence of infection. It is the method used by Windows to protect vital system files from deletion.

As your list included ntldr, you are running WinXP. This is, most probably, with the NTFS filesystem, and therefore you could not have been using DOS, but booting to a command prompt, which is not the same thing.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
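As an added example (not code from the thread or any of its posters), this PowerShell script performs the check dave38's point implies: it reads the attributes of the boot files named in the post, shows that the ReadOnly/Hidden/System set is what makes deletion fail, and hashes each file so it can be compared with a copy from trusted install media. Assumptions: an elevated PowerShell on the affected machine, the placeholder path D:\i386 for the media copies, the real XP loader file ntdetect.com (the post spells it netdetect.com), and io.sys/msdos.sys being DOS-era files that XP itself does not need.

```powershell
# Added example, not from the thread. Reports attributes, owner and SHA-256 of the
# boot files a poster believed were "infected" because deletion was denied.
$SystemDrive  = $env:SystemDrive + '\'
$BootFiles    = 'ntldr', 'ntdetect.com', 'io.sys', 'msdos.sys'
# Placeholder: folder holding clean copies of these files, e.g. the i386 folder
# of the original installation CD. Adjust to your own trusted media.
$KnownGoodDir = 'D:\i386'

function Get-Sha256Hex {
    param([string]$Path)
    # Hash via .NET so this also runs on PowerShell versions without Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close(); $sha.Clear() }
}

function Test-BootFile {
    param([string]$Name)
    $path = Join-Path $SystemDrive $Name
    # -Force is required; without it Get-Item silently skips hidden/system files.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return "$Name`tabsent (io.sys/msdos.sys are DOS files XP does not require)" }

    $attrs    = $item.Attributes
    $expected = [System.IO.FileAttributes]'ReadOnly, Hidden, System'
    $hasRHS   = (($attrs -band $expected) -eq $expected)
    $owner    = (Get-Acl -LiteralPath $path).Owner
    $hash     = Get-Sha256Hex $path

    # ReadOnly+Hidden+System is the normal state; "access is denied" on delete follows from it.
    $verdict = if ($hasRHS) { 'attributes as expected; deletion being denied is normal' }
               else         { 'attributes differ from the usual RHS set; inspect further' }

    # Compare against the trusted copy when one is available. A mismatch is not proof
    # of tampering: service packs and hotfixes replace ntldr/ntdetect.com too.
    $ref = Join-Path $KnownGoodDir $Name
    if (Test-Path -LiteralPath $ref) {
        if ((Get-Sha256Hex $ref) -eq $hash) { $verdict += '; matches install-media copy' }
        else { $verdict += '; DIFFERS from install-media copy (updated file, or worth a closer look)' }
    }
    "$Name`t$attrs`towner=$owner`tsha256=$hash`t$verdict"
}

$BootFiles | ForEach-Object { Test-BootFile $_ }
```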

#37 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,291 posts

Posted 17 April 2005 - 09:38 AM

I thought all Windows XP systems (regardless of their file systems) cannot boot into DOS.

#38 LostAccount

LostAccount

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,291 posts

Posted 17 April 2005 - 09:44 AM

6. It took over several system files; when I go to DOS and type in delete c: and hit y for yes, it says "msdos.sys, Io.sys, netdetect.com, Ntldr" "access is denied", aka infected and probably password protected to keep Windows from being able to wipe them from the drive.


If you really want to delete everything on the C: drive, you'll have to boot from another disk.

#39 WyoCowboy

WyoCowboy

    Member

  • Full Member
  • Pip
  • 62 posts

Posted 20 April 2005 - 04:10 PM

I thought all Windows XP systems (regardless of their file systems) cannot boot into DOS.


There is no way to boot into DOS from ntldr (e.g. the F8 boot menu), but when you (not the OEM) are installing XP, you can install it as FAT32 instead of NTFS. If you do that, you can get to the hard drive files by booting from a win9x boot floppy. Otherwise, to boot to a command prompt, you have to go into Recovery Console, which is the only choice with NTFS partitions.

#40 WyoCowboy

WyoCowboy

    Member

  • Full Member
  • Pip
  • 62 posts

Posted 20 April 2005 - 04:31 PM

OK, here's a list of everything it has done to my PC.

1. Added in BIOS under hard disks "hard drive" "Bootable add-in cards". NOT THERE WHEN I FIRST TURNED NEW BOARD ON.


Are you sure about that? This is a common option in newer boards, under "boot device priority" and such.

2. It has disabled my floppy drive entirely, disallowing a low level format or complete master boot record refresh, aka restoring dick back to factory as it was when I bought it.


What is the floppy doing/not doing? Are you sure you have the cable connected correctly? If the floppy drive LED comes on immediately when you power on, you have the cable on backwards.

3. It disabled my onboard network and I'm having to use a PCI card to use my net.


Did you check in the BIOS to make sure it is enabled? It is usually under "Peripherals".

4. I'm running Sygate firewall, and the incoming light lights up about every 5 seconds and says anywhere from 120-380 KB is being downloaded, but my network is NOT lighting up, showing the connection as being used.


Please explain what you mean by "my network is not lighting up" - what are you looking at?

5. It has disabled CD-ROM drives from being able to locate any .bin files from DOS, aka putting a fresh BIOS flash onto the BIOS from a system disk.


CD-ROM drives are not accessible from DOS unless you boot from a floppy or CD that is formatted as a DOS boot disk, AND it has the appropriate real-mode CD-ROM drivers on it, AND it has the correct statements in the config.sys and autoexec.bat, which also have to be on said disk. What are you booting from when you can't access the CD drive?

6. It took over several system files; when I go to DOS and type in delete c: and hit y for yes, it says "msdos.sys, Io.sys, netdetect.com, Ntldr" "access is denied", aka infected and probably password protected to keep Windows from being able to wipe them from the drive.


As others have said, these are hidden system files that have the read-only flag set, so this is normal operation for uninfected files with these names.

7. I've run all kinds of network tracing programs, and none are detecting where this info is coming from.


What info?

8. It has taken over my exe2bin file, therefore allowing it to write malicious code to .bin files as I'm flashing the BIOS in Windows.


How do you know this?

9. Lastly, I know there's a virus because, as I said, I couldn't be lagging in UNREAL with the setup I'm running, no possible way.


There are alternate explanations for everything you have listed. I'm not convinced that you have any kind of virus infection.

Thanks for not calling me a nut case, or discounting that this thing isn't real.
I assure you it is.


It may be real, but it doesn't look like a virus to me (I remove viruses and scumware for a living).




Member of UNITE
Support SpywareInfo Forum - click the button