Full Disclosure mailing list archives

Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses


From: Mike Barushok <mikehome () kcisp net>
Date: Sat, 25 Sep 2004 00:08:19 -0500 (CDT)


Back in the day, 1994 to be exact, there was a virus that with the
commonly available tools was quite difficult to eliminate, and
which was usually detected by effects rather than the presence
on disk, or in main memory. 

One of the effects it had was to "delete or stops the execution
of programs called SCAN, CLEAN, NETSCAN, CPAV, MSAV, TNTAV".
Actually many other executables other than those were interfered
with also. Another effect was a system with a modem would start
answering on the seventh ring. And it deleted files named
'CHKLIST.*' (defeating integrity checking, but noticeable).

Had it been truly polymorphic, less 'noisy', and
with several modern tricks, it could initially have been credibly
described as almost undetectable. Erasing the CMOS memory
could have seemed like a dead battery.

Check out GOLDBUG, see:
http://www.f-secure.com/v-descs/goldbug.shtml
http://www.textfiles.com/virus/gold-bug.txt
http://vx.netlux.org/lib/static/vdat/retrovir.htm

For all intents and purposes anything you would expect the system
to do under certain circumstances, can be subverted such that the
expected result would be generated falsely. File scanning,
registry keys and values, process enumeration, could all be made
to appear to succeed in finding nothing out of the ordinary.
Windows regedit is well known to hide some of the key names
and their values. Disk areas other than the 'file system' can
hold data. Processes that are already always running (like
Kernel32 itself) could be the process that was modified to do
the dirty deeds. Generally, with any general purpose computer,
the ability to trust the results of any particular action
depends on fully knowing the complete state of the machine.
So, a machine in an unknown state cannot verify itself to be
in an 'expected' state.

Additionally, it is theoretically feasible to modify the
CPU's microcode to alter execution of already present software
as desired. This was mentioned as far back as twenty years ago
by someone who instead demonstrated a trojan that worked by
modifying the Unix login, when the login program was compiled,
and that detected a new version of the compiler being compiled
and replicated itself to the new compiler object code. 
See: K. Thompson. Reflections on Trusting
     Trust, Communications of the ACM, Vol. 27, No. 8, Aug 1984,
     pp. 761-763. http://www.acm.org/classics/sep95

He stated "You can't trust code that you did not totally create
yourself. (Especially code from companies that employ people like
me). No amount of source-level verification or scrutiny will
protect you from using untrusted code. In demonstrating the
possibility of this kind of attack, I picked on the C compiler. I
could have picked on any program-handling program such as an
assembler, a loader, or even hardware microcode. As the level of
program gets lower, these bugs will be harder and harder to
detect. A well installed microcode bug will be almost impossible
to detect".

So, although I doubt that any company is really selling any
completely undetectable code, for the purposes being discussed
in this thread, there almost certainly is some very difficult to
detect software already being used for other purposes important
to certain three-letter-agencies.

On Thu, 23 Sep 2004, GuidoZ wrote:

It is quite possible to hide processes, reg keys and files, and is often
done by various malware.

Aye. I didn't word my statements correctly. (Was tired... =P ) You are
very much correct.

I guess I was trying to speak along the lines of AV detection and
forensics. I've yet to find a rootkit, spyware, or malware that is
COMPLETELY hidden, in every aspect, from the user. There is always a
way to find it. Granted, they can bypass the "usual means" (regedit,
taskmanager, etc) in Windows, however there are specialized tools
(process viewers for example) that show hidden processes. What I meant
to express is they seem to claim being able to hide from everything.
(Even if an AV solution detected the very program they use as an
installer.) That, I doubt.


To save someone else from saying this, I'll reply to my own comment. =)

I've yet to find a rootkit, spyware, or malware that is
COMPLETELY hidden, in every aspect, from the user.

Well, DUH. How could you find it if it was COMPLETELY hidden? ;)
Clarification: The user and a sysadmin that has a clue are two very
different people.)

--
Peace. ~G


On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt () systemlinux net> wrote:
GuidoZ wrote:
Interesting indeed. Although, I imagine this was a spam email, and I
never believe (nor buy) anything from spam. I wonder how credible this
really is. If there was such a way to do what they claim, don't you
think it would have been big news? One would think you wouldn't first
hear about it through spam.

It is quite possible to hide processes, reg keys and files, and is often
done by various malware.

Also - nice website they have. http://www.randexsoft.com Simply says:

Access Forbidden -- Go away.

I love a company who is customer friendly.

--
Peace. ~G


On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image
<xillwillx () yahoo com> wrote:

I received this in my inbox today:
how long do you think this company will last?


Date: Wed, 22 Sep 2004 19:02:44 -0400
From: Jacques Tremblay <jacques.tremblay () gmail com>
To: xillwillx () yahoo com
Subject: Hide your adware from all Adware removers
and Anti-viruses

To: Business development manager

Subject: Hide your adware from all Adware removers and Anti-viruses


Hi,
      Adware removers are gaining in popularity and they cause a big
revenue threat to adware based businesses, as we see our software
installations get uninstalled after a period of time that is shorter
and shorter, we see our revenues get smaller and smaller.

      Why would an honest adware based business lose revenue just because
some adware remover has identified it as being something to remove?

      We believe we have the right to hide from these adware removers as
long as we provide a way for the user to uninstall and that he agrees
that the software will be uninstalled only with the provided
uninstaller.

      It is in that spirit that we created the solution to the problem:


AdProtector 1.2


      We have developed software capable of hiding your software from all
adware removers and anti-viruses on a Windows NT/2000/2003/XP machine.

      Basically we have filtered the windows kernel so that we could modify
the behavior of the system itself. So now we can hide anything we want
from windows.

                It can :   - Hide Registry Keys
                           - Hide Files
                           - Hide Processes

      By hiding these 3 key elements from windows, your application won't
ever be detected by any adware removers.

      Interesting?

      For more information or to request a Demo:
 email : hexa () randexsoft com

Business is moving fast, keep ahead of the competition!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Peace. ~G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
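The thread turns on two claims: that a kernel hook can hide processes, files and registry keys from the "usual means", and that specialized tools still find them. The standard way such tools work is cross-view detection: take the same inventory through two independent paths and report what only one of them shows. The following is an added example, not code from anyone in this thread or from the advertised product; it demonstrates the principle on Linux procfs (the thread discusses Windows NT-family kernels, where the equivalent is comparing an enumeration API against direct per-PID probing). The listing view is what a hooked directory enumeration would filter; the probing view asks for each candidate PID directly. The `hooked_listing` function is a constructed stand-in for a rootkit's filtered listing, used only so the check can be exercised without installing one.

```python
"""Cross-view detection of hidden processes (added example, Linux/procfs).

A hook that filters directory listings of /proc hides a process from
tools that enumerate by reading that directory.  Such a hook often does
not also intercept direct lookups of /proc/<pid>, so probing each pid
explicitly and comparing the two views exposes the discrepancy.
"""
import os
from typing import Callable, Optional, Set, Tuple


def listed_pids(proc: str = "/proc") -> Set[int]:
    """View A: numeric entries in a directory listing of /proc.

    This is the path ps-style tools take, and the one a listing hook filters.
    """
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid: int, proc: str = "/proc") -> Set[int]:
    """View B: look up /proc/<pid> for every candidate pid individually.

    No directory enumeration is involved, so a listing-only hook is bypassed.
    """
    return {pid for pid in range(1, max_pid + 1) if os.path.exists(f"{proc}/{pid}")}


def hooked_listing(real: Set[int], concealed: Set[int]) -> Set[int]:
    """Constructed stand-in for a rootkit's filtered listing (not real hook code):
    it simply drops the concealed pids from the true set."""
    return real - concealed


def cross_view_diff(listed: Set[int], probed: Set[int]) -> Tuple[Set[int], Set[int]]:
    """Return (hidden, phantom).

    hidden : pids reachable by probe but absent from the listing (suspicious)
    phantom: pids in the listing that the probe could not reach (usually a
             process that exited between the two snapshots)
    """
    return probed - listed, listed - probed


def stable_hidden(listed_view: Callable[[], Set[int]],
                  probed_view: Callable[[], Set[int]],
                  rounds: int = 3) -> Set[int]:
    """Repeat the comparison and report only pids flagged in every round.

    Processes are created and destroyed between any two snapshots, so a
    single diff produces false positives; requiring the discrepancy to be
    stable across rounds removes the transient ones.
    """
    result: Optional[Set[int]] = None
    for _ in range(rounds):
        hidden, _phantom = cross_view_diff(listed_view(), probed_view())
        result = hidden if result is None else result & hidden
        if not result:
            break
    return result or set()


if __name__ == "__main__":
    # Bound the probe range for the demo; a full pid_max sweep is slow.
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = min(int(fh.read()), 65536)
    except OSError:
        pid_max = 32768
    suspects = stable_hidden(listed_pids, lambda: probed_pids(pid_max))
    print("pids visible to probe but not to listing:", sorted(suspects) or "none")
```

Two caveats a practitioner would want: a hook that also intercepts path lookup (the `stat`/`open` side) defeats this particular pair of views, which is why real tools compare several independent views (kernel task list walk, scheduler data, network socket owners) rather than one pair; and a `hidepid` mount option on /proc hides other users' processes from both views equally, so an unprivileged run reports nothing either way. The same logic applies to the thread's other two items: a filtered file listing can be checked against direct opens of candidate names or against the raw volume, and a filtered registry enumeration against direct key opens or an offline parse of the hive file.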