Full Disclosure mailing list archives
Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses
From: GuidoZ <uberguidoz () gmail com>
Date: Sat, 25 Sep 2004 02:22:55 -0400
Thanks for the interesting reading Mike. =) Good stuff there. -- Peace. ~G On Sat, 25 Sep 2004 00:08:19 -0500 (CDT), Mike Barushok <mikehome () kcisp net> wrote:
Back in the day, 1994 to be exact, there was a virus that with the commonly available tools was quite difficult to eliminate, and which was usually detected by effects rather than the presence on disk, or in main memory. One of the effects it had was to "delete or stops the execution of programs called SCAN, CLEAN, NETSCAN, CPAV, MSAV, TNTAV". Actually many other executables other than those were interfered with also. Another effect was a system with a modem would start answering on the seventh ring. And it deleted files named 'CHKLIST.*' (defeating integrity checking, but noticeable). Had it been truly polymorphic, less 'noisy', and with several modern tricks, it could initially have been credibly described as almost undetectible. Erasing the CMOS memory could have seemed like a dead battery. Checkout GOLDBUG, see: http://www.f-secure.com/v-descs/goldbug.shtml http://www.textfiles.com/virus/gold-bug.txt http://vx.netlux.org/lib/static/vdat/retrovir.htm For all intents and purposes anything you would expect the system to do under certain circumstances, can be subverted such that the expected result would be generated falsely. File scanning, registry keys and values, process enumeration, could all be made to appear to suceed in finding nothing out of the ordinary. Windows regedit is well known to hide some of the key names and their values. Disk areas other than the 'file system' can hold data. Processes that are already always running (like Kernel32 itself, could be the process that was modified to do the dirty deeds. Generally, with any general purpose computer, the ability to trust the results of any particular action depend on fully knowing the complete state of the machine. So, a machine in an unknown state cannot verify itself to be in an 'expected' state. Additionally, it is theoretically feasible to modify the CPU's microcode to alter execution of already present software as desired. This was mentioned as far back as twenty years ago by someone who instead demonstrated a trojan that worked by modifying the Unix login, when the login program was compiled, and that detected a new version of the compiler being compiled and replicated itself to the new compiler object code. See: K. Thompson. Reflections of Trusting Trust, Communication of the ACM, Vol. 27, No. 8, Aug 1984, pp. 761-763. http://www.acm.org/classics/sep95 He stated "You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me). No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect". So, although I doubt that any company is really selling any completely undetectible code, for the purposes being discussed in this thread, there almost certainly is some very difficult to detect software already being used for other purposes important to certain three-letter-agencies. On Thu, 23 Sep 2004, GuidoZ wrote:It is quite possible to hide processes, reg keys and files, and is often done by various malware.Aye. I didn't word my statements correctly. (Was tired... =P ) You are very much correct. I guess I was trying to speak along the lines of AV detection and forensics. I've yet to find a rootkit, spyware, or malware that is COMPLETLY hidden, in every aspect, from the user. There is always a way to find it. Granted, they can bypass the "usual means" (regedit, taskmanager, etc) in Windows, however there are specialized tools (process viewers for example) that show hidden processes. What I meant to express is they seem to claim being able to hide from everything. (Even if an AV solution detected the very program they use as an installer.) That, I doubt. To save someone else from saying this, I'll reply to my own comment. =)I've yet to find a rootkit, spyware, or malware that is COMPLETLY hidden, in every aspect, from the user.Well, DUH. How could you find it if it was COMPLETELY hidden? ;) Clarification: The user and a sysadmin that has a clue are two very different people.) -- Peace. ~G On Thu, 23 Sep 2004 14:38:34 +1000, Matt <matt () systemlinux net> wrote:GuidoZ wrote:Interesting indeed. Although, I imagine this was a spam email, and I never believe (nor buy) anything from spam. I wondr how credible this really is. If there was such a way to do what they claim, don't you think it would have been big news? >One would think you wouldn't first hear about it through spam.It is quite possible to hide processes, reg keys and files, and is often done by various malware.Also - nice website they have. http://www.randexsoft.com Simply says: Access Forbidden -- Go away. I love a company who is customer friendly. -- Peace. ~G On Wed, 22 Sep 2004 20:10:28 -0700 (PDT), Will Image <xillwillx () yahoo com> wrote:I recieved this in my inbox today: how long do you think this company will last?Date: Wed, 22 Sep 2004 19:02:44 -0400 From: Jacques Tremblay <jacques.tremblay () gmail com> To: xillwillx () yahoo com Subject: Hide your adware from all Adware removers and Anti-viruses To: Business development manager Subject: Hide your adware from all Adware removers and Anti-viruses Hi, Adware removers are gaining in popularity and they cause a big revenue threat to adware based businesses, as we see our software installations get desinstalled after a period of time that is shorter and shorter, we see our revenues get smaller and smaller. Why would an honest adware based business lose revenue just because some adware remover has identifyed it as being something to remove ? We beleive we have the right to hide from these adware removers as long as we provide a way for the user to uninstall and that he agrees that the software will be uninstalled only with the provided uninstaller. It is in that spirit that we created the solution to the problem : AdProtector 1.2 We have developed software capable of hiding your software from all adware removers and anti-viruses on a Windows NT/2000/2003/XP machine. Basically we have filtered the windows kernel so that we could mofify the behavior of the system itself. So now we can hide anything we want from windows. It can : - Hide Registry Keys - Hide Files - Hide Processes By hiding these 3 key elements from windows, your application won't ever be detected by any adware removers. Interesting ? For more information or to resquest a Demo : email : hexa () randexsoft com Business is moving fast, keep ahead of the competition!
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Will Image (Sep 22)
- Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses GuidoZ (Sep 22)
- Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Matt (Sep 22)
- Re: Rootkit For Spyware? Hide your adware from Darren Reed (Sep 23)
- Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses GuidoZ (Sep 23)
- Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Mike Barushok (Sep 24)
- Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses GuidoZ (Sep 24)
- Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Matt (Sep 22)
- Re: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses GuidoZ (Sep 22)
- <Possible follow-ups>
- Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses macmanus () gmail com (Sep 23)
- RE: Rootkit For Spyware? Hide your adware from all Adware removers and Anti-viruses Todd Towles (Sep 24)