Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security NTBugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Hidden Applications and rootkits for Windows

from [Russ] Network Security [Permanent Link]
Subject: Re: Hidden Applications and rootkits for Windows
Date: Mon, 28 Feb 2005 15:18:04 -0500 
Compendium of responses;

Quite a few people (Jason DePriest being first) pointed out the recently 
released RootkitRevealer from Sysinternals;

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Together with a few glowing reports, there was this message from Bill Sanderson;
-----
I have to say, however, that the tool has some limitations. I don't find it 
usable on machines with Services for Macintosh installed and in use, and I'm 
told that there is an antivirus product which will have a similar effect--both 
balloon the number of entries found from a few hundred or less, to hundreds of 
thousands
-----

A number of other people (Daniel Weatherly being first) pointed out that 
Microsoft Research was already working on something;

http://research.microsoft.com/rootkit/

-----
Matt Tisdel added this story;

My brother was called into a company to deal with the following use of a 
Windows rootkit:

The worm was spread by a password protected .zip file that a user, God bless 
him, was convinced to open. (Although, it can also spread through ActiveX) The 
worm installs itself, emails everyone in the address book, sits dormant on the 
workstation until a Domain Admin logs in, then it spreads itself across the 
network. In this case the Domain Controllers were easily compromised and DNS 
pretty much quit working. I believe that many of the detrimental effects of 
this version of the worm were a by-product of the worm ceaselessly downloading 
torrents of spyware.

So, in this case, 3 normal precautions would have prevented or impeded the 
problem at 2 different levels.

1. No one logs in as a Domain Admin
2. No attachments; or at least follow basic precautions (If you aren't 
expecting an attachment from the person, don't open it)
3. If Windows XP SP2 had been installed would at least have a chance of 
stopping the ActiveX infection method.
-----

Cheers,
Russ - NTBugtraq Editor

--
NTBugtraq Editor's Note:

Most viruses these days use spoofed email addresses. As such, using an 
Anti-Virus product which automatically notifies the perceived sender of a 
message it believes is infected may well cause more harm than good. Someone who 
did not actually send you a virus may receive the notification and scramble 
their support staff to find an infection which never existed in the first 
place. Suggest such notifications be disabled by whomever is responsible for 
your AV, or at least that the idea is considered.
--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Securing your Partners survey, Russ Cooper
Next by Date:  Re: Firescrolling [Firefox 1.0], Brian Bergin
Previous by Thread:  Hidden Applications and rootkits for Windows, Daniel Weatherly
Next by Thread:  [Full-Disclosure] RE: Firescrolling [Firefox 1.0], Eric McCarty
Indexes:  [Date] [Thread] [Top] [All Lists]