[SecurityRatty] tag: rootkit

Startup offers rootkit protection, partitioning

Thu, 20 Nov 2008 02:00:00 +0000

Start-up Integrity Global Security is coming out with a version of technology used in the military that can provide the features of virtual machines but with built-in security.

Start-up offers rootkit protection, partitions virtual machines

Wed, 19 Nov 2008 21:00:00 +0000

Start-up Integrity Global Security is coming out with a businesses version of technology used on military fighters and bombers that can provide the features of virtual machines but with built-in security.

Malware Uses GDI Local Elevation Of Privilege Vulnerability To Install Untraceable Rootkit

Tue, 30 Sep 2008 18:46:47 +0000

Security researchers from F-Secure have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date. The AutoRun-NOX worm extends the standard VXer trick of using software vulnerabilities to infect systems, by including functionality that allows the worm to exploit Windows security bugs to hook into parts of the Windows [...]

Rootkit Evolution

Mon, 01 Sep 2008 05:21:06 +0000

I saw my first rootkit in 2004, when I was still a rookie virus analyst. At that point I had some vague knowledge of UNIX-based rootkits. One day I stumbled on an executable for Windows that didnt se...

CERT Warns About Phalanx Attacks Against Linux Servers

Wed, 27 Aug 2008 12:03:19 +0000

The US Computer Emergency Readiness Team (CERT) is warning about attacks in the wild against Linux systems with compromised SSH keys. The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. The attacks then install a rootkit known as [...]

Know what the Alt-F4 command does?

Tue, 05 Aug 2008 19:36:47 +0000

Great article, ya gotta read it. Great tips on staying secure.
Well done!

clipped from itknowledgeexchange.techtarget.com

Nine Steps to System Security - 2008

It isn’t getting any better on The Wild, Wild Web, despite state and federal government attempts to arrest and prosecute those responsible for electronically-perpetrated criminal acts. Spyware and malware of all kinds are increasingly more stealthy and difficult to remove thanks to rootkit technology. With the advent of Web 2.0 and its emphasis on sharing and collaboration, web-based attacks are more prevalent than ever, especially those that rely on JavaScript and other scripting languages.

Storm Worm's Lazy Summer Campaigns

Thu, 31 Jul 2008 02:39:35 +0000

The Storm Worm-ers seem to be lacking their usual creativity in respect to the usual social engineering attacks taking advantage of the momentum we're used to seeing. These days they're not piggybacking on real news items, they're starting to come up with new ones.

Storm's latest "FBI vs Facebook" campaign is an example of very badly executed one, lacking their usual fast-flux, any kind of social engineering common sense, as well as client side exploits next to centralizing all the participating domains on a single nameserver.

Domains used :
wapdailynews .com
smartnewsradio .com
bestvaluenews .com
toplessnewsradio .com
companynewsnetwork .com
goodnewsgames .com
marketgoodnews .com
fednewsworld .com
toplessdailynews .com
stocklownews .com

DNS servers :
NS.BRPRBGOK6 .COM
NS2.BRPRBGOK6 .COM
NS3.BRPRBGOK6 .COM
NS4.BRPRBGOK6 .COM
NS5.BRPRBGOK6 .COM
NS6.BRPRBGOK6 .COM

Strangely, the domain has been registered using an email hosted on a known Storm fast-flux node used in the recent 4th of July campaign and the U.S's invasion of Iran :

Administrative Contact:
Lee Chung lee@likethisone1.com
+13205897845 fax:
1743, 34
Los-Angeles CA 321458
us

This Storm Worm sample is also "phoning back home" over HTTP next to the P2P traffic, and trying to obtain the rootkit from the now down, policy-studies.cn /getbackup.php using already known Storm nameservers :

ns2.verynicebank .com
ns3.verynicebank .com
ns.likethisone1 .com
ns2.likethisone1 .com
ns3.lollypopycandy .com
ns4.lollypopycandy .com

Someone's bored, definitely, making it look like it's almost someone else managing a Storm Worm campaign on behalf of them.

Hunt for the elusive rootkit 'Rustock.C' revealed

Mon, 14 Jul 2008 20:00:00 +0000

Rootkits embody software code designed to hide from view, so the tale of how Kaspersky Lab hunted down the rumored Rustock rootkit reads like a Sherlock Holmes story.

Homer Simpson and the Kimya Botnet

Fri, 11 Jul 2008 13:46:17 +0000

Television often relies on fake codes, phone-numbers and addresses to make up part of their fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homers Email address. Of course, every Simpsons fan with net access immediately added Chunkylover53 to their AIM contact list. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file about 150kb in size, and it looks like this:

Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

Click to Enlarge (if you really must!)

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICAAN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

...and it currently advertises a link for a dating website:

We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control.

We detect this as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

Ad-Aware 2008 Now Available!

Mon, 30 Jun 2008 11:38:14 +0000

Whats new in 2008?

Integrated anti-virus protection
Our powerful anti-spyware software now includes extended
anti-virus protection for Ad-Aware 2008 Plus and Pro versions.
Improved rootkit removal system
An improved rootkit removal system is now available to
address today's threat framework.
Bigger and better detection
Lavasoft's new extended anti-virus engine boosts detection
to include over one million additional virus and malware threats.
Substantially reduced use of computer memory
Plus and Pro users will notice a significant reduction in
computer memory used while in watchguard mode.
64-bit platform support
Ad-Aware 2008 Free, Plus and Pro versions will have full
64-bit platform support as well as Windows Vista compatibility.
Faster updates
New download compression results in faster product updates
for users on all systems.
New international network of malware security volunteers
submitting samples of the latest malware threats in the wild.

Now Available on the SpywareBiz AntiSpyware page. Get it now!