Here you will find the latest, and sometimes the strangest, news on Rootkits featuring our very own News-Roots Reporter wawadave.




* Anyone can post rootkit related news here. Include a brief excerpt and the link to the full story.

(Please do not quote whole articles verbatim unless you have the written permission of the authors or publishers to do so.)

**If you want to discuss these stories, please open a seperate New Topic. Thanks.

***All posts are subject to our approval.

_________________

Microsoft MVP Consumer Security 2006, 2007 & 2008

Hello
This is not the newest or the strangest. But the news event that brought windows rootkits into the open for all to see.

Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights ...

Yes long since after the fact. But to any newbies you should have a read and do a google you can see and learn some basics!

If anyone else has any recent news or alerts please feel free to post small exert and link to the original source web page will work fine!

invisiblethings: Introducing Blue Pill
All the current rootkits and backdoors, which I am aware of, are based on a concept. For example: FU was based on an idea of unlinking EPROCESS blocks from the kernel list of active processes, Shadow Walker was based on a concept of hooking the page fault handler and marking some pages as invalid, deepdoor on changing some fields in NDIS data structure, etc... Once you know the concept you can (at least theoretically) detect the given rootkit.
http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html

7/11: Backdoor.Pcclient.B Trojan Dropped by Other Trojan
Backdoor.Pcclient.B is a back door Trojan horse program with rootkit functionality that
allows a remote attacker unauthorized access to the compromised computer.

http://nl.internet.com/ct.html?rtr=on&s=1,2led,1,9bsk,9mal,9s3s,a9gz

The Haxdoor family.......

They all steal passwords for mail accounts and online banking and opens
an backdoor.

http://www.f-secure.com/v-descs/haxdoor_m.shtml

http://www.f-secure.com/v-descs/haxdoor.shtml

http://www.symantec.com/security_response/writeup.jsp?docid=2006-071214-4735-99&tabid=1


Interresting "mismatch" between security vendors and versions....

Windows rootkits of 2005, part one
This three-part article series looks at Windows rootkits indepth. Part one discusses what a rootkit is and what makes them so dangerous, by looking at various modes of execution and how they talk to the Windows kernel.
By: James Butler, Sherri Sparks 2005-11-04
http://www.securityfocus.com/infocus/1850


Windows rootkits of 2005, part two
This three-part article series looks at Windows rootkits indepth. Part two focuses on the latest cutting edge rootkit technologies that are used to hide malicious code from security scanners.
By: James Butler, Sherri Sparks 2005-11-17
http://www.securityfocus.com/infocus/1851


Windows rootkits of 2005, part three
The third and final article in this series explores five different rootkit detection techniques used to discover Windows rootkit deployments. Additionally, nine different tools designed for administrators are discussed.
By: James Butler, Sherri Sparks 2006-01-05
http://www.securityfocus.com/infocus/1854

Thank you TRPM!!!

MS HIRES ROOTKIT SLEUTH
Microsoft Corp. has acquired Winternals Software LP, the company
co-founded by rootkit detective Mark Russinovich.
http://www.net-security.org/news.php?id=11758

Suicidal' malware threatens corporate secrets: Cybertrust

Munir Kotadia, ZDNet Australia
July 28, 2006
URL: http://www.zdnet.com.au/news/security/soa/_Suicidal_malware_threatens_corporate_secrets_Cybertrust/0,2000061744,39265027,00.htm


The latest threat to intellectual property comes in the shape of malicious software (malware) that is capable of infecting a computer, hiding itself until the user accesses specific files or Web sites -- in order to steal files or passwords -- and then deleting any trace of itself.

Speaking at the IT Security in Government Conference in Canberra on Friday, Brian Denehy, security assurance engineer at CyberTrust, told delegates that the vast majority of new malware uses "some type of stealth" or anti-forensic technology in an attempt to remain undetected before, during and after an attack.

Some good info and links in this link.
Roootkit info and detection apps

Hi

Maybe Off-topic....

From F-secures weblog:

Australian band Root Kit - a favorite of ours - was the runner up in Gidol at GoogleIdol.com's Original Competition Demo. Root Kit received 4796 votes. Gidol, not affiliated with Google, holds online competitions using publicly available Google Videos.

If you have missed Root Kit's video "Patch Me Up", then you should definitely check it out at Google Video. Listen to the lyrics carefully; there's some sound security (and love life) advice in there.

http://www.f-secure.com/weblog/archives/archive-082006.html#00000949

Video.....
http://video.google.com/videoplay?docid=9151435244001559688

Greetings,

Detecting the Blue Pill Hypervisor rootkit is possible but not trivial

Kindest regards,

Dragan Glas

Just got this info from AplusWebMaster.

_________________

Microsoft MVP Consumer Security 2006, 2007 & 2008

Researchers discover 'invisible' rootkit
Will run on Vista too

http://www.pcadvisor.co.uk/news/index.cfm?newsid=6606

_________________

Microsoft MVP Consumer Security 2006, 2007 & 2008

They would commandeer a hidden section of a hard drive, zip up as many files as possible and immediately transmit the data to way stations in South Korea, Hong Kong or Taiwan before sending them to mainland China. They always made a silent escape, wiping their electronic fingerprints clean and leaving behind an almost undetectable beacon allowing them to re-enter the machine at will.

http://www.time.com/time/magazine/article/0,9171,1098961,00.html

This was the first article that lead me to learning about Rootkits. This was published last year, Sept. 5, 05.

(Copyright law allows me to excerpt any written published material for any purpose as long as it does not exceed 250 words in length and contains a reference to the author and or publisher. Does an html link constitute an acceptable reference?)