mailing list archives
Re: Re: computer with rootkit?
From: "Jamie Ivanov" <jamie.ivanov () gmail com>
Date: Thu, 29 Sep 2011 17:47:59 +0000
I never said they came alone, don't twist my words. I didn't feel like giving a whole history or breakdown on malicious
My point on combofix, like the others, should not be trusted in a hot and infected system. I've seen combofix miss
major infections. A great product yes. Nothing what I said was comprehensive so quit treating it as such.
As far as downtime, I'm well aware. Fixing a rootkit and analyzing the registry can be done in a half hour or less and
a system can be returned to production status. Rebuilding a system can take hours from the image deployment or RIS to
updates to policies to deployed software. I'm used to working in large corporate environments. I'm well aware of all of
I don't underestimate them, I admire them. Which is why I've spent my time on the other side of field and reverse
engineer these infections. They are beautiful but once you understand how they work in an operating system, its simply
no longer a big deal and rather easy to remove.
Jamie Ivanov / KC9LFD
-- -- -- -- -- -- -- -- -- -- -- --
This transmission (including any attachments) may contain confidential information, privileged material (including
material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any
use of this information by anyone other than the intended recipient is prohibited. If you have received this
transmission in error, please immediately reply to the sender and delete this information from your system. Use,
dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be
Sent from my BlackBerry
From: Adam Pal <pal_adam () gmx net>
Date: Thu, 29 Sep 2011 19:40:10
To: Jamie Ivanov<jamie.ivanov () gmail com>
Reply-To: Adam Pal <pal_adam () gmx net>
Cc: Brian Rogalski<brogalski () bkrservices com>; <listbounce () securityfocus com>; security basics<security-basics ()
Subject: Re: computer with rootkit?
Your statement is not correct. Rootkits dont come alone, they use
worms, botnets, dorppers, polymorphic encryption basicaly all
Usual drivers and system files are being replaced, simple registry
entries as mentioned in the list are not longer in use, the malware
use much more sophisticated ways to conceal its presence.
Are you sure that combofix use no system calls/libraries?
Those who have suggested a reinstall have experience in working
environments and know that a system outage means to loose time which
means to loose money. To replace the system using a default image
(part of BCM/DRP) is a mater of minutes.
Please dont take me wrong, but those who underestimate a rootkit
infection should be ashamed.
Thursday, September 29, 2011, 6:35:31 PM, you wrote:
<==============Original message text===============
JI> Clearly you don't have any experience with rootkits. If one were
JI> to get loaded from boot (bootkit) to initialize a driver or hook a
JI> driver, once the kernel SSDT gets modified your process list
JI> becomes inaccurate. You cannot perform *ANY* rootkit removal on an
JI> active system or your changes will be nullified by monitoring hooks.
JI> You need an offline environment like the Hirens boot CD to load
JI> portable envoronment. Not only wipe the mbr but check loaded
JI> drivers at each runlevel then check local user and global registry
JI> startup points. Also a system file check to verify/replace
JI> modified system files. Then, and only then, you can even run your
JI> malware finders such as combofix, malwarebytes antimalware, and spybot s&d.
JI> Repairing a rootkit infection is not that difficult. I've been
JI> reverse engineering them for years. Those who have suggested a reinstall should be ashamed.
JI> Jamie Ivanov / KC9LFD
JI> Blackberry: 32DD619E
JI> -- -- -- -- -- -- -- -- -- -- -- --
JI> This transmission (including any attachments) may contain
JI> confidential information, privileged material (including material
JI> protected by the solicitor-client or other applicable privileges),
JI> or constitute non-public information. Any use of this information
JI> by anyone other than the intended recipient is prohibited. If you
JI> have received this transmission in error, please immediately reply
JI> to the sender and delete this information from your system. Use,
JI> dissemination, distribution, or reproduction of this transmission
JI> by unintended recipients is not authorized and may be unlawful.
JI> Sent from my BlackBerry
JI> -----Original Message-----
JI> From: Brian Rogalski <brogalski () bkrservices com>
JI> Sender: listbounce () securityfocus com
JI> Date: Thu, 29 Sep 2011 07:01:20
JI> To: security basics<security-basics () securityfocus com>
JI> Subject: RE: computer with rootkit?
JI> There are a few things that you could try...
JI> Use tools like process hacker, what's running, capture bat and regshot ...
JI> Process explorer and process monitor can tell you what path and device
JI> files are being used. Also look at the
JI> (HKLM\currentversion\microsoft\windows\software\run) key in the registry
JI> ... most malicious program want to stay resident after a reboot... You can
JI> use a tool called autoruns at well.
JI> It looks like you may have a Kernel mode root kit. There is only so far
JI> that those tools will take you .. To complete your process you are going
JI> to have to dump the executable to a unaffected machine and perform more
JI> behavioral analysis follow by code and memory forensics.
JI> Hope that helps
JI> Securing Apache Web Server with thawte Digital Certificate
JI> In this guide we examine the importance of Apache-SSL and who
JI> needs an SSL certificate. We look at how SSL works, how it
JI> benefits your company and how your customers can tell if a site is
JI> secure. You will find out how to test, purchase, install and use a
JI> thawte Digital Certificate on your Apache web server. Throughout,
JI> best practices for set-up are highlighted to help you ensure
JI> efficient ongoing management of your encryption keys and digital certificates.
<===========End of original message text===========