NDIS backdoor

by tibbar @ 2006-02-15 - 23:50:44

I just spotted a scary looking rootkit project:

http://www.xfocus.net/tools/200602/uay_source.rar

This is written by a guy called Uay, and it has the makings of a powerful rootkit.

He has hooked the lowest-level point of networking in the kernel, the NDIS layer, which means he is invisible to software firewalls that sit above it.

The rootkit at the moment provides a "cmd.exe"-style shell that supports commands such as cd, dir, copy and del, using the native API exported by ntoskrnl.exe.

I suspect it will also be invisible to most rootkit detectors, as he is not hiding anything like files, ports etc. - although an NDIS hook detector will find it.
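The detection point in that last sentence, worked through as an added example (this is not code from the post or from the Uay project): an NDIS hook detector walks the protocol/miniport handler tables, which are blocks of function pointers, and flags any entry that no longer points inside the image of the driver that owns the table, or that differs from a baseline taken at a trusted moment. The struct below is a stand-in for the real NDIS structures, and every address is a constructed sample value, not a real Windows address.

```c
/* Added example: user-mode simulation of the two checks an NDIS hook
 * detector performs on a handler table. The struct is a stand-in for the
 * real NDIS characteristics structures; all addresses are constructed
 * sample values, not real Windows or NDIS addresses. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HANDLER_COUNT 4

/* Stand-in for a handler table: named code addresses. */
typedef struct {
    const char *name[HANDLER_COUNT];
    uintptr_t   addr[HANDLER_COUNT];
} handler_table;

/* Address range covered by the legitimate owning driver image (constructed). */
typedef struct {
    uintptr_t base;
    size_t    size;
} image_range;

static int in_image(uintptr_t p, const image_range *img)
{
    return p >= img->base && p < img->base + img->size;
}

/* Check 1: count handlers that point outside the owning driver's image. */
int count_out_of_image(const handler_table *t, const image_range *img)
{
    int n = 0;
    for (size_t i = 0; i < HANDLER_COUNT; i++)
        if (!in_image(t->addr[i], img))
            n++;
    return n;
}

/* Check 2: count handlers that differ from a trusted baseline snapshot. */
int count_changed(const handler_table *baseline, const handler_table *now)
{
    int n = 0;
    for (size_t i = 0; i < HANDLER_COUNT; i++)
        if (baseline->addr[i] != now->addr[i])
            n++;
    return n;
}

/* Constructed sample: a 0x10000-byte driver image loaded at 0xF8000000. */
static const image_range tcpip_img = { 0xF8000000u, 0x10000 };

/* Constructed baseline: every handler lies inside the owner's image. */
static const handler_table baseline = {
    { "ReceiveHandler", "ReceivePacketHandler", "SendCompleteHandler", "StatusHandler" },
    { 0xF8001230u, 0xF8001450u, 0xF8001690u, 0xF80018A0u }
};

/* Same table after a hook: ReceiveHandler now points into another module. */
static const handler_table hooked = {
    { "ReceiveHandler", "ReceivePacketHandler", "SendCompleteHandler", "StatusHandler" },
    { 0xFA2B0100u, 0xF8001450u, 0xF8001690u, 0xF80018A0u }
};

/* Print each handler that trips either check; returns the number flagged. */
int report(const handler_table *base, const handler_table *now, const image_range *img)
{
    int flagged = 0;
    for (size_t i = 0; i < HANDLER_COUNT; i++) {
        int moved   = !in_image(now->addr[i], img);
        int changed = base->addr[i] != now->addr[i];
        if (moved || changed) {
            printf("%-22s -> %#lx%s%s\n", now->name[i], (unsigned long)now->addr[i],
                   moved   ? " [outside owner image]"   : "",
                   changed ? " [differs from baseline]" : "");
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    printf("clean table:  %d flagged\n", report(&baseline, &baseline, &tcpip_img));
    printf("hooked table: %d flagged\n", report(&baseline, &hooked, &tcpip_img));
    return 0;
}
```

The image-range check needs no prior snapshot and so also catches hooks installed before the detector first ran; the baseline check catches a hook that lands inside the owner's image (for instance a patched entry pointing at a code cave). Running both is the reason a detector of this kind finds a rootkit that otherwise hides nothing.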

This reminds me of some ideas I had been working on recently: implementing malware purely in the kernel.

I've made an IRC bot that runs 100% in ring0 for fun, using Valerino's socket library for the kernel. Perhaps I will post it here some time soon...

Oh and on a closing note, check out Yorn's blog at: http://yorn.wordpress.com/

See ya.

Comments:

Yorn [Visitor]
http://yorn.wordpress.com
16/02/06 @ 20:32

Thanks for the link!

I just got that rootkit downloaded and looked at it and that's some pretty dang impressive work. I liked your ring0 irc client, it was still in the baby stages, but clearly showed that the task of getting notification back to the attacker, even with a rootkit, isn't any harder than a traditional trojan.
