I just spotted a scary-looking rootkit project:
http://www.xfocus.net/tools/200602/uay_source.rar
This is written by a guy called Uay, and it has the makings of a powerful rootkit.
He has hooked the lowest-level point of networking in the kernel, the NDIS layer, which means he is invisible to software firewalls.
The rootkit at the moment will provide a "cmd.exe"-style shell that supports commands such as cd, dir, copy and del, using native APIs that are exported by ntoskrnl.exe.
I suspect it will also be invisible to most rootkit detectors, as he is not hiding anything like files, ports, etc. - although an NDIS hook detector will find it.
This reminds me of some ideas I had been working on recently - implementing malware purely in the kernel.
I've made an IRC bot that runs 100% in ring0 for fun, using Valerino's socket library for the kernel. Perhaps I will post it here some time soon...
Oh and on a closing note, check out Yorn's blog at: http://yorn.wordpress.com/
See ya.

Thanks for the link!
I just got that rootkit downloaded and looked at it, and that's some pretty dang impressive work. I liked your ring0 IRC client; it was still in the baby stages, but clearly showed that the task of getting notification back to the attacker, even with a rootkit, isn't any harder than a traditional trojan.