
Thread: Good Read - W32 Root Kits

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    Good Read - W32 Root Kits

    I know that I have seen a few underground versions of similar software (and tested some too) but for those who are responsible for network security, especially in an enterprise setting, this will be a worthwhile read for you if you haven't looked into the possibility of running across a W32 rootkit.

    http://www.securityfocus.com/news/2879

    Hope this helps.

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Wow, that's some article, thehorse13! It says once the rootkit is installed it's undetectable. Does that mean my AV could detect it 'before' it gets installed?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    Wow, thanks for the heads-up! I'm going to look into this.

    Troj/Slanret-A
    Aliases: Backdoor.Ierk, Backdoor-ALI.sys
    Type: Trojan

    Detection
    A virus identity (IDE) file which provides protection is available now from the Latest virus identities section, and is incorporated into the March 2003 (3.67) release of Sophos Anti-Virus.

    At the time of writing Sophos has received no reports from users affected by this Trojan. However, we have issued this advisory following enquiries to our support department from customers.

    Description

    Troj/Slanret-A is a Trojan that may be used as a driver component, with the filename ierk8243.sys, by another application to gain unauthorized shared stealth access to the target computer.

    Upon execution the malicious application would install Troj/Slanret-A as a device with the devicename Mp437bba8e and may set the following registry entry:

    HKLM\System\CurrentControlSet\Services\Ierk8243

    Functioning as a device, Troj/Slanret-A provides an interface that allows an application to run hidden with full system privileges.
    Recovery
    Please read the instructions for removing Trojans.

    You will also need to edit the following registry entry, if it is present.

    At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

    Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

    Locate the HKEY_LOCAL_MACHINE entry:

    HKLM\System\CurrentControlSet\Services\Ierk8243

    and remove it if it exists.

    Close the registry editor.
    yeah, I'm gonna need that by friday...
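The Sophos advisory quoted above gives two registry-visible indicators (the service key name Ierk8243 and the driver file ierk8243.sys) and tells you to take a Regedit "Export Registry File" backup before removing the key. That same export can be checked offline, which matters here because a kernel driver that hides itself on the live box cannot hide from a dump taken from disk or from an earlier backup. The following is an added example, not code from the thread or from Sophos: a small parser for the .reg export format plus a check for the advisory's indicators. The SAMPLE_REG text is constructed for illustration (the "Renamed" service is a hypothetical case showing why the ImagePath should be checked as well as the key name); the device name Mp437bba8e is not recoverable from a registry export and is not checked here.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken verbatim from the Sophos Troj/Slanret-A advisory quoted above.
SERVICE_KEY = "Ierk8243"
DRIVER_FILE = "ierk8243.sys"

# Constructed sample of a Regedit "Export Registry File" dump. Not a real capture;
# the "Renamed" service is a hypothetical re-registration of the same driver
# under a different service name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ierk8243]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="\\??\\C:\\WINNT\\system32\\ierk8243.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Renamed]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINNT\\system32\\IERK8243.SYS"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: value}}.

    Quoted strings are unescaped (\\\\ -> \\, \\" -> "), dword values are
    converted to decimal strings, other value types are kept raw.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif value.startswith("dword:"):
            value = str(int(value[len("dword:"):], 16))
        keys[current][name] = value
    return keys


def find_slanret_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (key_path, reason) for every service key matching the advisory."""
    hits: List[Tuple[str, str]] = []
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1]
        if leaf.lower() == SERVICE_KEY.lower():
            hits.append((path, "service key name matches advisory"))
        image = values.get("ImagePath", "")
        # Match on the driver file name regardless of the service name it hides under.
        if image.lower().endswith(DRIVER_FILE):
            hits.append((path, "ImagePath loads %s: %s" % (DRIVER_FILE, image)))
    return hits


if __name__ == "__main__":
    for path, reason in find_slanret_indicators(parse_reg_export(SAMPLE_REG)):
        print("%s\n    %s" % (path, reason))
```

Run it against a real export (regedit's "Export Registry File" with range "All", or `reg export HKLM\System\CurrentControlSet\Services services.reg` on newer Windows) rather than the sample; a hit on a key whose name is not Ierk8243 is exactly the case the advisory's "remove it if it exists" step would miss.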

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    119
    I love it when new SecurityFocus.com articles come out.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    If you grab this rootkit and try to unzip it, Norton will nail it right away. What would be interesting to see is if Norton keys on the default filename or actual lines of code within the exe file.

    I am going to rename the files within the ZIP file and see what Norton does when I unzip it. Hopefully they are smart enough to base the signature on code, not a filename.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
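The experiment thehorse13 describes (rename the files inside the ZIP and see whether Norton still fires on extraction) can be modelled offline. This is an added example, not code from the thread or from any AV vendor: the driver bytes, the byte-pattern signature and the hash are constructed stand-ins, not the real ierk8243.sys or any real vendor signature. It goes slightly beyond the post by adding a third case, a one-byte change to the renamed file, which separates a hash-based signature from a byte-pattern one.

```python
import hashlib
import io
import re
import zipfile
from typing import List, Tuple

# Constructed stand-in for the driver: NOT the real ierk8243.sys, just a PE-like
# header fragment plus a marker string for the content rule to find.
FAKE_DRIVER = (b"MZ" + b"\x00" * 62
               + b"This program cannot be run in DOS mode."
               + b"\x00" * 16 + b"SLANRET-MARKER" + b"\x00" * 32)

# Three styles of rule a scanner might use. Only the first depends on the name.
FILENAME_RULE = re.compile(r"ierk8243\.sys$", re.IGNORECASE)
CONTENT_PATTERN = b"SLANRET-MARKER"                       # assumed byte-sequence signature
CONTENT_SHA256 = hashlib.sha256(FAKE_DRIVER).hexdigest()  # assumed whole-file hash signature


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory ZIP with one member; stands in for the downloaded archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def scan_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, rule_name) for every rule that fires on each member."""
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if FILENAME_RULE.search(info.filename):
                hits.append((info.filename, "filename"))
            if CONTENT_PATTERN in data:
                hits.append((info.filename, "byte-pattern"))
            if hashlib.sha256(data).hexdigest() == CONTENT_SHA256:
                hits.append((info.filename, "sha256"))
    return hits


def rules_fired(zip_bytes: bytes) -> List[str]:
    """Distinct rule names that fired, sorted so results are easy to compare."""
    return sorted({rule for _, rule in scan_zip(zip_bytes)})


if __name__ == "__main__":
    cases = {
        "original name":          build_zip("ierk8243.sys", FAKE_DRIVER),
        "renamed":                build_zip("readme.txt", FAKE_DRIVER),
        "renamed + 1 byte added": build_zip("readme.txt", FAKE_DRIVER + b"\x00"),
    }
    for label, archive in cases.items():
        print("%-24s -> %s" % (label, ", ".join(rules_fired(archive)) or "nothing"))
```

If a scanner's verdict changes between the first and second case, it keyed on the filename; if it changes between the second and third, it keyed on a whole-file hash. A rule that still fires in the third case is the kind thehorse13 is hoping for.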

  6. #6
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    I'm pretty sure Norton uses something similar to signatures to nab malware?
    yeah, I'm gonna need that by friday...
