skip to main |
skip to sidebar
This paper also introduces .NET-Sploit 1.0 - a new tool for building MSIL rootkits that will enable the user to inject preloaded/custom payload to the Framework core DLL.
Download and more info
In this paper we will analyse more deeply the structure of this malware, especially the polymorphic part that represents a typical sample of hostile code. Starting from the first load into IDA we can see that Megania's PE structure and Import Table destroyed, this is how looks from WinGraph:
Download PDF
Countering Kernel Rootkits with Lightweight Hook Protection
Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits is to protect such hooks from being hijacked. However, it remains a challenge because there exist a large number of widely-scattered kernel hooks and many of them could be dynamically allocated from kernel heap and co-located together with other kernel data. In addition, there is a lack of flexible commodity hardware support, leading to the socalled protection granularity gap kernel hook protection requires byte-level granularity but commodity hardware only provides pagelevel protection.
Source: Schneier on Security
Download PDF
The Stoned Bootkit is a rootkit that is booted before the main operating system has, and is able to stay and hide itself in memory during execution of the guest operating system. The payload is executed beside the running operating system and comes with the bootkit. Stoned is designed to be operating system independent, it is multiplatform. It currently supports all 32-bit and 64-bit Windows systems and Linux.
It allows a very wide abstraction of the program and the running base, this means it is a new deployment platform of software. The current proof of concept payloads are a local privilege escalation and a remote surveillance tool. The platform, however is open for third-party future development.
The bootkit itself has an integrated module and plugin structure which allows extending its core features without touching the core code. New in this version is that it is totally independent from media, it can be started from hard disk (master boot record), but also CD/DVD/BD or even over the network.
Download PDF
Tuluka is a new powerful AntiRootkit, which has the following features:
Detects hidden processes, drivers and devices
Detects IRP hooks
Identifies the substitution of certain fields in DRIVER_OBJECT structure
Checks driver signatures
Detects and restores SSDT hooks
Detects suspicious descriptors in GDT
IDT hook detection
SYSENTER hook detection
Displays list of system threads and allows you to suspend them
IAT and Inline hook detection
and much more ...
Download: http://www.tuluka.org
More Info: http://www.rootkit.commuch more...
Posts
