To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

Yes, it's a nasty beast... try to google "System32:18467".

http://www.gmer.net/files.php
http://forums.spywareinfo.com/index.php?showtopic=76762&st=0
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.rustock.a.html

It uses ADS, but that's not the only improved technique; this RK also:

- hooks kernel API through MSR_SYSENTER
- patches the kernel image to avoid discrepancies in the MSR offset
- unlinks its driver from the kernel module list (similar to the DKOM technique)
- creates a SYSTEM thread to lock its ADS file
- ... it's polymorphic!
- downloads and installs ICQ
- runs also in safe mode
- has offensive retro-code against RK detectors
- sends spam (contains the PDB string "spambot")

When installed on a machine it can't be detected by rkrevealer/icesword/blacklight. :(
You can detect its presence using GMER or with the latest DarkSpy.
IceSword is only able to see the driver registry key "pe386".

EF

----- Original Message -----
From: "Gadi Evron" <[EMAIL PROTECTED]>
To: <[email protected]>
Cc: <[email protected]>
Sent: Sunday, June 11, 2006 3:14 PM
Subject: [botnets] NTFS Streams rootkit?

> First reported in 1998
> (http://www.securiteam.com/windowsntfocus/3H5PQS0N5G.html) and reported
> since every couple of years or so (last time was last week on bugtraq),
> now (that we know of) there is apparently a rootkit using this technique.
>
> Check out this discussion at Sysinternals:
> http://www.sysinternals.com/forum/forum_posts.asp?TID=6084&PN=1
>
> Gadi.

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law
enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
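The ADS hiding technique discussed in the thread can be checked for from the defender's side by enumerating every stream attached to a file or directory and flagging anything besides the default unnamed stream. Added example, not code from the thread or from any of the tools it names: a Python script using the Win32 FindFirstStreamW/FindNextStreamW API via ctypes; the stream name ":18467:$DATA" used in the comments and test is constructed from the "System32:18467" hint above, and the default target path is an assumption.

```python
import ctypes
import sys

# FindFirstStreamW reports the default (unnamed) data stream as "::$DATA";
# any other name is a named alternate data stream.
DEFAULT_STREAM = "::$DATA"
MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def named_streams(stream_names):
    """Return the streams other than the default unnamed data stream.

    A driver parked in an ADS on the System32 directory shows up here as a
    named stream such as ":18467:$DATA" (constructed from the thread's hint).
    """
    return [s for s in stream_names if s != DEFAULT_STREAM]


def list_streams(path):
    """Enumerate all NTFS streams of a file or directory (Windows only)."""
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint,
                                     ctypes.c_void_p, ctypes.c_uint]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    invalid_handle = ctypes.c_void_p(-1).value
    data = WIN32_FIND_STREAM_DATA()
    # InfoLevel 0 = FindStreamInfoStandard; dwFlags is reserved and must be 0.
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle == invalid_handle:
        raise ctypes.WinError(ctypes.get_last_error())
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # FALSE with ERROR_HANDLE_EOF ends the enumeration
    finally:
        k32.FindClose(handle)
    return names


if __name__ == "__main__":
    # Assumed default target; pass another path on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for name in named_streams(list_streams(target)):
        print(target + name)
```

Run it as an administrator against the system directory; a named stream on a directory is rarely legitimate and is the kind of finding GMER exposes as well.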
