> Some of them can (almost) hide from everything
> because of the way they integrate.

Not everything...check out my book.

> Even hashes won't work for program execution detection very
> well.

I'm not entirely clear on how a hash of a file pertains to detecting the execution of a program...can you explain?

> Ok so you argue that to find it all you have to do
> is name a file "_root_ ... Filename" and see if it disappears.

But that's *only* if you use Greg Hoglund's proof of concept NT kernel-mode rootkit. If someone has the ability to install such a thing, they already have greater control of the box than you do.

> Of course there are some limitations here. Once a
> virus uses a specific make of it a signature that discovers the "keyphrase" of
> that make can be crafted for the AV.

Unless it's placed someplace on the system not viewed by the A/V.

> Another option is morphic code that is self
> referencing. Both of those options take this well
> out of script kiddie land.

Dude, I have to say...you crack me up! Really! So far, you've just been using incorrect terms in most cases...but now you're using partially correct (i.e., it's not "morphic", it's "polymorphic")...though I have no idea what you're referring to when you say "self referencing".

> You are right when you say that they cannot be
> "completely" invisible (that would make them useless) but in the Win world even
> one that makes Task manager, Regedit and filemanager / CLI useless
> creates significant troubleshooting problems for normal admins.

I'd agree with that, and include the fact that it can be overcome with knowledge. I've outlined a good deal of this knowledge in my book, "Windows Forensics and Incident Recovery".

> Add to the possibility of having
> to customize AV monitoring mechanisms away from the
> standard windows DLLs and you get some problems.

???

> The possible combinations invoke visions of scary
> viruses.

Viruses don't scare me. Worms and trojans do.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
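The "name a file `_root_...` and see if it disappears" check discussed in the thread, written out as a small defender-side probe. This is an added example, not code from either poster; it assumes only what the thread states (that Hoglund's NT rootkit PoC hides names carrying the `_root_` prefix from directory listings) and, as the reply above points out, it detects nothing else. The prefix constant, the function names and the marker filename are this example's own choices. It creates a marker file, checks it through several independent views of the file system, and removes it again; a file you just wrote that then fails to appear in a listing is the anomaly being hunted.

```python
import os
import tempfile

# Hypothetical constant for this example: the filename prefix the thread says
# Hoglund's NT rootkit PoC hides from listings. Other rootkits use other
# tricks, so a clean result here proves only the absence of that one behaviour.
HIDE_PREFIX = "_root_"


def _stat_ok(path: str) -> bool:
    """True if os.stat() succeeds on the path (a fourth, independent view)."""
    try:
        os.stat(path)
        return True
    except OSError:
        return False


def probe_hidden_prefix(directory: str, prefix: str = HIDE_PREFIX) -> dict:
    """Write a marker file named <prefix>probe.tmp into `directory`, then ask
    four different file-system views whether it is visible.

    Returns a dict with one boolean per view plus "all_visible". Any False
    means the file we just created is being withheld from that view, which is
    exactly the symptom the thread describes. The marker is always cleaned up.
    """
    name = prefix + "probe.tmp"
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("probe\n")
    try:
        views = {
            "in_listdir": name in os.listdir(directory),
            "in_scandir": any(e.name == name for e in os.scandir(directory)),
            "exists": os.path.exists(path),
            "stat_ok": _stat_ok(path),
        }
    finally:
        # Remove the marker even if a view raised; ignore it if it is already gone.
        try:
            os.remove(path)
        except FileNotFoundError:
            pass
    views["all_visible"] = all(views.values())
    return views


def run_probe_in_tempdir(prefix: str = HIDE_PREFIX) -> dict:
    """Convenience wrapper: run the probe in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_hidden_prefix(tmp, prefix)


if __name__ == "__main__":
    # Run the suspect prefix and a neutral control prefix side by side; on a
    # clean host both report all_visible=True. A mismatch between the two
    # (control visible, suspect prefix not) is the signal worth investigating.
    for p in (HIDE_PREFIX, "plain_"):
        print(p, run_probe_in_tempdir(p))
```

Run it against a directory on the suspect volume rather than only a temp directory if you want the probe to exercise the same path the hidden files would take; the neutral `plain_` control is there so that a generic listing failure (permissions, a full disk) is not mistaken for hiding.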
