Attack of the "trojan/rootkit/virus"



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FRustock.A!gen

http://www.viruslist.com/en/analysis?pubid=204792011



Re: Attack of the "trojan/rootkit/virus"




| http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FRustock.A!gen

| http://www.viruslist.com/en/analysis?pubid=204792011



Old stuff -- Why are you posting this ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Attack of the "trojan/rootkit/virus"





Because they call this "rootkit" both a "trojan" and a "virus". It just
seemed to me that it can't very well be both.



Re: Attack of the "trojan/rootkit/virus"





| Because they call this "rootkit" both a "trojan" and a "virus". It just
| seemed to me that it can't very well be both.


OK  :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Attack of the "trojan/rootkit/virus"



Right, so if you use "malware", you cover both...

--






Re: Attack of the "trojan/rootkit/virus"



That's fine for most purposes, but there comes a time when one needs to
know what exactly a malware program [is/does].

Most experts label non self-replicating malware programs as trojans and
self-replicating ones as viruses (or worms).

I am quite used to the "Virus found" alerts stating a trojan was found -
that's not what I'm finding here - I'm finding technical details
suggesting that this malware trojan is viral.

In the first case

1) it infects programs (code injection into processes named 'explorer')
2) it copies itself to an NTFS volume (as a file or as an ADS to a
directory)

As these functions seem disjoint (and non-recursive), I think it falls
short of being viral.

In the second case

"The rootkit was classified as Virus.Win32.Rustock.a, since Rustock is
in fact a fully functional file virus that operates in kernel mode."

I've even seen some write-ups that claim that it is "polymorphic"
because it is variously encrypted when it lands on new hardware. True in
the sense that it may be self-responsible for its many different forms,
but I'm more used to polymorphic being a label of spreading mode for
viruses and not for being variously encrypted using some hardware
constant as a decryption key.

As an aside not related to this malware, I'm also wondering about the
oxymoronic "user mode rootkit" - if it is a user mode entity, what does
"root" have to do with it?

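For the second behaviour listed above (a copy stored as an alternate data stream attached to a directory), a defender can enumerate named streams on directories, since a directory normally carries none. This is an added example, not code from the thread or from either write-up; it assumes Windows PowerShell 5.0 or later, and the root path and depth are assumed defaults to adjust.

```powershell
# Added example: list alternate data streams (ADS) attached to directories.
# A directory has no ':$DATA' default stream, so any stream reported is named.
param(
    [string]$Root = 'C:\',   # assumption: start at the system volume root
    [int]$MaxDepth = 3       # assumption: limit recursion to keep the scan quick
)

function Get-DirectoryAds {
    param([Parameter(Mandatory)][System.IO.DirectoryInfo]$Directory)
    # -Stream * asks the FileSystem provider for every stream on the object
    Get-Item -LiteralPath $Directory.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Directory = $Directory.FullName
                Stream    = $_.Stream
                Bytes     = $_.Length
            }
        }
}

# Scan the root itself plus its subdirectories (hidden ones included via -Force)
$scan  = @(Get-Item -LiteralPath $Root)
$scan += Get-ChildItem -LiteralPath $Root -Directory -Force -Recurse -Depth $MaxDepth `
                       -ErrorAction SilentlyContinue

$scan | Where-Object { $_ } | ForEach-Object { Get-DirectoryAds -Directory $_ } |
    Format-Table -AutoSize
```

Any directory that shows up here deserves a look; the stream contents can be read with Get-Content -LiteralPath <dir> -Stream <name> without executing them.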



Re: Attack of the "trojan/rootkit/virus"





I can accept it as being a rabbit jumping from service to service once
installed on the system.



Re: Attack of the "trojan/rootkit/virus"





I attended a conference a few months ago that had a talk about non-admin
user virus issues. Even if not an admin, the CEO of a company still has
access to critical data and info. If the CEO were to get a virus or
malware, the results for that company or user could be devastating.

Simply removing admin privs from everyone is not necessarily the
end all answer. So when I hear about "user mode rootkit", it makes
me wonder if that would be similar.

--




Re: Attack of the "trojan/rootkit/virus"






| I attended a conference a few months ago that had a talk about non-admin
| user virus issues. Even if not an admin, the CEO of a company still has
| access to critical data and info. If the CEO were to get a virus or
| malware, the results for that company or user could be devastating.

| Simply removing admin privs from everyone is not necessarily the
| end all answer. So when I hear about "user mode rootkit", it makes
| me wonder if that would be similar.

| --

You are correct that "Simply removing admin privs from everyone is not
necessarily the end all answer." when you take into consideration the
exploitation/vulnerability vector in terms of buffer overflow conditions
and an elevation of privileges.

However, it does reduce the capacity to be infected to some degree.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Attack of the "trojan/rootkit/virus"




Running as a limited rights user only makes it more difficult for
malware to be sticky. Since the malware has the rights of the user,
there is still much that it *can* do.


There are no "end all" answers, only measures that can be taken to
reduce impact.

The "root" in rootkit is the *nix term for the higher privilege account.
The "kit" refers to a set of modified programs (tools and utilities)
that a user with root privileges could use to replace the ones on the
target system (to hide nefarious activities from the victim). The
attacker needed to have root privileges in order to implement the kit.

Now, both "root" and "kit" no longer apply to what is actually happening
in a user mode rootkit scenario. Granted, it is the Windows equivalent
of a similar purpose, to hide certain information (about nefarious
activities) from the user.



Re: Attack of the "trojan/rootkit/virus"







| Running as a limited rights user only makes it more difficult for
| malware to be sticky. Since the malware has the rights of the user,
| there is still much that it *can* do.


| There are no "end all" answers, only measures that can be taken to
| reduce impact.

| The "root" in rootkit is the *nix term for the higher privilege account.
| The "kit" refers to a set of modified programs (tools and utilities)
| that a user with root privileges could use to replace the ones on the
| target system (to hide nefarious activities from the victim). The
| attacker needed to have root privileges in order to implement the kit.

| Now, both "root" and "kit" no longer apply to what is actually happening
| in a user mode rootkit scenario. Granted, it is the Windows equivalent
| of a similar purpose, to hide certain information (about nefarious
| activities) from the user.


A little something by Marco Giuliani of Prevx on the most prevalent RootKit threat:
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Attack of the "trojan/rootkit/virus"




Thanks David.

That's one stealthy sucker.

...let's just hope that no wormable exploit comes along that gets admin
rights.


