One of the many features Microsoft has included in Vista is PatchGuard v2. Skywing has posted a great article on Uninformed about subverting PatchGuard v2. The protection mechanisms Microsoft employs are some of the exact same ones that malware authors have been using for years.
There are some startling techniques that Microsoft is using to protect PatchGuard from reverse engineering and modification. One of them is a standard anti-debugging check: rather than user mode's IsDebuggerPresent, PatchGuard reads the kernel's KdDebuggerNotPresent flag to make sure it isn't running under a kernel debugger. The next protection mechanism is self-decrypting and self-modifying code inside the integrity-check routine. Skywing has done a great job of outlining the defenses that are taken, as well as methods for subverting them.
PatchGuard is meant to protect against unauthorized modifications of the Vista kernel. In essence, Microsoft does not want you to modify their kernel with your bad code. While these mechanisms are useful for keeping rootkits out, as Skywing has pointed out they can be bypassed.
Lately a lot of malware has been using rootkit techniques. Private and antivirus companies are trying to develop tools against it but, despite the fact that most of the techniques are well documented around the net, only a few companies are getting positive results. This particular malware is a perfect example: when it came out, only a few tools were able to recognize its nasty operations. I don't know what you think, but that sounds a little bit strange to me.
Nothing new, nothing special... just a malware analysis from me.
Virtual Machine Threats by Symantec Research
As virtual machine emulators have become commonplace in the analysis of malicious code, malicious code has started to fight back. This paper describes known attacks against the most widely used virtual machine emulators (VMware and VirtualPC). This paper also demonstrates newly discovered attacks on other virtual machine emulators (Bochs, Hydra, QEMU, and Xen), and describes how to defend against them.
The Unreal rootkit hides a file and a driver. It works on NT-based operating systems with NTFS file systems. It doesn't have a process, so it doesn't hide processes! It also does not hide registry keys, so no registry keys are hidden! Make sure that you have read this post before you start tests or write something.
Pretty interesting read.
It seems like no rootkit detector is able to detect this.
SAVE seeks to classify closely related pieces of malicious software so that future variants can be identified. The core idea is a good one: the bytes of a piece of malware are modified to obfuscate its signature. The stated goal is to modify it in such a way that it is possible to fool antivirus scanners. This is done in five different ways.
- Null operations are inserted into dead code. Given the section of code being modified, NOP instructions are inserted at various places in that region; the bytes a signature would match on change, while the program's behaviour does not.
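The following Python is an added illustration (not code from the SAVE paper or from the original post) of why the NOP-insertion trick defeats a plain byte signature, and of the kind of normalization a sequence-based classifier can fall back on. The instruction bytes, the signature and the bigram-Jaccard measure are all constructed for this example and are not taken from any real sample or from SAVE itself.

```python
"""NOP-insertion signature evasion, and a normalization that undoes it."""
import hashlib
from typing import Iterable, List, Set, Tuple

NOP = b"\x90"  # single-byte x86 NOP

# Constructed sample (not from any real malware): a short x86 prologue/epilogue
# already split at instruction boundaries, as a disassembler would present it.
ORIGINAL: List[bytes] = [
    b"\x55",          # push ebp
    b"\x89\xe5",      # mov ebp, esp
    b"\x83\xec\x10",  # sub esp, 0x10
    b"\x31\xc0",      # xor eax, eax
    b"\xc9",          # leave
    b"\xc3",          # ret
]

# A naive byte signature covering "sub esp, 0x10; xor eax, eax" (constructed).
SIGNATURE = b"\x83\xec\x10\x31\xc0"


def insert_nops(insns: List[bytes], before: Iterable[int]) -> List[bytes]:
    """Obfuscate: insert a NOP in front of each instruction index in `before`.

    Working on the instruction list keeps every real instruction intact;
    inserting at arbitrary byte offsets would corrupt multi-byte encodings.
    """
    targets = set(before)
    out: List[bytes] = []
    for i, insn in enumerate(insns):
        if i in targets:
            out.append(NOP)
        out.append(insn)
    return out


def raw_bytes(insns: List[bytes]) -> bytes:
    return b"".join(insns)


def signature_hit(insns: List[bytes], signature: bytes) -> bool:
    """What a plain byte-pattern scanner does: substring match on the raw bytes."""
    return signature in raw_bytes(insns)


def md5_hex(insns: List[bytes]) -> str:
    """Whole-file hash of the code region; any inserted byte changes it."""
    return hashlib.md5(raw_bytes(insns)).hexdigest()


def strip_nops(insns: List[bytes]) -> List[bytes]:
    """Normalize: drop NOP *instructions*. Filtering whole instructions rather
    than bytes means a 0x90 inside an immediate or displacement is never removed."""
    return [i for i in insns if i != NOP]


def bigrams(insns: List[bytes]) -> Set[Tuple[bytes, bytes]]:
    return set(zip(insns, insns[1:]))


def bigram_jaccard(a: List[bytes], b: List[bytes]) -> float:
    """Jaccard similarity over instruction bigrams: 1.0 means identical sequences."""
    ga, gb = bigrams(a), bigrams(b)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


# One NOP dropped in front of "xor eax, eax": behaviour unchanged, bytes not.
OBFUSCATED = insert_nops(ORIGINAL, before=[3])

if __name__ == "__main__":
    print("signature on original  :", signature_hit(ORIGINAL, SIGNATURE))
    print("signature on obfuscated:", signature_hit(OBFUSCATED, SIGNATURE))
    print("md5 changed            :", md5_hex(ORIGINAL) != md5_hex(OBFUSCATED))
    print("bigram similarity raw  :", round(bigram_jaccard(ORIGINAL, OBFUSCATED), 3))
    print("bigram similarity norm :", bigram_jaccard(ORIGINAL, strip_nops(OBFUSCATED)))
```

A single inserted byte is enough to break both the substring signature and the file hash, while comparing the instruction stream after dropping NOPs gives back an exact match; the raw bigram similarity sits in between, which is why similarity-based classifiers report a score rather than a yes/no.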
The Internet Storm Center has a post about a strange variant of the Big Yellow Worm that has been scanning an unusual port:
The port in question (2968/tcp) is reportedly used by the Netware version of SAV. Specifically, it's the port that rtvscan.nlm listens on. It also happens to be one off from the normal SAV port (2967/tcp). I had a chance to go over some of the captures that this beastie is sending out, and it is identical to a variant that was released just before Christmas. No differences to account for the fact that it's attacking a Netware system.
I stumbled across a new variant of the Graybird trojan last night. Overall it seems to be pretty standard. It drops a file called prsvr.exe (a copy of itself) in the system32 directory. It also creates a small batch file called DELME.bat that it uses to delete the initial .exe file. It creates multiple startup entries in the registry, almost all of which can be identified by searching for "prsvr.exe" or "Procedure Distribution Service".
On the network side of the house it sends out DNS lookup requests for 44384.ipread.com, which resolves to 18.104.22.168 (a netblock in China). It then tries to connect to this IP on port 8000, presumably to download the next stage. Alas for this critter, the remote system seems to have been cleaned, since all it gets back are RST packets.
ef430c604d3ba7aede5ef69679497a74 citi.scr 487,936 bytes
f5d9f30e2b83daf503e26ebf06604a27 fotos.scr 415,744 bytes
b15afa599cc10f86a8d7ea63376d6843 downloader.exe 48,640 bytes
058377b3fea342a37bf08aa9eb683550 clientsrv.exe 589,312 bytes