A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #385  by EP_X0FF
 Mon Mar 22, 2010 12:41 pm

Since no information was provided (even privately) and regarding to muel-labs blog entry (PspCidTable, SwapContext bypassing) this rootkit can be easily detected.
But since we don't have sources or sample more likely it was just a non workable proof-of-concept or author (disappeared also) BS ;)

 #387  by Alex
 Mon Mar 22, 2010 1:29 pm
Probably no-one have samples of these rootkits, but as my tests show, it is easy to bypass all public detectors. I believe thet private detectors use some additional detection method, so they probably could detect these rootkits and my testing samples. Author of these rootkits claimed that own thread scheduler is the best solution for process/thread hiding. He was right, but it is possible to hide processes/threads even without any advanced thread scheduler and this was done in Invisible Process 1.0.

 #388  by EP_X0FF
 Mon Mar 22, 2010 1:45 pm
Alex wrote:Author of these rootkits claimed that own thread schedule
I believe it worked only on authors machines :mrgreen:
 #424  by EP_X0FF
 Wed Mar 24, 2010 6:24 pm
Topic moved to General Discussion because it's malware unrelated