A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #1977  by cjbi
 Sat Aug 14, 2010 3:10 pm
Title: Exploring Rootkit Detectors’ Vulnerabilities Using a New Windows Hidden Driver Based Rootkit
Subject: IEEE International Conference on Social Computing / IEEE International Conference on Privacy, Security, Risk and Trust
Authors: Woei-Jiunn Tsaur, Yuh-Chen Chen

Download: ftp://ftp.computer.org/press/outgoing/p ... 11a842.pdf

Interesting!
 #1978  by EP_X0FF
 Sat Aug 14, 2010 3:25 pm
Thanks for posting. In fact they did nothing new. I see adopted rkdemo (more to say, it looks like totally copy-pasted)/phide_ex/unreal methods. Researching 3-year-old methods again is something strange :) Because this rootkit actually does nothing, it was undetected. Unreal/phide_ex were detected by the traces they leave while working (because it is nearly impossible to hide them all). For me it is unknown why the authors still use DKOM for the loaded driver, while kernel-mode-loader-based rootkits have been ITW for almost 3 years. So the techniques described in this paper are totally out of date. Yet again, without public retesting of this sample or publishing valuable proofs, nobody can claim bypassing of something.
 #1979  by cjbi
 Sat Aug 14, 2010 3:39 pm
EP_X0FF, you are welcome, and thank you for the reply!
EP_X0FF wrote:Yet again, without public retesting of this sample or publishing valuable proofs, nobody can claim bypassing of something.
Yes, I really agree with you.
 #1980  by Alex
 Sat Aug 14, 2010 3:54 pm
Thanks for the link!
In fact they did nothing new.
Yes, because even old demo rootkits used object and object header erasing. But on the other hand, object and object header erasing is truly a weakness of almost all detectors - Hidden Driver Detection Test. I can guess why CodeWalker isn't among the tested software :D

Alex
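The "traces" EP_X0FF refers to, and the list-unlinking Alex calls a weakness of most detectors, both come down to cross-view detection: a driver unlinked from the loaded-module list by DKOM is still mapped in kernel memory, so a detector that compares the list view against a raw memory scan for PE headers sees the discrepancy. The following is an added toy model of that check written for this thread, not code from the paper, from the tested detectors, or from any of the posters. The memory image, the module layout, the image format (an MZ stub, e_lfanew at 0x3C, a PE signature and a name tag at 0x100) and all driver names are constructed stand-ins, and the "list view" is simulated with a dictionary rather than a real PsLoadedModuleList walk.

```python
"""Cross-view detection of a driver unlinked from the loaded-module list (toy model)."""
import struct

PAGE = 0x1000  # page granularity the scanner walks at


def make_image(name: str, pages: int) -> bytes:
    """Constructed stand-in for a mapped driver image: MZ/PE signatures plus a name tag."""
    img = bytearray(PAGE * pages)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew -> offset of "PE\0\0"
    img[0x80:0x84] = b"PE\0\0"
    img[0x100:0x100 + len(name)] = name.encode()     # name tag, assumption for the demo
    return bytes(img)


def build_memory(layout):
    """layout: list of (base, name, pages). Returns flat memory bytes and the ground-truth map."""
    end = max(base + PAGE * pages for base, _, pages in layout)
    mem = bytearray(end)
    truth = {}
    for base, name, pages in layout:
        mem[base:base + PAGE * pages] = make_image(name, pages)
        truth[base] = name
    return bytes(mem), truth


def scan_for_images(mem: bytes) -> dict:
    """Memory view: page-aligned scan for images that still carry valid PE headers."""
    found = {}
    for off in range(0, len(mem) - 0x84, PAGE):
        if mem[off:off + 2] != b"MZ":
            continue
        lfanew = struct.unpack_from("<I", mem, off + 0x3C)[0]
        if lfanew + 4 > PAGE or mem[off + lfanew:off + lfanew + 4] != b"PE\0\0":
            continue
        tag = mem[off + 0x100:off + 0x120].split(b"\0", 1)[0]
        found[off] = tag.decode(errors="replace")
    return found


def cross_view(list_view: dict, scan_view: dict):
    """Compare the module-list view with the memory view.

    hidden  = images present in memory but missing from the list (DKOM unlinking)
    phantom = list entries with no backing image (stale or forged entries)
    """
    hidden = {b: n for b, n in scan_view.items() if b not in list_view}
    phantom = {b: n for b, n in list_view.items() if b not in scan_view}
    return hidden, phantom


def demo():
    """Constructed scenario: three mapped images, one of them unlinked from the list."""
    mem, truth = build_memory([
        (0x10000, "ntoskrnl.exe", 4),   # constructed layout, not real addresses
        (0x20000, "ndis.sys", 2),
        (0x30000, "hidden.sys", 1),
    ])
    # Simulated DKOM: the entry disappears from the list view, the image stays mapped.
    list_view = dict(truth)
    del list_view[0x30000]
    hidden, phantom = cross_view(list_view, scan_for_images(mem))
    return hidden, phantom


if __name__ == "__main__":
    hidden, phantom = demo()
    for base, name in hidden.items():
        print(f"hidden driver image at {base:#x}: {name}")
    for base, name in phantom.items():
        print(f"list entry without image at {base:#x}: {name}")
```

The header scan is only one view, and it is exactly the one that object and object header erasing is aimed at: a rootkit that wipes its PE header after loading leaves nothing for this scanner to match, which is why Alex's point about that technique matters. A practical detector therefore combines several independent views (module list, PE-header scan, pool allocations, registered callbacks, IRP dispatch targets) and treats any disagreement between them as a finding.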