#12217 by ResearchMalware, Mon Mar 19, 2012 10:38 am
Hi All,

I have gone through some of the 64 bit rootkit threads and observed that none of them actually hide any files in the infected machine that traditional 32 bit rootkit droppers used to do. Is there any family that does this in 64 bit Windows?

Thanks in Advance!!
#12226 by EP_X0FF, Tue Mar 20, 2012 3:08 am
Such hiding is ineffective. Additionally, PatchGuard and digital certificates complicate this on x64. However, some trashware like SpyEye (user mode) should be working.
#12284 by EP_X0FF, Fri Mar 23, 2012 9:02 am
ResearchMalware wrote: I tried that sample, it creates the x64drvsys folder in C:. However, it is not hidden, as I am able to view the files through explorer.exe itself.
You should clarify what exactly you want: a ready-to-test rootkit with hooks for x64, or a pointer to a type of malware that can "theoretically" operate on / be ported to x64 without big pain for malware writers. Obviously 32-bit SpyEye is restricted in its rootkit capabilities on x64 Windows.
#12285 by rkhunter, Fri Mar 23, 2012 9:12 am
ResearchMalware wrote: I tried that sample, it creates the x64drvsys folder in C:. However, it is not hidden, as I am able to view the files through explorer.exe itself.
Same result for me too (also after reboot): only the hidden attribute on the directory.
#12286 by ResearchMalware, Fri Mar 23, 2012 9:20 am
EP_X0FF wrote:
ResearchMalware wrote: I tried that sample, it creates the x64drvsys folder in C:. However, it is not hidden, as I am able to view the files through explorer.exe itself.
You should clarify what exactly you want: a ready-to-test rootkit with hooks for x64, or a pointer to a type of malware that can "theoretically" operate on / be ported to x64 without big pain for malware writers. Obviously 32-bit SpyEye is restricted in its rootkit capabilities on x64 Windows.

OK. I want to investigate a 64-bit rootkit that hides files and test my scripts on it. I am doing it for learning purposes, to improve my knowledge about 64-bit rootkits. For that I would be content even if I am only able to find a proof-of-concept or toy rootkit that hides files on 64-bit systems.
#12293 by kmd, Fri Mar 23, 2012 2:53 pm
I may be wrong, but none of them is x64 compatible: NgrBot, SpyEye, Carberp, Zeus are all x86.
The splicing technique on x64 is pretty much the same.
#12296 by ResearchMalware, Fri Mar 23, 2012 4:31 pm
Thanks kmd. I agree.

Maybe, if I am lucky, I will at least be able to spot some proof-of-concepts that hide files on x64 using some kind of hooking... not sure. I will update if I manage to get one or write some sample code. Though I am not fluent at writing code with the WDK, I will try. :-)

--VL.