A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #4884  by EP_X0FF
 Fri Feb 04, 2011 5:31 pm
How might somebody have a sample, if this stuff is not yet released?
I don't understand why this rootkit is undetectable...
According to the original "Cached Data Attack" published in 2008, the main goal of this technique was on-the-fly patching of kernel memory belonging to registry hives.
In simple words:

1. the virtual memory address of the key is located
2. the address of the sensitive data value (the one that holds the administrator hashes) is determined
3. the value is overwritten with precomputed fake data

Since this was done without using the Configuration Manager's internal/external mechanisms, the data wasn't flushed to disk (as Windows normally does with registry hives: it creates a list of so-called dirty bins when a registry value is written and then schedules a hive flush).

This is detectable via cross-checking of the in-memory hive against the on-disk hive. Volatility, for example, does it.

Thread moved, because it's unrelated to malware.
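The cross-check described in the post above, written out as an added example (it is not code from the poster or from Volatility). It models a hive as a list of cells at known offsets, compares the kernel's cached copy against the file copy, and treats a cell that differs without its bin being on the dirty list as an out-of-band patch. The `Cell` type, the dirty-bin set, the 4 KiB bin mapping and all sample cells are constructed for this example; real hive parsing is out of scope.

```python
"""Cross-check an in-memory registry hive view against its on-disk copy.

Added example, not from the forum post or from Volatility. It models the
detection idea described above: a cell whose in-memory bytes differ from the
on-disk bytes while no dirty-bin record covers it was patched behind the
Configuration Manager's back. The Cell type, the dirty_bins set and all
sample data below are constructed for this example.
"""
from dataclasses import dataclass
import hashlib

# Hive bins (HBIN blocks) are multiples of 4 KiB; the example maps a cell
# offset to its bin at that granularity (simplification: one bin per 4 KiB).
BIN_SIZE = 0x1000


@dataclass(frozen=True)
class Cell:
    offset: int   # offset of the cell within the hive data
    name: str     # key/value path, for reporting only
    data: bytes   # raw cell contents


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bin_of(offset: int) -> int:
    """Index of the (assumed 4 KiB) bin that contains this offset."""
    return offset // BIN_SIZE


def cross_check(in_memory, on_disk, dirty_bins):
    """Return a list of (finding, name, offset) tuples.

    finding is one of:
      'pending_flush'   - differs, but its bin is marked dirty (normal write)
      'unflushed_patch' - differs and no dirty bin covers it (suspicious)
      'missing_on_disk' - cell exists only in memory
    """
    disk_by_offset = {c.offset: c for c in on_disk}
    findings = []
    for cell in in_memory:
        disk = disk_by_offset.get(cell.offset)
        if disk is None:
            findings.append(("missing_on_disk", cell.name, cell.offset))
            continue
        if _digest(cell.data) == _digest(disk.data):
            continue
        kind = "pending_flush" if bin_of(cell.offset) in dirty_bins else "unflushed_patch"
        findings.append((kind, cell.name, cell.offset))
    return findings


# --- constructed sample data -------------------------------------------------
# Cells as read from the SAM hive file. The 'V' value under a user's RID key is
# where SAM keeps the password hash material; 'F' holds account flags/counters.
ON_DISK = [
    Cell(0x1020, r"SAM\Domains\Account\Users\000001F4\V", b"\x00" * 8 + b"HASH-BLOB-ON-DISK"),
    Cell(0x2040, r"SAM\Domains\Account\Users\000001F5\V", b"\x00" * 8 + b"GUEST-BLOB"),
    Cell(0x3008, r"SAM\Domains\Account\Users\000001F5\F", b"\x02\x00\x00\x00"),
]

# The same cells as seen in the kernel's cached copy of the hive.
IN_MEMORY = [
    # patched directly in memory: bytes differ, bin 1 is not on the dirty list
    Cell(0x1020, r"SAM\Domains\Account\Users\000001F4\V", b"\x00" * 8 + b"HASH-BLOB-FAKE!!!"),
    Cell(0x2040, r"SAM\Domains\Account\Users\000001F5\V", b"\x00" * 8 + b"GUEST-BLOB"),
    # legitimately written through the registry API: bin 3 is dirty
    Cell(0x3008, r"SAM\Domains\Account\Users\000001F5\F", b"\x03\x00\x00\x00"),
]

DIRTY_BINS = {bin_of(0x3008)}


def suspicious_cells(in_memory=IN_MEMORY, on_disk=ON_DISK, dirty_bins=DIRTY_BINS):
    """Only the findings that point at an out-of-band patch."""
    return [f for f in cross_check(in_memory, on_disk, dirty_bins)
            if f[0] == "unflushed_patch"]


if __name__ == "__main__":
    for kind, name, off in cross_check(IN_MEMORY, ON_DISK, DIRTY_BINS):
        print(f"{kind:16} 0x{off:06X} {name}")
```

The dirty-bin check is what separates a normal, not-yet-flushed write from a patch: a legitimate write goes through the Configuration Manager and marks its bin dirty, so a difference with no dirty bin behind it has no legitimate explanation.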
 #4886  by Flopik
 Fri Feb 04, 2011 6:45 pm
I have coded a registry parsing lib that will be able to view this kind of attack then. The user-mode registry API will return the spoofed data if I understand correctly.
This is far from being an advanced technique.