/idata%2F0406688%2Fkavkarel%2Fkavpart1a%2Fkavpart1tag_kavvsshellcodecalc.jpg)
FIRST PART based on the behaviour NB: "Accès refusé" on screenshots means "Access denied". 1) Execution protection a) with the TaskManager launched via Ctrl+Alt+Del: F1/F2 b) with srip32 launched by explorer.exe: F1/F2 c) with shellcode for running notepad.exe:...
/idata%2F0406688%2Fkavtestfin%2Fattackfev%2Fattackfev_kavvstrojademo.png)
These tests concerns endpoint threats: with the success of USB key, IPOd, and removable media, this is an excellent attack and infection vector. Tests a, b, and c are simple demo which dump the content of My Documents folders, and file type content (Slurp).Other...
/idata%2F0406688%2Fkavkarel%2Fkavseptembre%2Fhidderscan.jpg)
B) Classical ("hiders"/intrusion/hackers tools), malwares/automated and demo Rootkits: 1) Hidding a process with Trojan.Constructor.Uniskit.H (BitDefender): a) detection: P1/P2 By ProcessWalker: b) prevention: P1/P2 Servicedriver installation is detected.But...
/idata%2F0406688%2Fkavlastfev%2Frktlast%2Frkfine%2Frkfin0%2Fwire_wiretapstealthinstall.jpg)
C) Stealth keyloggers: Here only the detection is concerned : these commercial programs needs to be installed first with administrator privileges. Some keyloggers hide their own folders (not seen in Program Files folder). The result are often: F1: fail...
/idata%2F0406688%2Fkavlastfev%2Frktlast%2Fagonyrtkscan.jpg)
Rootkit prevention and detection A) Detection and prevention protection: Also for prevention (service/driver instalation, phisical memory access) see the part 1 (behaviour tests). Here we use Agony rootkit to hide file, registry key and active process.We...
/idata%2F0406688%2Fkavlastfev%2Fp23mai%2Fp23mai_backaladinoscan.jpg)
-Backdoor Aladino: P1/P2 -Backdoor Clindestine.152.a: P1/P2 Symantec? never heard of that... -Backdoor.Yuri (DrWeb and Panda have the more appropriated name): P1/P2 The "disable Task manager" choosed for the server is easily detected and blocked: -Backdoor...
/idata%2F0406688%2Fkavlastfev%2Fothermal%2Fotrmaldimtag_bdoorscan.jpg)
-Bdoor backdoor: P1/P2 -Hanuman Backdoor: F1/P2 This backdoor does not try to be permanent by wrinting the run key (F1): -HKShell backdoor: P1/P2 -ICMPDoor backdoor: P1/P2 NB. ICMP is consdered as a "poor protocol", but it is certainly one of the most...
/idata%2F0406688%2Fkavlastfev%2Favfine%2Fpart2%2Fpart2fin%2Fmaltroj_trojspybancos.jpg)
On part 7 and 8 we'll illustrate trojan spy and trojan bankers, a kind of brazilian speciality...People who use to surf on .br or .por domains should take a look at this site where an helpful forum and a specific tool are dedicated in the eradication...
/idata%2F0406688%2Fkavlastfev%2Favfine%2Fmalfine%2Fmalfinav_trojdownloader.small.dam.jpg)
-Trojan Downloader Small.dam: P1/P2 -Trojan Obfuscated.ev: P1/P2 -Trojan Spy Lmir.bgk: P1/P2 -Trojan Spy Mara.bo: P1/P2 -Trojan Spy Small.bs: P1/P2 Here again system process terminology is used: svchost is a generic process in relation with many services...
/idata%2F0406688%2Fkavlastfev%2Favfine%2Fpart2%2Fpart2fin%2Fmaltroj_trojspayqpass.jpg)
-Trojan Spy QQPass.rq: P1/P2 -Trojan Spy Bancos.tl: P1/P2 -Trojan Spy Bancos.yt: P1/P2 -Trojan Spy Banker.axc: P1/P2 -Trojan Spy Banker.ccc: P1/P2 -Trojan Spy PdPinch.gen: P1/P2 -Trojan Spy Banbra: P1/P2 -Backdoor Delf.ag: P1/P2 -Backdoor Shadows (detected...
