ROOTKIT TESTS B

B) Classical ("hiders"/intrusion/hacker tools), malware/automated and demo rootkits: 1) Hiding a process with Trojan.Constructor.Uniskit.H (BitDefender): a) detection: P1/P2 by ProcessWalker: b) prevention: P1/P2 Service/driver installation is detected. But...

STEALTH KEYLOGGERS TEST

C) Stealth keyloggers: here only detection is concerned: these commercial programs need to be installed first with administrator privileges. Some keyloggers hide their own folders (not seen in the Program Files folder). The results are often: F1: fail...

ROOTKIT TEST PART A

Rootkit prevention and detection. A) Detection and prevention protection: for prevention (service/driver installation, physical memory access) see also part 1 (behaviour tests). Here we use the Agony rootkit to hide a file, a registry key and an active process. We...

OTHER MALWARES Part 11

-Backdoor Aladino: P1/P2
-Backdoor Clindestine.152.a: P1/P2 Symantec? never heard of that...
-Backdoor.Yuri (DrWeb and Panda have the more appropriate name): P1/P2 The "disable Task Manager" option chosen for the server is easily detected and blocked:
-Backdoor...

OTHER MALWARES Part 5

-Bdoor backdoor: P1/P2
-Hanuman backdoor: F1/P2 This backdoor does not try to be persistent by writing the Run key (F1):
-HKShell backdoor: P1/P2
-ICMPDoor backdoor: P1/P2 NB. ICMP is considered a "poor protocol", but it is certainly one of the most...

OTHER MALWARES Part 7

In parts 7 and 8 we'll illustrate trojan spies and trojan bankers, a kind of Brazilian speciality... People who regularly browse .br or .por domains should take a look at this site, where a helpful forum and a specific tool are dedicated to the eradication...

OTHER MALWARES Part 10

-Trojan Downloader Small.dam: P1/P2
-Trojan Obfuscated.ev: P1/P2
-Trojan Spy Lmir.bgk: P1/P2
-Trojan Spy Mara.bo: P1/P2
-Trojan Spy Small.bs: P1/P2 Here again system process terminology is used: svchost is a generic process related to many services...

OTHER MALWARES Part 9

-Trojan Spy QQPass.rq: P1/P2
-Trojan Spy Bancos.tl: P1/P2
-Trojan Spy Bancos.yt: P1/P2
-Trojan Spy Banker.axc: P1/P2
-Trojan Spy Banker.ccc: P1/P2
-Trojan Spy PdPinch.gen: P1/P2
-Trojan Spy Banbra: P1/P2
-Backdoor Delf.ag: P1/P2
-Backdoor Shadows (detected...

OTHER MALWARES Part 8

-Backdoor VB.aw: P1/P2
-Dialer CapreDeam.p: P1/P2
-MSNIPstealer: F1/F2 (only detected by Webwasher) NB. This is a hack tool designed to "steal" the IP address of MSN users. "Fail" results can't really be considered important here: the goal was more to demonstrate...

KAV TEST PART 2 NEXT AND END

b) Worms and viruses:
-Feebs: P1/P2. KAV detects the launch of the IE browser, which can be blocked, and detects the startup entry once mshta.exe is running. Mshta.exe is not killed, but no harmful changes are made. AV detection:
-WormRays: P1/P2. Wormray...
