le blog kavtest
http://kavtest.over-blog.com/
Feed updated: 2006-08-13T18:41:53Z (over-blog.com, Atom 1.0)
Author of all entries: SSTA (http://www.over-blog.com/profil/blogueur-858582.html)

Entries, with the summaries as given in the feed (each one stops where the feed truncates it, marked [...]). Verdicts use the blog's notation: P = pass, F = fail, followed by the test number (e.g. P1/P2, F1/F2).

KAV TEST Part 1
http://kavtest.over-blog.com/article-3590289.html
Published 2007-06-12T00:00:00Z, updated 2008-01-03T10:50:06Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavkarel/kavpart1a/kavpart1tag_kavvsshellcodecalc.jpg
FIRST PART, based on behaviour.
NB: "Accès refusé" on the screenshots means "Access denied".
1) Execution protection
a) with the Task Manager launched via Ctrl+Alt+Del: F1/F2
b) with srip32 launched by explorer.exe: F1/F2
c) with shellcode for [...]

ENDPOINT AND DATA THEFT TEST
http://kavtest.over-blog.com/article-6782645.html
Published 2007-06-11T20:22:53Z, updated 2008-01-03T10:50:11Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavtestfin/attackfev/attackfev_kavvstrojademo.png
These tests concern endpoint threats: with the success of USB keys, iPods and removable media, this is an excellent attack and infection vector.
Tests a, b and c are simple demos which dump the content of the My Documents folder and files selected by type (Slurp).
The other test can really be a threat, locally [...]

ROOTKIT TESTS B
http://kavtest.over-blog.com/article-6386174.html
Published 2007-05-30T22:57:16Z, updated 2008-01-03T10:50:11Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavkarel/kavseptembre/hidderscan.jpg
B) Classical ("hiders"/intrusion/hacker tools), malware/automated and demo rootkits:
1) Hiding a process with Trojan.Constructor.Uniskit.H (BitDefender name):
a) detection: P1/P2. By ProcessWalker:
b) prevention: P1/P2
Service/driver installation is detected. But if we allow the [...]

STEALTH KEYLOGGERS TEST
http://kavtest.over-blog.com/article-6574029.html
Published 2007-05-27T21:37:00Z, updated 2008-01-03T10:50:11Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavlastfev/rktlast/rkfine/rkfin0/wire_wiretapstealthinstall.jpg
C) Stealth keyloggers: here only detection is concerned, since these commercial programs need to be installed first with administrator privileges.
Some keyloggers hide their own folders (not seen in the Program Files folder).
The results are often:
F1: fail [...]

ROOTKIT TEST PART A
http://kavtest.over-blog.com/article-6656073.html
Published 2007-05-20T20:51:02Z, updated 2008-01-03T10:50:11Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavlastfev/rktlast/agonyrtkscan.jpg
Rootkit prevention and detection
A) Detection and prevention protection: for prevention (service/driver installation, physical memory access) see also part 1 (behaviour tests).
Here we use the Agony rootkit to hide a file, a registry key and an active process.
We also use a commercial program designed to hide files and folders, and various tools [...]

OTHER MALWARES Part 11
http://kavtest.over-blog.com/article-6573791.html
Published 2007-05-08T23:14:00Z, updated 2008-01-03T10:50:10Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavlastfev/p23mai/p23mai_backaladinoscan.jpg
-Backdoor Aladino: P1/P2
-Backdoor Clindestine.152.a: P1/P2
Symantec? Never heard of that...
-Backdoor.Yuri (DrWeb and Panda have the more appropriate name): P1/P2
The "disable Task Manager" option chosen for the server is easily detected and blocked:
-Backdoor Zdmon: P1/P2

OTHER MALWARES Part 5
http://kavtest.over-blog.com/article-6402636.html
Published 2007-05-08T23:10:00Z, updated 2008-01-03T10:50:10Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavlastfev/othermal/otrmaldimtag_bdoorscan.jpg
-Bdoor backdoor: P1/P2
-Hanuman backdoor: F1/P2
This backdoor does not try to persist by writing the Run key (F1):
-HKShell backdoor: P1/P2
-ICMPDoor backdoor: P1/P2
NB: ICMP is considered a "poor protocol", but it is certainly one of the most [...]

OTHER MALWARES Part 7
http://kavtest.over-blog.com/article-6475887.html
Published 2007-05-08T22:39:00Z, updated 2008-01-03T10:50:10Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavlastfev/avfine/part2/part2fin/maltroj_trojspybancos.jpg
In parts 7 and 8 we'll illustrate trojan spies and trojan bankers, a kind of Brazilian speciality...
People who usually surf on .br or .por domains should take a look at this site, where a helpful forum and a specific tool are dedicated to eradicating this kind of pest.
As malware coders are more and more driven by money [...]

OTHER MALWARES Part 10
http://kavtest.over-blog.com/article-6500216.html
Published 2007-05-08T22:20:00Z, updated 2008-01-03T10:50:10Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavlastfev/avfine/malfine/malfinav_trojdownloader.small.dam.jpg
-Trojan Downloader Small.dam: P1/P2
-Trojan Obfuscated.ev: P1/P2
-Trojan Spy Lmir.bgk: P1/P2
-Trojan Spy Mara.bo: P1/P2
-Trojan Spy Small.bs: P1/P2
Here again system-process terminology is used: svchost is a generic process in relation with [...]

OTHER MALWARES Part 9
http://kavtest.over-blog.com/article-6476006.html
Published 2007-05-08T22:18:00Z, updated 2008-01-03T10:50:10Z
Screenshot: http://idata.over-blog.com/0/40/66/88/kavlastfev/avfine/part2/part2fin/maltroj_trojspayqpass68.jpg
-Trojan Spy QQPass.rq: P1/P2
-Trojan Spy Bancos.tl: P1/P2
-Trojan Spy Bancos.yt: P1/P2
-Trojan Spy Banker.axc: P1/P2
-Trojan Spy Banker.ccc: P1/P2
-Trojan Spy PdPinch.gen: P1/P2
-Trojan Spy Banbra: P1/P2
-Backdoor Delf.ag: P1/P2
-Backdoor Shadows (detected only as suspicious by Fortinet on [...]
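Two behaviours recur in these summaries: a backdoor making itself persistent through the Run key (the Hanuman note in Part 5) and malware borrowing a system-process name such as svchost to blend in (the note in Part 10). The script below is an added example, not code from the kavtest blog or from any product it tests. It shows the manual triage a tester would do beside the antivirus verdict: it parses `reg query` output for the Run keys, pulls the executable path out of each value, and flags entries that launch from a user-writable directory or that carry a well-known system binary name while living outside System32; the same path check is applied to a process listing. The registry text and process list are constructed samples, the set of user-writable markers and the System32-only name list are my own heuristics (not Windows rules), and the `reg query` column layout assumed by the regex is the one `reg.exe` prints on XP-era systems.

```python
"""Offline triage of Run-key persistence and system-process-name masquerading.

Added example. SAMPLE_REG and SAMPLE_PROCESSES are constructed data; on a live
box the same text comes from `reg query <key>` and the process list from
`tasklist` or `wmic process get name,executablepath`.
"""
import ntpath
import re

# Heuristic: directories an unprivileged user can write to. A Run entry that
# launches from one of these is the persistence pattern the Hanuman test is about.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")

# Heuristic: names malware borrows; each may legitimately run only from here.
SYSTEM_ONLY = {
    "svchost.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
}


def image_path(command):
    """Strip the executable path out of a Run value: "C:\\x.exe" /arg or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def classify(path):
    """Return the reasons a launch path looks suspicious (empty list if clean)."""
    p = path.lower()
    name, folder = ntpath.basename(p), ntpath.dirname(p)
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("launches from a user-writable directory")
    if name in SYSTEM_ONLY and folder != SYSTEM_ONLY[name]:
        reasons.append(f"{name} outside {SYSTEM_ONLY[name]}")
    return reasons


def parse_reg_query(text):
    """Parse `reg query` output into (key, value_name, data) tuples.

    Key paths are printed flush left; values are indented and separated by
    runs of whitespace: <name>    <REG_TYPE>    <data>.
    """
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            key = line.strip()
            continue
        m = re.match(r"\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.+?)\s*$", line)
        if m and key:
            entries.append((key, m.group(1), m.group(3)))
    return entries


def audit_run_keys(text):
    """Return [(key, value_name, exe_path, reasons)] for entries that trip a rule."""
    findings = []
    for key, name, data in parse_reg_query(text):
        path = image_path(data)
        reasons = classify(path)
        if reasons:
            findings.append((key, name, path, reasons))
    return findings


def audit_processes(processes):
    """processes: iterable of (name, image_path); returns the suspicious ones."""
    return [(n, p, classify(p)) for n, p in processes if classify(p)]


# Constructed sample: two clean entries, one backdoor dropped in %TEMP% under a
# system-process name, and a clean HKLM entry.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    MSMSGS        REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    svchost       REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Updater       REG_SZ    "C:\Program Files\Vendor\updater.exe" /quiet
"""

# Constructed sample process list (name, image path).
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for key, name, path, reasons in audit_run_keys(SAMPLE_REG):
        print(f"[RUN ] {key}\\{name} -> {path}: {'; '.join(reasons)}")
    for name, path, reasons in audit_processes(SAMPLE_PROCESSES):
        print(f"[PROC] {name} at {path}: {'; '.join(reasons)}")
```

On the sample data only the `svchost` Run value and the second svchost.exe process are reported, each for both reasons. A real Hanuman-style backdoor that never writes the Run key would of course produce no Run finding, which is exactly why the process-path check is kept alongside it.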