le blog kavtest
http://kavtest.over-blog.com/
Language: fr | Generator: over-blog.com RDF 1.0 | Contact: admin@over-blog.com | Updated: 2006-08-13T18:41:53Z

KAV TEST Part 1
http://kavtest.over-blog.com/article-3590289.html (fr, 2008-01-03T10:50:06Z)
FIRST PART, based on behaviour. NB: "Accès refusé" on the screenshots means "Access denied".
1) Execution protection
a) with the Task Manager launched via Ctrl+Alt+Del: F1/F2
b) with srip32 launched by explorer.exe: F1/F2
c) with shellcode for running notepad.exe: F1/F2
d) launching calc.exe via another[...]

ENDPOINT AND DATA THEFT TEST
http://kavtest.over-blog.com/article-6782645.html (fr, 2008-01-03T10:50:11Z)
These tests concern endpoint threats: with the success of USB keys, iPods and removable media, this is an excellent attack and infection vector. Tests a, b and c are simple demos which dump the content of the My Documents folders and of files by type (Slurp). The other tests can really be a threat, locally (any computer with physical access) or...

ROOTKIT TESTS B
http://kavtest.over-blog.com/article-6386174.html (fr, 2008-01-03T10:50:11Z)
B) Classical ("hiders"/intrusion/hacker tools), malware/automated and demo rootkits:
1) Hiding a process with Trojan.Constructor.Uniskit.H (BitDefender):
a) detection: P1/P2 by ProcessWalker:
b) prevention: P1/P2
Service/driver installation is detected. But if we allow the "rootkit" to register its...

STEALTH KEYLOGGERS TEST
http://kavtest.over-blog.com/article-6574029.html (fr, 2008-01-03T10:50:11Z)
C) Stealth keyloggers: here only detection is concerned, since these commercial programs need to be installed first with administrator privileges. Some keyloggers hide their own folders (not seen in the Program Files folder). The results are often: F1: fail result for the Proactive[...]

ROOTKIT TEST PART A
http://kavtest.over-blog.com/article-6656073.html (fr, 2008-01-03T10:50:11Z)
Rootkit prevention and detection
A) Detection and prevention protection: for prevention (service/driver installation, physical memory access) see also part 1 (behaviour tests). Here we use the Agony rootkit to hide a file, a registry key and an active process. We also use a commercial program designed...

OTHER MALWARES Part 11
http://kavtest.over-blog.com/article-6573791.html (fr, 2008-01-03T10:50:10Z)
- Backdoor Aladino: P1/P2
- Backdoor Clindestine.152.a: P1/P2 (Symantec? never heard of that...)
- Backdoor.Yuri (DrWeb and Panda have the more appropriate name): P1/P2
The "disable Task Manager" option chosen for the server is easily detected and[...]

OTHER MALWARES Part 5
http://kavtest.over-blog.com/article-6402636.html (fr, 2008-01-03T10:50:10Z)
- Bdoor backdoor: P1/P2
- Hanuman backdoor: F1/P2. This backdoor does not try to be persistent by writing the Run key (F1):
- HKShell backdoor: P1/P2
- ICMPDoor backdoor: P1/P2. NB: ICMP is considered a "poor protocol", but it is certainly one of the most interesting for firewall and IDS...

OTHER MALWARES Part 7
http://kavtest.over-blog.com/article-6475887.html (fr, 2008-01-03T10:50:10Z)
In parts 7 and 8 we'll illustrate trojan spies and trojan bankers, a kind of Brazilian speciality... People who usually surf on .br or .por domains should take a look at this site, where a helpful forum and a specific tool are dedicated to the eradication of this kind of pest. As malware coders are more and more driven by...

OTHER MALWARES Part 10
http://kavtest.over-blog.com/article-6500216.html (fr, 2008-01-03T10:50:10Z)
- Trojan Downloader Small.dam: P1/P2
- Trojan Obfuscated.ev: P1/P2
- Trojan Spy Lmir.bgk: P1/P2
- Trojan Spy Mara.bo: P1/P2
- Trojan Spy Small.bs: P1/P2
Here again system process terminology is used: svchost is a generic process related to many[...]

OTHER MALWARES Part 9
http://kavtest.over-blog.com/article-6476006.html (fr, 2008-01-03T10:50:10Z)
- Trojan Spy QQPass.rq: P1/P2
- Trojan Spy Bancos.tl: P1/P2
- Trojan Spy Bancos.yt: P1/P2
- Trojan Spy Banker.axc: P1/P2
- Trojan Spy Banker.ccc: P1/P2
- Trojan Spy PdPinch.gen: P1/P2
- Trojan Spy Banbra: P1/P2
- Backdoor Delf.ag: P1/P2
- Backdoor Shadows (detected only as suspicious by Fortinet on VirusTotal):[...]