<![CDATA[ le blog kavtest]]> http://kavtest.over-blog.com/ fr over-blog.com RSS 2.0 Generator <![CDATA[KAV TEST Part 1]]> http://kavtest.over-blog.com/article-3590289.html
FIRST PART: based on behaviour

NB: "Accès refusé" on screenshots means "Access denied".

1) Execution protection

a) with the TaskManager launched via Ctrl+Alt+Del: F1/F2

b)[...]]]>
Tue, 12 Jun 2007 00:00:00 +0200 http://kavtest.over-blog.com/article-3590289.html
<![CDATA[ENDPOINT AND DATA THEFT TEST]]> http://kavtest.over-blog.com/article-6782645.html

These tests concern endpoint threats: with the success of USB keys, iPods, and removable media, these are an excellent attack and infection vector.

Tests a, b, and c are simple demos which dump the contents of the My Documents folder and the contents of files by type (Slurp).
Other tests can really be a threat, locally[...]]]>
Mon, 11 Jun 2007 20:22:53 +0200 http://kavtest.over-blog.com/article-6782645.html
<![CDATA[ROOTKIT TESTS B]]> http://kavtest.over-blog.com/article-6386174.html

B) Classical ("hiders"/intrusion/hacker tools), malware/automated and demo rootkits:

1) Hiding a process with Trojan.Constructor.Uniskit.H (BitDefender):

a) detection: P1/P2

By ProcessWalker:

b) prevention:...]]>
Wed, 30 May 2007 22:57:16 +0200 http://kavtest.over-blog.com/article-6386174.html
<![CDATA[STEALTH KEYLOGGERS TEST]]> http://kavtest.over-blog.com/article-6574029.html

C) Stealth keyloggers:

Here only detection is concerned: these commercial programs need to be installed first with administrator privileges.

Some keyloggers hide their own folders (not seen in Program Files...]]>
Sun, 27 May 2007 21:37:00 +0200 http://kavtest.over-blog.com/article-6574029.html
<![CDATA[ROOTKIT TEST PART A]]> http://kavtest.over-blog.com/article-6656073.html
Rootkit prevention and detection

A) Detection and prevention protection:

For prevention (service/driver installation, physical memory access) see also part 1 (behaviour tests).

Here we use the Agony rootkit to hide a file, a registry key and an active process.
We also use a...]]>
Sun, 20 May 2007 20:51:02 +0200 http://kavtest.over-blog.com/article-6656073.html
<![CDATA[OTHER MALWARES Part 11]]> http://kavtest.over-blog.com/article-6573791.html

-Backdoor Aladino: P1/P2

-Backdoor Clindestine.152.a: P1/P2

Symantec? never heard of that...

-Backdoor.Yuri (DrWeb and Panda have the more[...]]]>
Tue, 08 May 2007 23:14:00 +0200 http://kavtest.over-blog.com/article-6573791.html
<![CDATA[OTHER MALWARES Part 5]]> http://kavtest.over-blog.com/article-6402636.html

-Bdoor backdoor: P1/P2

-Hanuman Backdoor: F1/P2

This backdoor does not try to make itself persistent by writing the Run key (F1):

-HKShell[...]]]>
Tue, 08 May 2007 23:10:00 +0200 http://kavtest.over-blog.com/article-6402636.html
<![CDATA[OTHER MALWARES Part 7]]> http://kavtest.over-blog.com/article-6475887.html

In parts 7 and 8 we'll illustrate trojan spies and trojan bankers, a kind of Brazilian speciality...
People who usually surf on .br or .por domains should take a look at this site, where a helpful forum and a specific tool are dedicated to the eradication of this[...]]]>
Tue, 08 May 2007 22:39:00 +0200 http://kavtest.over-blog.com/article-6475887.html
<![CDATA[OTHER MALWARES Part 10]]> http://kavtest.over-blog.com/article-6500216.html

-Trojan Downloader Small.dam: P1/P2

-Trojan Obfuscated.ev: P1/P2

-Trojan Spy Lmir.bgk: P1/P2

[...]]]>
Tue, 08 May 2007 22:20:00 +0200 http://kavtest.over-blog.com/article-6500216.html
<![CDATA[OTHER MALWARES Part 9]]> http://kavtest.over-blog.com/article-6476006.html

-Trojan Spy QQPass.rq: P1/P2

-Trojan Spy Bancos.tl: P1/P2

-Trojan Spy Bancos.yt: P1/P2

-Trojan Spy...]]>
Tue, 08 May 2007 22:18:00 +0200 http://kavtest.over-blog.com/article-6476006.html