back to article Whitehat cracks notorious rootkit wide open

A malware analyst has deconstructed a highly advanced piece of crimeware believed to be the work of the notorious Russian Business Network The step-by-step instructions for reverse engineering the stealthy ZeroAccess rootkit is a blow to its developers, who took great care to make sure it couldn't be forensically analyzed. The …

COMMENTS

This topic is closed for new posts.
FAIL

Muhahaha

If you mount an infected windows partition with a Linux host having NTFS support, I can't see how these "secret" things could not be discovered.

Only a problem for the Windows retards who don't know the Unix command line and think Windows PE is the ultimate tool.

It's ironic - repairing an infected Windows machine requires Linux.

2
20
Grenade

@ Admiral of The Pink (Oboe)

I dunno about Windows PE, but you come across as a bit of a tool yourself.

15
2
Stop

Fail yourself, Pink Slip

If that stuff is designed sector based it lives beyond any file system. It creates its on volumes and file system that look like broken sectors and are ignored even by oh so glorious Linux. Still it runs...

Can't be done? If you say so...

0
0

This post has been deleted by its author

Thumb Down

The pr0nz

Personally I regard the "porn gives you viruses" thing as a bit of a myth. It is indeed "notorious", but I think that's mostly undeserved. Sure it's one of the things malware purveyors bait their traps with, but they have plenty of other tricks. One might as well warn people against googling recent news headlines.

Perhaps this advice was more relevant some time in the past, before the malware biz got so crafty, and before there were so many trustworthy porn sites.

1
0
Rob
Terminator

I'd be extremely careful...

... if I'd just cracked open a bit of software that had the Russian Business Network's fingerprints on it, especially after I'd just published that info for world + dog to read.

2
1
FAIL

Oh, We Are So Scared

no more words.

0
10
Stop

RE: "Oh, We Are So Scared"

It's not that security researchers haven't been physically attacked by mobsters for impairing their "business" (like banking trojans etc), or the data centers of ISPs burned down for refusing to host their "services".

Don't be mistaken, we are talking serious bad asses here...

0
0

Windows 98 laughs at this malware

I'm staying with Windows 98 with KernelEx API enhancement. This ZeroAccess rootkit (and probably all root kits and most malware in general) probably can't run under Win-98.

0
1
FAIL

However

But neither can my new hardware.

1
0
Anonymous Coward

IE and Flash are the main problems, accursed Active-X!

IE is still an open wound, as is anything with uses its browser component, and will stay so until Active-X is no longer supported by IE and Windows, and replaced by a properly sand-boxed and secured plug-in framework. Lazy web site owners using Active-X plug-ins must stop being humoured, and actively blocked by all browsers, with a security message to users, it's the only way both will learn!

Flash is also a steaming pile of insecurity, because it is not coded to be secure, does not have a proper security model, and does not provide an non-browser preferences GUI, so it continues to crash browsers and infect OSs! e.g. Flash malware can even get through Google Chrome, given I've seen clean system prompts from Microsoft Security Essentials, while using it on some sites!

I so hope that all sites get rid of Flash video players ASAP, and that Flash is removed from all other sites!

Email is only a problem if you run an insecure email client or are stupid enough to open spam attachments.

It would help loads if all supported Microsoft OS's was fixed to never allowed any external media to auto-run without a prompt and a virus scan, to prevent careless malware distribution from compromised machines.

Windows 7 UAC is a step in the right direction, however the UAC is still far too coarse and annoying, because its repeated prompts become noise, thus blindly clicked or disabled.

4
0
FAIL

All this fluff

"It would help loads if all supported Microsoft OS's was fixed to never allowed any external media to auto-run without a prompt and a virus scan, to prevent careless malware distribution from compromised machines."

Last I checked, most AVs come with an on-access scanner. This will scan any file upon attempting to open it, media on a CD included.

"Windows 7 UAC is a step in the right direction, however the UAC is still far too coarse and annoying, because its repeated prompts become noise, thus blindly clicked or disabled."

So, all this complaining about ActiveX and the Evils of IE and you finally get to how most crapware is installed: the user said "yes." Twice. (for those of you that "use linux only," XP/7 [there is no Vista....] asks if you want to Run/Save/Cancel and then says "This may be malicious software! You sure you want to run it???" to which they hit "Run" again).

User stupidity is more effective than any ActiveX/Flash exploit. Especially since anyone "in the know" would have a decent AV running to catch the bugger when it attempted to worm its way onto the machine.

0
3
Bronze badge
FAIL

...you'd think the title would default for a reply, same as eMails...

"It would help loads if all supported Microsoft OS's was fixed to never allowed any external media to auto-run without a prompt and a virus scan, to prevent careless malware distribution from compromised machines."

Unfortunately, all this would do is create yet another generation of "blind-clickers" - i.e., people who immediately click the OK button without checking the message, or even registering it.

It's the problem with so many "false positives" being created - people just get used to the OS bitching at them and blindly click/hit ENTER.

0
0
Coat

So it's come to this then, has it?

When you write "San Francisco" you don't have to add the ", California" bit because everyone already knows what you mean. It's even ingrained in a list the Associated Press publishes which states which city names in the world do not need to be qualified with a state, province or country tag.

Likewise, as this article shows, when you write about a "rootkit" you no longer have to add the qualifier "Windows" before it since all and sundry know damn well what you're talking about. I assume the same is true of "virus", "malware", "trojan", "patch", "brain dead user" and "sucks".

Mines the one with the "AP Stylebook" in the pocket.

2
2
Flame

Windows

Most publicised rootkits deal with Windows since most people would have a vested interest. However, it's the Linux rootkits that are especially fun to deal with. Yes, they do exist, but you probably don't even know if you have one.

2
0
FAIL

YOU are a tool

This isn't English class - it's a blog!

0
0
This topic is closed for new posts.

Forums