Yes, they undeniably offer “more protection”, but you’re still in the same old cat-and-mouse malware game that you’ve always been in. Russinovich mentions this in his blog I think; it just depends how hard the other party is trying…
I also don’t believe there has been any “pressure” on the rootkit community to *really* put effort into either x86 or x64 Vista/Win7 based rootkits, simply because the corporate take-up of Vista has been so poor. Having said that, as Win7 rolls out and large corporates “actually” start to move away from XP (will they?), we may see a surge of development in this area.
As far as corporates adopting x64 technology over x86 in the current economy, they would have to have a good reason, I imagine, and also a good understanding of the benefits to be excited about it…
But I’d dare to say that if someone had explained to the Dalai Lama how Vista x64 would have stopped the Chinese Govt hacking him simply through driver signing protection, he might have been receptive to an upgrade… ahh, the joy of hindsight.
Alex Ionescu has done some interesting work regarding PatchGuard and session 0 exploits though, James, and the usual rootkit site links also have some “interesting” code.
My 2 English pence.

crispin.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of James Harper
Sent: 10 September 2009 10:54
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How to Hard Reboot a system?
Based on my experience with one of the latest variants of a rootkit, I will say the OP is in the correct direction.

One can treat it as malware; but then the other options are to format the system or live with the rootkit. Based on the several pieces of feedback I received from our support guys, customers are ready to try anything to avoid a format, *even* when the support guys told them that the xyz tool is in beta and may crash the machine into an unrecoverable state.

Regarding the malware, what I observed is that the latest version of one type of rootkit does not drop any files on the machine; instead it changes sectors and hooks into the storage stack. The rootkit driver has registered a shutdown notification, so even if you change the infected part on disk, the rootkit will overwrite it during shutdown IRP processing. So the only possible workaround is to restart the machine without generating a shutdown notification, and we have tested this working with success up to the latest version of the rootkit.
I have found that they are also ‘safe mode proof’, so the old trick of booting into safe mode and cleaning out the registry just doesn’t work anymore.
I know I’m taking this further off-topic, but do you (or anyone else) have an opinion on the protections offered by the 64-bit kernels and how useful they are in preventing this sort of exploit? My opinion, based on general observations of such protections, is that they only need to be broken once and it’s all over until the next Windows patch (and between the time when the patch is released and when it starts to get rolled out, the malware has already been updated too).
James
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 4413 (20090910) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com