
# Xcon2009: passive non-resident root-kits


nezumi-lab
July 7th, 2009, 18:17
I was invited to the Xcon 2009 ("http://xcon.xfocus.org/") Security Conference (Beijing, China, 18th-19th August 2009), where I’m going to talk about a new generation of passive non-resident win32/Linux root-kits. A brief introduction follows below:

In the dark…
…I heard your voice: “Hey, you on the other side! In this dark and rainy night, we come out of the shadows just to finish what we began a thousand years ago. My gun is pumping, you’re down on your knees, a closer step to death. I think I’m coming, are you ready to receive? I spray you full with my killer disease! Now life is death and light is dark!”

There is a full-scale subterranean war being raged for every shred of information; there are things that go bump in the night, everybody knows about it and nobody says anything about it. They don’t intend to upset the balance of the war. I will. I’ll open a portal… and awaken the Ogdru Jahad. Behind this door, a dark entity: evil, ancient and hungry.

The Seven Gods of Chaos turn out to be a new kind of root-kit: non-resident passive Ring-3 root-kits affecting Windows and Linux. Sounds boring, doesn’t it? But hold a candle to the sun and listen. They’re coming inside to break you down. They hide exe/dll modules using only well-documented win32 APIs, accordingly working _everywhere_ from 9x to Vista; they don’t request administrator rights, and every known AV fails to find the hidden modules as well as to detect the root-kits, because there is nothing to detect, thanks to their passive non-resident nature! Your favorite tool, the manual detector (“hands-n-brain”), fails to detect them as well! Soft-ice, Syser, any root-kit finder shows us nothing! What the hell is this, science or black magic?! I don’t know, I just hear how your PC box is crying: what’s happening to me? Everything is so cold! Everything is so dark! What is this pain I feel, why does it hurt? Please no, let me die… let me die… let me die… Hey! Don’t you know it is supposed to work? You always get what you deserve! There is no cure. There is no solution. In the death and dark we are all alone.

Facts: This is not something absolutely new. This is what the hacker community started to talk about a year ago. It was a part of my Reverse Engineering Courses lectured to the Sec++ Group (Israel), the Sense Post company ("http://www.sensepost.com") (South Africa) and many others. At that moment we considered it a win32 bug allowing us to infect running EXEs and loaded DLLs.
Discussing this stuff with Apple Panda and Soft Forum ("http://www.softforumglobal.com/") guys (Seoul, South Korea), suddenly we realized: this is much more than just infection; the same trick might be used for hiding, and there is no way to find the coffined modules. It was supposed to be a part of my speech at the CodeGate-2009 ("http://www.codegate.org/") conference, but for some reason this topic was removed and suspended for a while.
There were some (just a few) internal reports that I sent to my company (McAfee, Avert Labs), but the wider public had no idea about what is going on till now, and from now till doomsday you know for sure what it’s all about. This is a new threat, spotlighting the maladjustment of three major Windows engines: the file system, the virtual memory manager and the object manager. Linux boxes are not affected. Well, in fact, they’re affected, but for them there is a solution, a cure. But not for Windows! We’re all waiting for an official patch fixing the problem.

/* snippets from New Rose Hotel, Queen Of The Damned, Hell-boy, BlutEngel, Pain were used */

http://nezumi-lab.org/gif/fractaldust.jpg
new generation of passive non-resident win32/Linux root-kits

http://nezumi-lab.org/blog/?p=201

disavowed
July 7th, 2009, 19:51
"non-resident rootkit" is kind of an oxymoron (at least with the traditional definition of "rootkit").

Aimless
July 8th, 2009, 05:11
Nezumi... I think you may need to cut down on the RPGs you play... (Seven Gods of Chaos - seriously!?!)

Always good to read your material.

Have Phun

evaluator
July 8th, 2009, 05:48
The problem is in "Profession"-alism.

PS
BTW, for example, the PROAGENT Spy Software description fully fits "passive non-resident root-kit".