Z0mBiE rootkit- Bypassed all ARK tools

[aigle]

http://forum.sysinternals.com/forum_...TID=13773&PN=1

It has been a long time to read about some interesting malware/ POC.
Unforunately the rootkit is private.

[lucas1985]

According to EP_X0FF, this rootkit doesn't work in LUA

[aigle]

Are there rootkits that work in LUA?

[aigle]

EP_X0FF said:

Quote:

I believe, in x64, only system approach can handle this NT hell. Fully restricted access to kernel mode part, new security model (with updated NTFS) and a fully isolated kernel with self-integrity control. But this will lead to the end of: personal firewalls, host intrusion prevention system, some antiviruses, sandboxes, most of utilities and executable packers.

Everything else just a weak attempts and hijacking money from users.

Quote:

One good solution cannot change everything. Besides it will become a primary target for script-kiddies, malware writers etc. So its bypassing will be a question of time (as it was in case of RkTrap). Windows already support enough security model, but almost nobody doesn't use it. It is very strange be against something with administrative .

New OS is better than security through obscurity.

[lucas1985]

Quote:

Originally Posted by aigle

Are there rootkits that work in LUA?

Full user-mode rootkits should work in LUA.

[SirMalware]

Quote:

Full user-mode rootkits should work in LUA.

How, if no execution/write is possible.

[lucas1985]

Execution is allowed everywhere under LUA (unless you're combining LUA with SRP) and you can do some process hiding (AFAIK)

[EraserHW]

Quote:

Originally Posted by aigle

Are there rootkits that work in LUA?

If with LUA you mean simple standard Windows limited user account (without any other kind of restrictions) yes, there are, of course.

[aigle]

Thanks Lucas n Eraser.

[Primrose]

Might be a good idea to now read the whole thread there...it is very funny So many ego's and not enough stages in the world.

[fcukdat]

Quote:

Originally Posted by Primrose

Might be a good idea to now read the whole thread there...it is very funny So many ego's and not enough stages in the world.

Oh so true,the VT bit about samples made me chuckle....some folks forget that VT uploads are sent out on the wire as received to the participating Vendors.Whether or not they look at a sample is another kettle of fish tho but all uploads should be trackable and recoverable by MD5 alone IRC

So what's in a name ...."Z0mBiE"....returns

[SirMalware]

Quote:

unless you're combining LUA with SRP

This was my point. I should have been more specific.

Quote:

Execution is allowed everywhere under LUA

If used in conjunction with Windows Policies, that's false.

[lucas1985]

Quote:

Originally Posted by SirMalware

If used in conjunction with Windows Policies, that's false.

Correct
Have you tested LUA+SRP against live exploits?

[SystemJunkie]

Quote:

Unforunately the rootkit is private.

Only related to the mass.

WakeUp_Neo why you do not join this thread? Mr Chameleon always present or his bot friend whatever.
Zombies are everywhere

[lucas1985]

Which HIPS and sandboxes does it bypass (when granted execution rights)?

[aigle]

Quote:

Originally Posted by lucas1985

Which HIPS and sandboxes does it bypass (when granted execution rights)?

Ya, System Junkie! can u try it against some HIPS, sandboxes and post us some screenshots or just plain info if it,s not against EULA?

I will like to know about:

CFP Defence plus
GesWall
ThreatFire
SBIE
EQS

Thanks

[SirMalware]

Quote:

Have you tested LUA+SRP against live exploits?

Of course, many. I have yet to be infected.

[lucas1985]

That's good to know. Thanks

[SirMalware]

It's (LUA+SRP) a methodology that not too many people seem to use. I don't know why; it's easy, secure, free and gets even better using 64-bit Vista. I have two test boxes, one with XP Pro, the other with Vista 64-bit. I try to test with the newest files I can find, the ones AV software don't recognize yet. I then check for any possible infiltration(s) using a variety of tools run from inside the hard drive and also from outside the hard drive.

[lucas1985]

That would be great.
LUA + SRP is slowly (but surely) catching people's attention here at Wilders. See here and here.

[SystemJunkie]

Quote:

if it,s not against EULA?

Probably it is

[aigle]

Are u sure? U might ask the vendor!