"undetectable" new spy? How to find out?

Discussion in 'other anti-malware software' started by Velocity, Jul 29, 2005.

Thread Status:
Not open for further replies.
  1. Velocity

    Velocity Registered Member

    Aug 2, 2003
    Hi guys and gals! I was surfing the net and found an expensive program called UltraView Plus which *claims* to be completely undetectable. I don't want to spend $$$ to find out and was wondering how we would know if our security programs can detect it? It seems to be aimed more at detectives but the average joe can buy it too, so I'd consider it a real threat.
  2. wildewest

    wildewest Guest

    You mean this http://www.awarenesstech.com/
    It doesn't look like they have a free trial version available, so I can't test it out, too bad. For $100 US it's a bit overpriced for my budget at this time.

    But here's what they claim at their website about it.


    "Invisibility is of paramount importance when gathering information.

    With UltraView Plus, you can completely monitor all of their activity without them ever knowing that you are checking in on them. They will relax, and you can finally relax knowing that they are safe.

    Other monitoring methods are sloppy, only hiding the most obvious elements and not taking into account how computer savvy the average person can be today. UltraView Plus, however, was originally designed to meet the unbelievably demanding requirements of governmental intelligence agencies. So you can rest assured that none of the anti-spyware or anti-virus software currently available can detect UltraView Plus.

    By design, UltraView Plus is hidden from everyone except the people authorized to see it. It does not appear in the Registry, the Process List, the System Tray, the Task Manager, on the Desktop, or in Add/Remove programs. There aren't even any visible files that can be detected!

    Not only does UltraView Plus work undetected, but it also circumvents ALL firewall programs, allowing you to gather the information you need without worrying about tripping any alarms.

    UltraView Plus is the ONLY industrial-strength computer monitoring software available. It won't let you or your family down."

    I find it hard to believe it can just get around your firewall as easily as they make it sound. But then again, unless someone actually tries it out we won't know for sure.

    Maybe someone could comment on it who may have tried it, or knows for sure if it really can get around any firewall the way they claim it can and if it's really so undetectable to AV and AS software.
  3. Velocity

    Velocity Registered Member

    Aug 2, 2003
    Yup, that's the one...sounds like a commercial rootkit to me.
  4. trilabs

    trilabs Guest

    If it's a rootkit, then you should be able to find it with RootkitRevealer or UnHackme, but I'm not totally sure about that.

    I'm really surprised there haven't been more responses to this thread. :(
  5. MikeNash

    MikeNash Security Expert

    Jun 9, 2005
    Sydney, Australia
    I would think that this is likely to be some kind of driver-based install like Elite Keylogger. Once you're in at that level it can be very difficult to detect (and remove) because it can easily hide from the registry, task list, explorer, etc.

    Ideally, in this case you would have some software running on the PC beforehand so that attempts to install it can be detected and logged. From here, we can find out how it works and a way to circumvent it.
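
The cross-view check that tools like RootkitRevealer use against the "hidden from the task list" case MikeNash describes, as an added example written for this thread (not code from the thread or from any product named in it). Linux stands in for Windows here: the two views are a /proc directory listing and a kill(2) probe sweep, and the check handles thread IDs, which the probe also reports.

```python
import os
import re

def listing_view():
    """High-level view: PIDs a readdir of /proc returns (what ps shows)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probe_view(max_pid=None):
    """Low-level view: probe every PID with signal 0, bypassing the listing."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            found.add(pid)
        except ProcessLookupError:
            pass
        except PermissionError:
            found.add(pid)  # exists, just owned by another user
    return found

def live_tgid(pid):
    """Thread group id from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            match = re.search(r"^Tgid:\s*(\d+)", fh.read(), re.M)
        return int(match.group(1)) if match else None
    except OSError:
        return None

def find_hidden(listed, probed, tgid_of):
    """PIDs the probe sees but the listing lacks, minus plain thread IDs."""
    hidden = set()
    for pid in probed - listed:
        tgid = tgid_of(pid)
        # kill(2) accepts thread IDs too; a Tgid pointing at another PID is a
        # thread, not a hidden process. Unreadable status still counts as suspect.
        if tgid is None or tgid == pid:
            hidden.add(pid)
    return hidden

def scan(passes=2):
    """Repeat the check; keep only PIDs hidden every pass (drops mid-scan exits)."""
    result = None
    for _ in range(passes):
        hits = find_hidden(listing_view(), probe_view(), live_tgid)
        result = hits if result is None else result & hits
    return result
```

Running `scan()` as root on a live Linux box sweeps the whole PID range, so expect it to take a few seconds; an empty result means both views agree.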

  6. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    SpyCop claims to detect it as of 7/29. See
    ~~Be ALERT!!! ~~
  7. muf

    muf Registered Member

    Dec 30, 2003
    Manchester, England
    Yes, I can confirm that my copy of Spycop has this in its database. So much for undetectable!!!

  8. Velocity

    Velocity Registered Member

    Aug 2, 2003
    Sounds good then - at least there is some protection against this program. Can any other (free) anti-kl programs find it?
  9. traveltimes

    traveltimes Guest

    I would bet that programs like Security Task Manager, that use a heuristic-based detection method, could detect it. If spyflop can find it, probably just about any anti-keylogger could. ;)
  10. Velocity

    Velocity Registered Member

    Aug 2, 2003
    Thanks for the useful info everyone. I've decided to buy a Spycop license due to the overwhelmingly positive feedback on it in both this forum and in DSL reports. I had done some testing and experimenting with the program in trial mode a long while back and kind of forgot about it until now.

    MikeNash - Is a kernel mode spy program the same thing as a rootkit spy program or is there some difference?
  11. lotuseclat79

    lotuseclat79 Registered Member

    Jun 16, 2005
    Yes, Velocity, kernel mode rootkits are different - they are the real thing!

    Check out this recent article based on a demo at the Black Hat conference in Vegas:
    'Shadow Walker' Pushes Envelope for Stealth Rootkits

    A new way to hide malicious programs.

    The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

    With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

    "This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

    Butler is co-author of a new security book with a focus on what an intruder can do to cover her presence on a compromised machine. Hoglund is the author of the rootkit.com website.

    Rootkits: Subverting the Windows Kernel by Greg Hoglund, Jamie Butler

    -- Tom
  12. trifactor

    trifactor Guest
    I know your post was in response to Velocity, but I think it really should be in a thread of its own, so others can see this somewhat disturbing info on the next generation of rootkits.
  13. controler

    controler Guest

    I had already posted it in another thread.

    Kevin claims rootkits are no el problemo.
    I would like his view on one of a kind builds.
