Z0mBiE rootkit- Bypassed all ARK tools

http://forum.sysinternals.com/forum_posts.asp?TID=13773&PN=1

It has been a long time to read about some interesting malware/ POC.
Unforunately the rootkit is private.

 

According to EP_X0FF, this rootkit doesn't work in LUA

 

Are there rootkits that work in LUA?

 

EP_X0FF said:

 

Full user-mode rootkits should work in LUA.

 

How, if no execution/write is possible.

 

Execution is allowed everywhere under LUA (unless you're combining LUA with SRP) and you can do some process hiding (AFAIK)

 

If with LUA you mean simple standard Windows limited user account (without any other kind of restrictions) yes, there are, of course.

 

Thanks Lucas n Eraser.

 

Might be a good idea to now read the whole thread there...it is very funny So many ego's and not enough stages in the world.

 

Oh so true,the VT bit about samples made me chuckle....some folks forget that VT uploads are sent out on the wire as received to the participating Vendors.Whether or not they look at a sample is another kettle of fish tho but all uploads should be trackable and recoverable by MD5 alone IRC

So what's in a name ...."Z0mBiE"....returns

 

This was my point. I should have been more specific.

If used in conjunction with Windows Policies, that's false.

 

Correct
Have you tested LUA+SRP against live exploits?

 

Only related to the mass.

WakeUp_Neo why you do not join this thread? Mr Chameleon always present or his bot friend whatever.
Zombies are everywhere

 

Which HIPS and sandboxes does it bypass (when granted execution rights)?

 

Ya, System Junkie! can u try it against some HIPS, sandboxes and post us some screenshots or just plain info if it,s not against EULA?

I will like to know about:

CFP Defence plus
GesWall
ThreatFire
SBIE
EQS

Thanks

 

Of course, many. I have yet to be infected.

 

That's good to know. Thanks

 

It's (LUA+SRP) a methodology that not too many people seem to use. I don't know why; it's easy, secure, free and gets even better using 64-bit Vista. I have two test boxes, one with XP Pro, the other with Vista 64-bit. I try to test with the newest files I can find, the ones AV software don't recognize yet. I then check for any possible infiltration(s) using a variety of tools run from inside the hard drive and also from outside the hard drive.

 

That would be great.
LUA + SRP is slowly (but surely) catching people's attention here at Wilders. See here and here.

 

Probably it is

 

Are u sure? U might ask the vendor!