Shadow Walker

Discussion in 'malware problems & news' started by Starrob, Jul 28, 2005.

Thread Status:
Not open for further replies.
  1. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
  2. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    Re: Defenses against Shadow Walker

    That was an interesting article.

    One thing I noticed. It said Shadow Walker was a modification of FU. FU, if I remember right, was a memory-resident rootkit... it doesn't survive a reboot. It seems to read that SW doesn't survive a reboot either (although it doesn't specifically say).

    I wonder if you could use one rootkit to install another rootkit.

    Heh, I don't know enough about how they work or what they are capable of in memory.

    Nasty stuff.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Re: Defenses against Shadow Walker

    The problem with these types of articles is

    1) they prey on one's fear of the unknown

    2) they discuss detection/removal rather than prevention.

    A rootkit is a trojan. Trojans have to unpack/load drivers or other executables to run their payload.

    Process Guard has demonstrated the prevention of the FU infection:

    http://diamondcs.com.au/processguard/index.php?page=attack-rootkits

    Anti-Executable would block the unpacking of the msdirectx.sys driver. Actually, when I tried to test that, AE would not even let the package (fu.exe) download.

    A quote from the article:

    ---------------------------------
    By opting for virtual memory subversion, Sparks said Shadow Walker is capable of hooking in-memory security scanners that rely on the integrity of the memory view it collects.
    ---------------------------------

    PG would block any unauthorized hooking attempt.

    From an article on Cool Web Search spyware incorporating rootkit technology:

    -----------------------------
    CWS is a trojan...An executable file named bootconf.exe is copied to the \windows\system32\ folder and set to load at startup...

    More current variants also install a small web server, contained in a file named svchost32.exe...

    Yet another variant hijacks Internet Explorer's SearchHook setting with a file named dnsrelay.dll...
    ------------------------------

    All of those payloads can be prevented from installing.

    And, of course, users should ask an even more basic question: how would the trojan get into my system in the first place? There is the starting point for prevention.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  4. Vikorr

    Heya Rich

    I didn't say it scared me, I said it was interesting. It's always interesting to see what advances malware makes.

    I do agree with you though, articles like that are written to generate fear, and rarely discuss prevention methods...doesn't mean it isn't interesting :)

    I have PG, Prevx1, and ShadowUser (plus NAV) all running, so that's why I wasn't all too concerned about it, although thanks for the DCS link.
     
  5. Rmus

    Sorry, Vikorr, it wasn't my intention to imply that with you. I was making a general statement.

    With your security lineup, you would seem to be in good shape :)

    EDIT: since you use ShadowUser, maybe you can answer some of the questions posed here:

    https://www.wilderssecurity.com/showthread.php?t=90907


    -rich
     
    Last edited: Jul 29, 2005
  6. Starrob

    The reason why I posted this was to discuss prevention methods, since none were discussed in the article.

    Secondly, I posted it to highlight the fact that scanners might possibly not be the answer to the detection of such malware.

    I am observing one situation on one "bad website" in which you can supposedly download a codec for Windows Media Player that can improve video in Windows Media Player. Apparently, there are some websites out there that have videos that refer to this codec, and when people go to the "bad" website to download the codec they get a load of http://www.viruslist.com/en/search?VN=Trojan-Downloader.Win32.Zlob.aa

    Now the people at that "bad" website are quite smart. They change the program every few days so that Kaspersky can't detect it. So every few days, I'll go to the bad "website", upload the file to Jotti's scanner, and usually the only ones that can detect it are NOD32 and BitDefender, I think. They both catch it with heuristics.

    I upload to Jotti's because it is a way to submit the file to anti-virus companies. Usually after I upload the file, Kaspersky puts the "bad" file in its detection within 12 hours to 2 days (which sort of gives me an idea of how fast Kaspersky will update a new threat).

    Then after about two days to one week, the people on the "bad" website will change the program so that not only Kaspersky won't detect it but many other scanners as well.

    The fact that NOD32 will always detect it no matter what the changes tells me that heuristics will have a greater importance in the future as far as scanners are concerned, and may be the reason that Kaspersky is moving in that direction with KAV 6.0.

    It also speaks to the importance of prevention. I look at prevention in two ways. The most important part of prevention to me is education. I have found over time that the more education that I get about computer security the less need that I have for solving my security needs using software.

    The second and less important part of prevention to me is software that can block and/or detect malware and remove it if necessary.

    For some that are unwilling or simply have a hard time understanding security on computers, security software becomes more important.

    One of the reasons why I personally consider education more important is that with education, I rely on myself. With computer software I rely on others... and others many times tend to disappoint.



    Starrob
     
  7. Rmus

    Very well put.

    I stated (a bit less eloquently) in a post above,

    ---------------------
    And, of course, users should ask an even more basic question: how would the trojan get into my system in the first place? There is the starting point for prevention.
    ---------------------


    Starrob, how do people arrive at that point where they have "less need...for solving security needs using software"? How would you lead someone to that point?

    There has to be a starting point for this education. Where does it begin? At the store where the user purchases the computer? That would be ideal, because computer security begins with having a basic understanding of how the computer works, and should include:

    --------------------------------------
    a file extension tells the operating system what to do with a file. Certain file extensions "execute" or run code.
    --------------------------------------

    How many people first turning on their new computer understand that? But if they don't they haven't grasped the starting point for understanding security.

    In a thread in another forum, I suggested that each person "adopt" someone just starting out in computing and teach them the basics of computing, leading into security. Each should develop her/his own method, create a tutorial, however you want to do it. The important part will be the hands-on time with the person.

    I've done this successfully many times. It requires "donating" some free time, and the results are very rewarding.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  8. Starrob


    I am not sure. Ever heard that saying that "You can't lead a horse to water"?

    You can be the best teacher in the world. You can have the most wonderful tools but if a person does not WANT to learn then very little can be taught.

    The first requirement is that you find someone with an "OPEN" mind. Someone that is NOT an "EXPERT", because experts think that they already know everything that they need to learn and therefore "Experts" have "CLOSED" their minds to learning new things.

    Then you must find someone that has an active interest in learning... that is eager to absorb new knowledge. These are people that can be taught about computer security.

    Getting someone to the point where they have an open mind and want to learn is something that even psychologists have a hard time doing. It is the equivalent of teaching an alcoholic how to stop drinking. All the expertise in the world is not going to help the alcoholic stop drinking if he does not want to stop.

    So, I am not sure how to answer your question. Do we issue licenses to drive on the internet? How do we enforce that? There is no central regulating authority on the internet (Although many governments want to try).

    You propose an interesting question. If I can come up with a theory, I'll post back on it, but for now, I can't think of any viable solutions.


    Starrob
     
  9. Rmus

    Excellent and pertinent point.

    This principle is the guiding force in many groups today, AA for example. They won't take anyone who doesn't want to stop drinking.

    Like with AA, in my small group who "adopts" someone who wants to learn (or re-learn) computing, we won't take anyone who won't follow our plan.

    When you do, please share.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  10. Starrob

    I think educational groups would also require those that would have both the time and ability to teach.

    Where would those type of people be found? I don't think most software developers would be interested because if people could make their own computer secure then who would buy their software.

    Many others have day jobs and would claim not to have the time.

    Hey....do you run your groups in reality or do you run your groups over the internet?



    Starrob
     
  11. Rmus

    :cool:


    It's nothing elaborate. When one of us helps a person who seems interested in acquiring computing habits ("Why do I get so many viruses?"), then we go from there. Often, we'll find a person just starting out. They are the most fun because they have no bad habits to unlearn!

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  12. Vikorr

    By education, I presume you mean (one part of it is) showing people that they need to change their dangerous behaviours?

    The problem here would be that many people simply don't want to change their computer behaviours (of course some will).

    For the rest of how you defined education, that's pretty much what I think.

    Although for me... I think the minimum needed is Firewall, AV, HIPS (when HIPS get advanced enough that one does the job properly. I 'think' Prevx is heading in the right direction for that). Actually... I think AV/HIPS will eventually merge, so down the track, Firewall + HIPSAV.
     
  13. ---

    --- Guest

    Rootkits can technically be spread by worms as well. But otherwise absolutely correct.

    Personally I agree with the point about education. I've become so educated on computer security these days, I can eyeball a file and my sixth sense tells me whether it is malware or not.

    I believe it even beats NOD's Heuristics in finding unknown malware.

    I offered to be tested on VB100 but they rejected me because I would obviously be a strong competitor for NOD and you know how they are biased.

    Jotti rejected my services as a scanner because he only runs Linux programs, which I am not.
     