"undetectable" new spy? How to find out?

Discussion in 'other anti-malware software' started by Velocity, Jul 29, 2005.

Thread Status:
Not open for further replies.
  1. Velocity

    Velocity Registered Member

    Joined:
    Aug 2, 2003
    Posts:
    10
    Hi guys and gals! I was surfing the net and found an expensive program called UltraView Plus which *claims* to be completely undetectable. I don't want to spend $$$ to find out and was wondering how we would know if our security programs can detect it? It seems to be aimed more at detectives but the average joe can buy it too, so I'd consider it a real threat.
     
  2. wildewest

    wildewest Guest

    You mean this http://www.awarenesstech.com/
    It doesn't look like they have a free trial version available, so I can't test it out, too bad. For $100. US it's a bit too overpriced for my budget at this time.

    But here's what they claim at their website about it.


    "Invisibility

    Invisibility is of paramount importance when gathering information.

    With UltraView Plus, you can completely monitor all of their activity without them ever knowing that you are checking in on them. They will relax, and you can finally relax knowing that they are safe.

    Other monitoring methods are sloppy, only hiding the most obvious elements and not taking into account how computer savvy the average person can be today. UltraView Plus, however, was originally designed to meet the unbelievably demanding requirements of governmental intelligence agencies. So you can rest assured that none of the anti-spyware or anti-virus software currently available can detect UltraView Plus.

    By design, UltraView Plus is hidden from everyone except the people authorized to see it. It does not appear in the Registry, the Process List, the System Tray, the Task Manager, on the Desktop, or in Add/Remove programs. There aren't even any visible files that can be detected!

    Not only does UltraView Plus work undetected, but it also circumvents ALL firewall programs, allowing you to gather the information you need without worrying about tripping any alarms.

    UltraView Plus is the ONLY industrial-strength computer monitoring software available. It won't let you or your family down."


    I find it hard to believe it can just get around your firewall as easily as they make it sound. But then again, unless someone actually tries it out we won't know for sure.

    Maybe someone could comment on it who may have tried it, or knows for sure if it really can get around any firewall the way they claim it can and if it's really so undetectable to AV and AS software.
     
  3. Velocity

    Velocity Registered Member

    Joined:
    Aug 2, 2003
    Posts:
    10
    Yup, that's the one...sounds like a commercial rootkit to me.
     
  4. trilabs

    trilabs Guest

    If it's a rootkit, then you should be able to find it with RootkitRevealer or UnHackme, but I'm not totally sure about that.

    I'm really surprised there haven't been more responses to this thread. :(
     
  5. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    I would think that this is likely to be some kind of driver-based install like Elite Keylogger. Once you're in at that level it can be very difficult to detect (and remove) because it can easily hide from the registry, task list, explorer, etc.

    Ideally, in this case you would have some software running on the PC beforehand so that attempts to install it can be detected and logged. From here, we can find out how it works and a way to circumvent it.


    Mike
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    SpyCop claims to detect it as of 7/29. See

    http://www.dslreports.com/forum/remark,14018913

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Yes, I can confirm that my copy of Spycop has this in its database. So much for undetectable!!!

    muf
     
  8. Velocity

    Velocity Registered Member

    Joined:
    Aug 2, 2003
    Posts:
    10
    Sounds good then - at least there is some protection against this program. Can any other (free) anti-kl programs find it?
     
  9. traveltimes

    traveltimes Guest

    I would bet that programs like Security task manager, that use a heuristic based detection method, could detect it. If spyflop can find it probably just about any anti-keylogger could. ;)
     
  10. Velocity

    Velocity Registered Member

    Joined:
    Aug 2, 2003
    Posts:
    10
    Thanks for the useful info everyone. I've decided to buy a Spycop license due to the overwhelmingly positive feedback on it in both this forum and in DSL reports. I had done some testing and experimenting with the program in trial mode a long while back and kind of forgot about it until now.

    MikeNash - Is a kernel mode spy program the same thing as a rootkit spy program or is there some difference?
     
  11. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,101
    Yes, Velocity, kernel mode rootkits are different - they are the real thing!

    Checkout this recent article based on demo at Black Hat conference in Vegas:
    'Shadow Walker' Pushes Envelope for Stealth Rootkits
    http://www.eweek.com/article2/0,1895,1841266,00.asp

    A new way to hide malicious programs.

    The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

    With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

    "This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

    Butler is co-author of a new security book with a focus on what an intruder can do to cover her presence on a compromised machine. Hoglund is the author of the rootkit.com website.

    Rootkits: Subverting the Windows Kernel by Greg Hoglund, Jamie Butler
    http://www.bookpool.com/sm/0321294319

    -- Tom
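
    A concrete version of the cross-view check that RootkitRevealer-style tools rely on, written here as an added example and not taken from the thread or the eWeek article: it assumes a Windows host with PowerShell 2.0 or later and compares the process list the Windows API reports with the set of PIDs that OpenProcess still resolves, which is how a process unlinked from the kernel's list by DKOM (as the FU rootkit does) can still be spotted from user mode.

```powershell
# Cross-view process check (added example, not a tool from this thread).
# View 1: the process list Windows hands to Task Manager / Get-Process.
# View 2: every PID the kernel still resolves through OpenProcess.
# A DKOM rootkit that unlinks its EPROCESS from ActiveProcessLinks vanishes
# from view 1 but is usually still reachable by PID in view 2.
Add-Type -Namespace CrossView -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # Vista and later; use 0x0400 on XP
$ERROR_ACCESS_DENIED = 5                      # PID exists, the process is just protected

function Get-ApiPidView {
    # High-level view: what Task Manager and most anti-spyware scanners see.
    (Get-Process).Id
}

function Get-RawPidView {
    # Low-level view: probe every possible PID (PIDs are multiples of 4).
    $alive = New-Object System.Collections.Generic.List[int]
    for ($candidate = 4; $candidate -le 65532; $candidate += 4) {
        $h = [CrossView.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][CrossView.Native]::CloseHandle($h)
            $alive.Add($candidate)
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            $alive.Add($candidate)      # cannot open it, but it is definitely there
        }
    }
    return $alive
}

# Take the API view before and after the slow raw scan and report only PIDs
# absent from both; that filters processes that started or exited while the
# scan ran (one that starts and exits inside the window can still appear, so
# confirm any hit with a second run).
$before = Get-ApiPidView
$raw    = Get-RawPidView
$after  = Get-ApiPidView
$hidden = $raw | Where-Object { ($before -notcontains $_) -and ($after -notcontains $_) }

if ($hidden) {
    Write-Output "PIDs reachable by handle but missing from the process list:"
    $hidden | ForEach-Object { Write-Output ("  PID {0}" -f $_) }
} else {
    Write-Output "No discrepancy between the API and raw process views."
}
```

    This only catches hiding done by unlinking from the process list; a driver that also hooks NtOpenProcess, or the memory-subversion approach Shadow Walker demonstrates, defeats the check, which is why MikeNash's point about having monitoring in place before the install matters more than any after-the-fact scan.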
     
  12. trifactor

    trifactor Guest

    Lotuseclat79,

    I know your post was in response to Velocity, but I think it really should be in a thread of its own, so others can see this somewhat disturbing info on the next generation of rootkits.
     
  13. controler

    controler Guest

    I had already posted it in another thread.

    Kevin claims rootkits are no el problemo.
    I would like his view on one of a kind builds.

    controler
     