Z0mBiE rootkit- Bypassed all ARK tools

Discussion in 'malware problems & news' started by aigle, Mar 8, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,110
    Location:
    Saudi Arabia/ Pakistan
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    According to EP_X0FF, this rootkit doesn't work in LUA :)
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,110
    Location:
    Saudi Arabia/ Pakistan
    Are there rootkits that work in LUA?
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,110
    Location:
    Saudi Arabia/ Pakistan
    EP_X0FF said:
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Full user-mode rootkits should work in LUA.
     
  6. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    How, if no execution/write is possible.
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Execution is allowed everywhere under LUA (unless you're combining LUA with SRP) and you can do some process hiding (AFAIK)
     
  8. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    If with LUA you mean simple standard Windows limited user account (without any other kind of restrictions) yes, there are, of course.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,110
    Location:
    Saudi Arabia/ Pakistan
    Thanks Lucas n Eraser.
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Might be a good idea to now read the whole thread there...it is very funny :D So many ego's and not enough stages in the world.
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Oh so true,the VT bit about samples made me chuckle....some folks forget that VT uploads are sent out on the wire as received to the participating Vendors.Whether or not they look at a sample is another kettle of fish tho but all uploads should be trackable and recoverable by MD5 alone IRC

    So what's in a name ...."Z0mBiE"....returns ;)
     
  12. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    This was my point. I should have been more specific.
    If used in conjunction with Windows Policies, that's false.
     
    Last edited: Mar 9, 2008
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Correct :)
    Have you tested LUA+SRP against live exploits?
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Only related to the mass.

    WakeUp_Neo why you do not join this thread? Mr Chameleon always present or his bot friend whatever.
    Zombies are everywhere :D:D
     
    Last edited: Mar 9, 2008
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Which HIPS and sandboxes does it bypass (when granted execution rights)?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,110
    Location:
    Saudi Arabia/ Pakistan
    Ya, System Junkie! can u try it against some HIPS, sandboxes and post us some screenshots or just plain info if it,s not against EULA? :D

    I will like to know about:

    CFP Defence plus
    GesWall
    ThreatFire
    SBIE
    EQS

    Thanks
     
  17. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Of course, many. I have yet to be infected.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's good to know. Thanks :)
     
  19. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    It's (LUA+SRP) a methodology that not too many people seem to use. I don't know why; it's easy, secure, free and gets even better using 64-bit Vista. I have two test boxes, one with XP Pro, the other with Vista 64-bit. I try to test with the newest files I can find, the ones AV software don't recognize yet. I then check for any possible infiltration(s) using a variety of tools run from inside the hard drive and also from outside the hard drive.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That would be great.
    LUA + SRP is slowly (but surely) catching people's attention here at Wilders. See here and here.
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Probably it is :D ;)
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,110
    Location:
    Saudi Arabia/ Pakistan
    Are u sure? U might ask the vendor! :D
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.