Z0mBiE rootkit- Bypassed all ARK tools

Discussion in 'malware problems & news' started by aigle, Mar 8, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    According to EP_X0FF, this rootkit doesn't work in LUA :)
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Are there rootkits that work in LUA?
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    EP_X0FF said:
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Full user-mode rootkits should work in LUA.
     
  6. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    How, if no execution/write is possible?
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Execution is allowed everywhere under LUA (unless you're combining LUA with SRP) and you can do some process hiding (AFAIK)
     
  8. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    If by LUA you mean a simple standard Windows limited user account (without any other kind of restrictions), then yes, there are, of course.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Lucas and Eraser.
     
  10. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Might be a good idea to now read the whole thread there... it is very funny :D So many egos and not enough stages in the world.
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Oh so true, the VT bit about samples made me chuckle... some folks forget that VT uploads are sent out on the wire as received to the participating vendors. Whether or not they look at a sample is another kettle of fish, though, but all uploads should be trackable and recoverable by MD5 alone, IIRC.

    So what's in a name ...."Z0mBiE"....returns ;)
     
  12. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    This was my point. I should have been more specific.
    If used in conjunction with Windows Policies, that's false.
     
    Last edited: Mar 9, 2008
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Correct :)
    Have you tested LUA+SRP against live exploits?
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Only related to the mass.

    WakeUp_Neo, why don't you join this thread? Mr Chameleon is always present, or his bot friend, whatever.
    Zombies are everywhere :D:D
     
    Last edited: Mar 9, 2008
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Which HIPS and sandboxes does it bypass (when granted execution rights)?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ya, SystemJunkie! Can you try it against some HIPS and sandboxes and post us some screenshots, or just plain info, if it's not against the EULA? :D

    I would like to know about:

    CFP Defence plus
    GesWall
    ThreatFire
    SBIE
    EQS

    Thanks
     
  17. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Of course, many. I have yet to be infected.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That's good to know. Thanks :)
     
  19. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    It's (LUA+SRP) a methodology that not too many people seem to use. I don't know why; it's easy, secure, free and gets even better using 64-bit Vista. I have two test boxes, one with XP Pro, the other with Vista 64-bit. I try to test with the newest files I can find, the ones AV software doesn't recognize yet. I then check for any possible infiltration(s) using a variety of tools run from inside the hard drive and also from outside the hard drive.
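    The LUA+SRP setup discussed in the posts above (a limited user account plus a Software Restriction Policy whose default level is "Disallowed", so that execution is only permitted from a few admin-owned paths) is easy to misconfigure in a way that leaves execution allowed everywhere, which is the situation lucas1985 describes for plain LUA. The following PowerShell script is an added example, not something posted in the thread, that reads the SRP configuration from the registry and reports whether the machine is actually in default-deny mode, whether DLLs are covered, and which path rules carve out exceptions. It assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the value names DefaultLevel, TransparentEnabled, PolicyScope, and the per-level Paths\{GUID}\ItemData rules); run it as a normal user on the box being checked.

```powershell
# Added example (not from the thread): report whether the SRP policy on this
# machine is in the default-deny ("Disallowed") mode that LUA+SRP relies on,
# and list the path rules that make exceptions to it.
# Assumed registry layout: the documented SRP CodeIdentifiers key and values.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $base)) {
    Write-Output 'No SRP policy configured (CodeIdentifiers key absent).'
    Write-Output 'A limited user can therefore run executables from any location they can write to.'
    return
}

$cfg = Get-ItemProperty -Path $base

# DefaultLevel: 0 = Disallowed, 0x1000 = Basic User, 0x40000 = Unrestricted
$levels = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

if ($null -eq $cfg.DefaultLevel) {
    $defaultName = 'not set (treated as Unrestricted)'
} else {
    $defaultName = $levels[[int]$cfg.DefaultLevel]
    if (-not $defaultName) { $defaultName = "unknown ($($cfg.DefaultLevel))" }
}

# TransparentEnabled: 1 = check executables only, 2 = also check DLLs
$dllCheck = if ($cfg.TransparentEnabled -eq 2) { 'yes' } else { 'no' }

# PolicyScope: 0 = applies to all users, 1 = local administrators are exempt
$scope = if ($cfg.PolicyScope -eq 1) { 'all users except administrators' } else { 'all users' }

Write-Output "Default security level : $defaultName"
Write-Output "DLLs checked           : $dllCheck"
Write-Output "Applies to             : $scope"

if ($null -eq $cfg.DefaultLevel -or [int]$cfg.DefaultLevel -ne 0) {
    Write-Output 'WARNING: default level is not Disallowed; SRP is NOT in default-deny mode.'
}

# Path rules live under <level>\Paths\<GUID>, each carrying an ItemData value
# with the (possibly environment-expanded) path the rule applies to.
Write-Output 'Path rules:'
foreach ($lvl in $levels.Keys) {
    $pathsKey = Join-Path $base "$lvl\Paths"
    if (Test-Path $pathsKey) {
        Get-ChildItem -Path $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            Write-Output ('  {0,-12} {1}' -f $levels[$lvl], $rule.ItemData)
        }
    }
}
```

    A healthy LUA+SRP configuration shows a Disallowed default level, DLL checking enabled, and Unrestricted path rules only for directories a limited user cannot write to (typically %SystemRoot% and %ProgramFiles%); any Unrestricted rule pointing at a user-writable location, such as a profile or temp directory, is the gap to close.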
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    That would be great.
    LUA + SRP is slowly (but surely) catching people's attention here at Wilders. See here and here.
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Probably it is :D ;)
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Are you sure? You might ask the vendor! :D
     