Everything posted by Nytro

  1. DEFCON 17: More Tricks For Defeating SSL
     Speaker: Moxie Marlinspike
     This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
     For more information visit: DEFCON
  2. DeepSec 2010: OsmocomBB: A tool for GSM protocol level security analysis of GSM networks
     Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
     Speaker: Harald Welte, hmw-consulting
     The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone. For decades, the cellular industry, comprising cellphone chipset makers and network operators, has kept its hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD). Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: a simple transceiver that will send arbitrary protocol messages to a GSM network. Well-known and established techniques like protocol fuzzing can finally be used in GSM networks and reveal how reliable and fault tolerant the equipment used in the GSM networks really is.
     For more information visit: Schedule - DeepSec IDSC 2010 Europe - Vienna, November 23-26, 2010
     To download the video visit: DeepSec 2010 on Vimeo
  3. DeepSec 2009: A Practical DoS Attack against the GSM Network
     Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
     Speaker: Dieter Spaar
     GSM is riddled with security issues. Dieter Spaar talks about design flaws of the GSM protocol and how they can be exploited to shut down GSM base stations. The talk includes a live demonstration.
     For more information visit: Schedule - DeepSec IDSC 2010 Europe - Vienna, November 23-26, 2010
     To download the video visit: DeepSec 2009 on Vimeo
  4. DeepSec 2007: The Three Faces of CSRF
     Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
     Speaker: Martin Johns, University of Hamburg
     Even though Cross Site Request Forgery (CSRF) vulnerabilities have made it into the OWASP Top 10 [1], this vulnerability class is still often ignored and almost always belittled. While in 2006 alone 1282 XSS vulnerabilities were collected by the CWE project, only 5 (!) CSRF issues were recorded in the same timeframe [2]. This talk will discuss the various existing CSRF attack vectors and exemplify the issues with real world examples:
     * Executing arbitrary actions on the web application using the attacked user's identity and authentication context
     * Subverting the company's firewall and exploring the intranet
     * Leaking sensitive information via hijacking JSON data
     Furthermore, we will demonstrate how a simple CSRF exploit can be created semi-automatically in less than 5 minutes. The last quarter of the talk will be devoted to a brief overview of our client side CSRF protection tools RequestRodeo [3] and LocalRodeo [4].
     [1] OWASP Top 10: http://www.owasp.org/index.php/Top_10_2007
     [2] Vulnerability Type Distributions in CVE: CWE - Vulnerability Type Distributions in CVE
     [3] RequestRodeo: RequestRodeo
     [4] LocalRodeo: databasement.net
     For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
     To download the video visit: DeepSec 2007 on Vimeo
  5. DeepSec 2007: Oracle Security: Orasploit
     Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
     Speaker: Alexander Kornbrust, Red Database Security
     Orasploit is an Oracle exploit framework which automatically exploits vulnerabilities in Oracle databases. With orasploit it is possible to exploit an (unprotected/unpatched) database. Orasploit supports various exploits, privilege escalation techniques and many different payloads. We show different possibilities to create / write / read files, D.o.S., new ways to send data via HTTP requests from the database, ... It is possible to extend orasploit with your own custom exploits.
     For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
     To download the video visit: DeepSec 2007 on Vimeo
  6. DeepSec 2007: Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
     Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
     Speaker: Shreeraj Shah, Net Square Solutions Pvt. Ltd.
     With Web 2.0 applications being adopted by businesses at a very quick pace, security concerns around these technologies too have grown. Ajax and Web Services are key components in the Web 2.0 framework. Understanding new technology key components vis-à-vis attack vectors is imperative if the security concerns are to be adequately addressed. Financial services companies such as Wells Fargo and E*Trade are adopting Web 2.0 technologies by building next generation Enterprise 2.0 solutions. Ajax fingerprinting, crawling and scanning are key aspects for Web 2.0 threat profiling. It is possible to identify XSS and XSRF vulnerabilities and likely weak entry points on the basis of proper threat profiles. As ethical hackers, scanning and fuzzing must be accomplished before attackers have the chance to exploit vulnerable Web Services running on XML-RPC, SOAP and REST. This presentation is going to reveal methodologies, techniques and tricks to hack Web 2.0 applications and defense strategies to secure them. The presentation includes a number of demonstrations and real-life cases encompassing next generation attacks and defense. The speaker has already authored several tools -- wsChess (Web Services hacking toolkit), Ajaxfinger, ScanAjax and MSNPawn -- that will be demonstrated in detail.
     For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
     To download the video visit: DeepSec 2007 on Vimeo
  7. DeepSec 2007: Fuzzing and Exploiting Wireless Drivers
     Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
     Speakers: Sylvester Keil, Clemens Kolbitsch, Vienna University of Technology, Sec Consult
     This paper documents the process of identifying potential vulnerabilities in IEEE 802.11 device drivers through fuzzing. The relative complexity of 802.11 as compared to other layer two protocols imposes a number of non-trivial requirements on regular 802.11 protocol fuzzers. This paper describes a new approach to fuzzing 802.11 device drivers on the basis of emulation. First, the process of creating a virtual 802.11 device for the processor emulator QEMU is described. Then, the development of a stateful 802.11 fuzzer based on the virtual device is discussed. Finally, we report the results of fuzzing the Atheros Windows XP driver, as well as the official and open source MADWifi drivers. Furthermore, to document the process of exploiting 802.11 wireless device driver vulnerabilities, the issues of executing arbitrary code in kernel-mode on Linux and Windows systems will be addressed as well. We will present a Metasploit exploit implementation similar to the stager approach taken in Metasploit's Windows kernel-mode exploits.
     For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
     To download the video visit: DeepSec 2007 on Vimeo
  8. DeepSec 2007: Breaking and Securing Web Applications
     Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
     Speaker: Nitesh Dhanjani
     The application layer exposes an organization to a huge attack surface. A single coding error within millions of lines of code can spell disaster for an organization. Security products and consultants are trying hard to keep up with the new attack vectors, but so are the attackers. Few security vendors will admit the class of vulnerabilities that cannot be scanned, parsed, or fuzzed for. There are categories of extremely high risk vulnerabilities that continue to plague web applications because organizations do not realize the root cause of these vulnerabilities while commercial product vendors continue to promise a one-click-and-scan solution. This talk will focus on the discussion of high risk vulnerabilities that plague web applications today, including the following: Cross Site Scripting (XSS), Cross Site Request Forgery (XSRF), (anti) DNS Pinning, Browser plugin hijacking, and more. This talk will also discuss how these vulnerabilities can be abused by an external entity to launch attacks against a company's internal network. These attacks are lethal because they can abuse a legitimate user's browser to act as a proxy between the attacker and the company's internal network. In other words, stop believing the security vendor hype. Your applications are more vulnerable than ever before, it has become much harder to secure them, and your 'enterprise' crown jewels are most likely hanging out in the open.
     For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
     To download the video visit: DeepSec 2007 on Vimeo
  9. DeepSec 2007: Intercepting GSM traffic
     Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
     Speaker: Steve
     This talk is about GSM security. We will explain the security, technology and protocols of a GSM network. We will further present a solution to build a GSM scanner for $900. The last part of the talk focuses on cracking a GSM conversation. http://wiki.thc.org/gsm
     For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
     To download the video visit: DeepSec 2007 on Vimeo
  10. DeepSec 2010: Android Reverse Engineering and Forensics
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Raphaël Rigo, French Network and Information Security Agency (ANSSI)
      While Android security architecture is now well understood and has been presented over and over, the details of actually reversing software running on it are scarce. This talk will explore the filesystem, memory, and reverse engineering techniques in-depth.
      For more information visit: Schedule - DeepSec IDSC 2010 Europe - Vienna, November 23-26, 2010
      To download the video visit: DeepSec 2010 on Vimeo
  11. 27c3: Wideband GSM Sniffing (en)
      Speakers: Karsten Nohl, Sylvain Munaut
      GSM is still the most widely used security technology in the world with a user base of 5 billion and a quickly growing number of critical applications. 26C3's rainbow table attack on GSM's A5/1 encryption convinced many users that GSM calls should be considered unprotected. The network operators, however, have not woken up to the threat yet. Perhaps the new capabilities to be unleashed this year -- like wide-band sniffing and real-time signal processing -- will wake them up. Now that GSM A5/1 encryption can be cracked in seconds, the complexity of wireless phone snooping moved to signal processing. Since GSM hops over a multitude of channels, a large chunk of radio spectrum needs to be analyzed, for example with USRPs, and decoded before storage or decoding. We demonstrate how this high bandwidth task can be achieved with cheap programmable phones.
      For more information visit: Welcome - 27C3 public wiki
      To download the video visit: Index of /CCC/27C3
  12. 25c3: Running your own GSM network
      Speakers: Dieter Spaar, Harald Welte
      This presentation will mark the first public release of a new GPL licensed Free Software project implementing the GSM fixed network, including the various minimal necessary functionality of BSC, MSC, HLR. It will introduce the respective standards and protocols, as well as a short demonstration of an actual phone call between two mobile phones registered to the base station. On the Ethernet/IP based Internet, we are used to Free Software and general-purpose hardware. The world's second largest communications network, GSM, couldn't be any more different. Even though the protocols are standardized and publicly available at the ETSI, all implementations are highly-guarded proprietary secrets of a few major players in the industry. The hardware is even more closed, as there is not a single GSM subscriber or base station chipset with even the least bit of publicly known information. Nonetheless, in recent years there are a number of different projects working on driving a wedge of Openness into this world. You might have heard about other projects like the THC GSM sniffer project (pure wireshark-like functionality) and OpenBTS (a software defined radio based GSM base station interfacing with the Asterisk VOIP server). This presentation is about yet another new GSM related Open Source project. A project that follows the GSM specs more closely and actually aims at interoperability with existing equipment such as hardware BTS hooked up via S2M interface to a Linux-running PC. As part of the presentation we plan to show a live demonstration of a phone call using our own GSM network.
      More information about the 25th Chaos Communication Congress can be found via the Chaos Communication Congress website: 25C3: 25th Chaos Communication Congress
      Source: Conference Recordings - 25C3 Public Wiki
  13. DeepSec 2010: Targeted DOS Attack and various fun with GSM Um
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Sylvain Munaut, Independent Researcher
      Recent years have seen a dramatic drop in the barrier to entry into GSM research. A couple of years ago, tools like OpenBTS & OpenBSC appeared, allowing anyone to run an experimental GSM network with a relatively low budget. Much more recently, Osmocom-BB brought MS-side experimentation at an even lower budget. This talk presents an exploit discovered while working on those projects that allows one to perform a DOS on a specific target: from its first inception to its actual implementation on a TI Calypso based phone with a custom firmware. This talk will also cover other interesting tricks possible with modified phones, like using them as a cheap alternative to USRP for passive listening, for instance.
      For more information visit: Schedule - DeepSec IDSC 2010 Europe - Vienna, November 23-26, 2010
      To download the video visit: DeepSec 2010 on Vimeo
  14. BlackHat USA 2011: SSL And The Future Of Authenticity
      Speaker: Moxie Marlinspike
      In the early 90's, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well as the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. But while it's amazing that SSL has endured for as long as it has, some parts of it -- particularly those concerning Certificate Authorities -- have always caused some friction, and have more recently started to cause real problems. This talk will provide an in-depth examination of the current problems with authenticity in SSL, discuss some of the recent high-profile SSL infrastructure attacks in detail, and cover some potential strategies for the future. It will conclude with a software release that aims to definitively fix the disintegrating trust relationships at the core of this fundamental protocol.
      For more information or to download the video visit: Black Hat
  15. 28c3: 802.11 Packets in Packets
      Travis Goodspeed: 802.11 Packets in Packets - A Standard-Compliant Exploit of Layer 1
      http://www.youtube.com/watch?v=thUM323ufG0
      New to 2011, Packet-in-Packet exploits allow for injection of raw radio frames into remote wireless networks. In these exploits, an attacker crafts a string that when transmitted over the air creates the symbols of a complete and valid radio packet. When radio interference damages the beginning of the outer packet, the receiver is tricked into seeing only the inner packet, allowing a frame to be remotely injected. The attacker requires no radio, and injection occurs without a software or hardware bug. This lecture presents the first implementation of Packet-in-Packet injection for 802.11B, allowing malicious PHY-Layer frames to be remotely injected. The attack is standards-compliant and compatible with all vendors and drivers. Unlike the simpler implementations for 802.15.4 and 2FSK, 802.11B presents a number of unique challenges to the PIP implementer. A single packet can use up to three symbol sets and three data-rates, switching rates once within the header and a second time for the beginning of the body. Additionally, a 7-bit scrambler randomizes the encoding of each packet, so the same string of text can be represented 128 different ways at the exact same rate and encoding. As a demo, we intend to present a malicious string which can be embedded in any file with lots of slack space, such as an ISO image. When this image is downloaded over HTTP on 802.11B, beacon frames will be injected. For the demo, we will be injecting the SSID stack buffer overflow frames from Uninformed Volume 6.
      Source: https://www.youtube.com/user/28c3#p/u/10/thUM323ufG0
  16. 28c3: Defending mobile phones
      Karsten Nohl, Luca Melette: Defending mobile phones
      http://www.youtube.com/watch?v=XK_Jx1993Eg
      Cell phone users face an increasing frequency and depth of privacy intruding attacks. Defense knowledge has not scaled at the same speed as attack capabilities. This talk intends to revert this imbalance. Most severe attack vectors on mobile phones are due to an outdated technology base that lacks strong cryptographic authentication or confidentiality. Given this discrepancy between protection need and reality, a number of countermeasures were developed for networks and phones to better protect their users. We explain the most important measures and track their deployment. Furthermore, we will release tools to measure the level of vulnerability of networks. Sharing the results of these measurements will hopefully create problem awareness and demand for more security by phone users around the world.
      Source: https://www.youtube.com/user/28c3#p/u/5/XK_Jx1993Eg
  17. Mathias Payer: String Oriented Programming - Circumventing ASLR, DEP, and Other Guards
      The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming, string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application that contains a format string exploit as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.
      Source: https://www.youtube.com/user/28c3#p/u/3/bjcm391lkyA
  18. Dan Kaminsky: Black Ops of TCP/IP 2011
      Source: https://www.youtube.com/user/28c3#p/u/1/KYS0XHzxOsY
      Worth watching, it covers many interesting things.
  19. The Anonymous guys = Gigi Becali, more likely.
  20. These same people were saying that they weren't the authors of the attack, because it doesn't fall within their area of activity, and that there is nothing ethical about this action. Well now, I could put on a mask too and say that the CIA is behind the attack, throw in the "We are Anonymous" line, and done, the whole nation believes whatever I say.
  21. I also bought two classic books today:
      - F.M. Dostoievski - Crime and Punishment
      - Vladimir Nabokov - Lolita
  22. Official Android Market hosts many Malware Games
      F-Secure researchers recently found malware in the Android Market disguised as free versions of popular games. Disguising malware as a free version of a popular game (such as Cut the Rope and Assassin's Creed) seems to be a popular tactic that the bad guys are using to scam users of Google's Android Market app store. Overnight more malware appeared in Google's official app repository. The Trojanized games have been uploaded by a company calling itself Eldar Limited. This is the second time in two weeks malware disguised as free games has been uploaded to the Android Market. Google's app police managed to detect this fraud and quickly removed it from the Android Market. While the apps are still listed on AppBrain and AndroidZoom, the links will direct users back to the official Android Market where they have already been removed.
      "These have now been removed by Google, but their appearance in the official Android Market in the first place is worrying. Not only is Google putting Android users into contact with malware, it is also allowing the brand names of reputable companies to be tarnished by letting the bad guys upload this stuff to the Android Market in the first place." ZDNet posted.
      F-Secure posted a tip to help you figure out whether a free app is genuine or not: A useful tip for users out there is to search for the paid version of the app and take note of the developer's name. If the name on both paid and free versions matches, then it is very likely to be a safe app. Otherwise, don't proceed with the download.
      Source: http://thehackernews.com/2011/12/official-android-market-host-many.html
  23. Remote Windows Kernel Exploitation - A step into Ring0
      Blackhat US 05. Author: Barnaby Jack
      Download: www.blackhat.com/presentations/bh-usa-05/BH_US_05-Jack_White_Paper.pdf
  24. Short key IDs are bad news (with OpenPGP and GNU Privacy Guard)
      Mon, 26 Dec 2011

      Summary: It is important that we (the Debian community that relies on OpenPGP through GNU Privacy Guard) stop using short key IDs. There is no vulnerability in OpenPGP and GPG. However, using short key IDs (like 0x70096AD1) is fundamentally insecure; it is easy to generate collisions for short key IDs. We should always use 64-bit (or longer) key IDs, like: 0x37E1C17570096AD1 or 0xEC4B033C70096AD1.

      TL;DR: This now gives two results:

          gpg --recv-key 70096AD1

      Some background, and my two keys

      Years ago, I read dkg's instructions on migrating the Debian OpenPGP infrastructure. It told me that the time and effort I had spent getting my key into the strong set wasn't as useful as I thought it had been. I felt deflated. I had put in quite a bit of effort over the years to strongly-connect my key to a variety of signatures, and I had helped people get their own keys into the strong set this way. If I migrated off my old key and revoked it, I'd be abandoning some people for whom I was their only link into the strong set. And what fun it was to first become part of the strong set! And all the eyebrows I raised when I told people I was going to meet up with people I met on a website called Biglumber... I even made it my Facebook.com user ID. So if I had to generate a new key, I decided I had better really love the short key ID. But at that point, I already felt pretty attached to the number 0x70096AD1. And I couldn't come up with anything better. So that settled it: no key upgrade until I had a new key whose ID is the same as my old key. That dream has become a reality. Search for my old key ID, and you get two keys!

          $ gpg --keyserver pgp.mit.edu --recv-key 0x70096AD1
          gpg: requesting key 70096AD1 from hkp server pgp.mit.edu
          gpg: key 70096AD1: public key "Asheesh Laroia <asheesh@asheesh.org>" imported
          gpg: key 70096AD1: public key "Asheesh Laroia <asheesh@asheesh.org>" imported
          gpg: no ultimately trusted keys found
          gpg: Total number processed: 2
          gpg:               imported: 2  (RSA: 1)

      A neat stunt abusing --refresh-keys

      Thanks to a GNU Privacy Guard bug, it is super easy to get my new key. Let's say that, like many people, you only have my old key on your workstation:

          $ gpg --list-keys | grep 70096AD1
          pub   1024D/70096AD1 2005-12-28

      Just ask GPG to refresh:

          $ gpg --keyserver pgp.mit.edu --refresh-keys
          gpg: refreshing 1 key from hkp://pgp.mit.edu
          gpg: requesting key 70096AD1 from hkp server pgp.mit.edu
          gpg: key 70096AD1: public key "Asheesh Laroia <asheesh@asheesh.org>" imported
          gpg: key 70096AD1: "Asheesh Laroia <asheesh@asheesh.org>" not changed
          gpg: Total number processed: 2
          gpg:               imported: 1  (RSA: 1)
          gpg:              unchanged: 1
          gpg: no ultimately trusted keys found

      Now you have two:

          $ gpg --list-keys | grep 70096AD1
          pub   1024D/70096AD1 2005-12-28
          pub   4096R/70096AD1 2011-03-11

      There is a bug filed in GNU Privacy Guard about this. It has a patch attached. There is, at the moment, no plan for a new release.

      A faster attack, but nothing truly new

      My friend Venkatesh tells me there is an apocryphal old Perl script that could be used to generate key ID collisions. Here in the twenty-first century, l33t h4x0rz like Georgi Guninski are trying to create collisions. In May 2010, "halfdog" posted a note to the full-disclosure list that generates PGP keys with chosen short key IDs. I haven't benchmarked or tested that tool, but I have used a different tool (private for now) that can generate collisions in a similar fashion. It takes about 3 hours to loop through all key IDs on a dinky little netbook. You don't have to use any of these tools. You can just rent time on an elastic computing service or a botnet, or your own personal computer, and generate keys until you have a match. I think that it's easy to under-estimate the seriousness of this problem: tools like the PGP Key Pathfinder should be updated to only accept 64-bit (or longer) key IDs if we want to trust their output.

      My offer: I will make you a key

      I've been spending some time wondering: What sort of exciting demonstration can I create to highlight that this is a real problem? Some ideas I've had:
      - Publish a private/public key pair whose key ID is the same as Phil Zimmermann's, original author of PGP
      - Publish a private/public key pair whose key ID is the same as Werner Koch's, maintainer of GNU Privacy Guard
      - Publish a set of public keys that mimic the entire PGP strong set, except where I control the private key of all these keys
      The last one would be extremely amusing, and would be a hat-tip to some work discussed in Raph Levien's Google Tech Talk about Advogato. For now, here is my offer: If you send me a request signed with a key in the strong set, I will create a 4096-bit RSA public/private key pair whose 32-bit key ID is one greater than yours. So if you are 0x517DD4E4 I will generate 0x517DD4E5. I will post the keys here, along with a note about who requested it, and instructions on how to import them into your keyring. (Note: I will politely decline to create a new key whose 32-bit key ID would create a collision; apologies if your key ID is just one away from someone else's.)

      P.S. The prize for best sarcastic retort goes to Ian Jackson. He said, "I should go and create a lot of keys with your key ID. I'll set the real name to 'Not Asheesh Laroia' so everyone is totally clear about what is going on."

      Source: Short key IDs are bad news (with OpenPGP and GNU Privacy Guard) :: Asheeshworld
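As an added example (not code from the original post or from GnuPG), the Python below shows where the 32-bit key ID comes from, applies the policy the post argues for (accept only 64-bit IDs or full fingerprints when referring to a key), and flags a keyring listing in which one short ID resolves to two different keys. The two long key IDs are the ones quoted in the post; the fingerprint and the `gpg --list-keys` lines are constructed sample input.

```python
"""Short key ID hygiene for OpenPGP (added example, not from the original post).

For a v4 OpenPGP key the 64-bit "long" key ID is the low 64 bits of the
160-bit fingerprint, and the 32-bit "short" key ID is the low 32 bits of
that. Two keys with different fingerprints can therefore share a short ID,
which is exactly the situation the post demonstrates.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# The two long key IDs quoted in the post; both end in the same 32 bits.
LONG_IDS_FROM_POST = ["0x37E1C17570096AD1", "0xEC4B033C70096AD1"]


def normalize_hex(value: str) -> str:
    """Strip an optional 0x prefix and internal spaces; return upper-case hex."""
    value = value.strip()
    if value.lower().startswith("0x"):
        value = value[2:]
    value = value.replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]+", value):
        raise ValueError(f"not a hex key identifier: {value!r}")
    return value


def key_ids_from_fingerprint(fingerprint: str) -> Tuple[str, str]:
    """Return (long_id, short_id) derived from a 40-hex-digit v4 fingerprint."""
    fpr = normalize_hex(fingerprint)
    if len(fpr) != 40:
        raise ValueError("a v4 OpenPGP fingerprint is 40 hex digits")
    return fpr[-16:], fpr[-8:]


def short_id_from_long(long_id: str) -> str:
    """The 32-bit key ID is simply the low half of the 64-bit key ID."""
    lid = normalize_hex(long_id)
    if len(lid) != 16:
        raise ValueError("a long key ID is 16 hex digits")
    return lid[-8:]


def is_safe_key_reference(ident: str) -> bool:
    """Policy from the post: only 64-bit key IDs or full fingerprints are
    acceptable ways to name a key; 32-bit IDs are rejected."""
    try:
        h = normalize_hex(ident)
    except ValueError:
        return False
    return len(h) in (16, 40)


# Matches lines such as "pub   1024D/70096AD1 2005-12-28" (older gpg --list-keys format).
PUB_LINE = re.compile(
    r"^pub\s+(\d+)([A-Za-z])/([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})"
)


def find_ambiguous_short_ids(listing: str) -> Dict[str, List[str]]:
    """Parse 'pub' lines from a gpg --list-keys style listing and return every
    short key ID that resolves to more than one key, mapped to the
    size/algorithm tags of the colliding keys."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in listing.splitlines():
        m = PUB_LINE.match(line.strip())
        if not m:
            continue
        bits, algo, key_id, _created = m.groups()
        seen[key_id.upper()[-8:]].append(f"{bits}{algo}")
    return {sid: keys for sid, keys in seen.items() if len(keys) > 1}


# Constructed listing mirroring the post's "Now you have two:" output, plus one
# unrelated key so the detector has something it should not flag.
SAMPLE_LISTING = """\
pub   1024D/70096AD1 2005-12-28
uid                  Asheesh Laroia <asheesh@asheesh.org>
pub   4096R/70096AD1 2011-03-11
uid                  Asheesh Laroia <asheesh@asheesh.org>
pub   2048R/0123ABCD 2010-01-01
"""

if __name__ == "__main__":
    for lid in LONG_IDS_FROM_POST:
        print(lid, "-> short ID", short_id_from_long(lid))
    print("ambiguous short IDs:", find_ambiguous_short_ids(SAMPLE_LISTING))
```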
  25. RootkitRevealer v1.71
      By Bryce Cogswell and Mark Russinovich
      Published: November 1, 2006

      Introduction
      RootkitRevealer is an advanced rootkit detection utility. It runs on Windows XP (32-bit) and Windows Server 2003 (32-bit), and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!
      The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.

      What is a Rootkit?
      The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

      Persistent Rootkits
      A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

      Memory-Based Rootkits
      Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

      User-mode Rootkits
      There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries. The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

      Kernel-mode Rootkits
      Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.

      Download: http://download.sysinternals.com/Files/RootkitRevealer.zip
      Source: RootkitRevealer
      Via: Top 3 Tools To Remove Rootkits and Prevent Them from Infecting Your PC