http://www.emailbattles.com/archive/battles/virus_aaddcefedj_d/
What’s this kernel mode bot?
Cheers
Hi guruh,
Very interesting link, guruh, good find, and thanks for the heads up on this malware.
This bot can be detected by a good NIDS, like System Safety Monitor. This intrusion detection system monitoring program gets all rootkits & variants. Furthermore, droppers cannot drop this malware if you surf without admin rights. Two important precautions you have to take when you are online on “unknown” terrain.
Read about malicious bot developments here:
http://www.symantec.com/avcenter/reference/the.evolution.of.malicious.irc.bots.pdf
greets,
polonus
Hi malware fighters,
Windows rootkits are normally made up of a combination of "usermode" rootkits that run as normal applications (possibly via an injected dll) and "kernelmode" rootkits, which are actually device drivers running under System Rights. The kernel mode rootkit hides files and network communications, and the more advanced varieties have a kernel mode backdoor. This rarely means that all functionality comes bundled into the driver (sys file), making the rootkit, at least when it is active, very hard to detect.
The attacker will not have all functionality inside the driver, but needs additional usermode applications for items like ftp servers, irc bots, etc. The developer of this standalone kernel mode bot now developed a proof of concept for a kernel mode driver in which all of these tools come combined. It was just published for development. It means that in rootkit terms malware authors can now change “from a bike to a car”.
I foresee a complete new development in bot nets, when this animal appears “in the wild”.
polonus
PS: Here: http://www.rootkit.com/board.php?thread=6135&did=edge452&disp=6135 you can read that we are out in the trenches.
D.
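The post above describes a kernel mode rootkit that hides files, processes and network connections from the usual Windows views. The standard defensive answer is cross-view detection: enumerate the same objects through a low-level path and a high-level path and flag whatever only the low-level view sees. The following is an added example, not code from the thread or from any tool named in it; the two views and the entries in them are constructed sample data (a hypothetical `bot.exe`, a driver file and an IRC port), and the persistence check across two snapshots is there to filter out processes that simply exited between the two enumerations.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str   # "process", "file" or "socket"
    key: str    # "pid:name", a file path, or "proto:port"


def hidden_entries(low_view: set[Entry], high_view: set[Entry]) -> set[Entry]:
    """Objects present in the low-level enumeration but absent from the
    high-level one (the view a user sees in Task Manager, Explorer or netstat).
    Each such entry is a candidate for rootkit hiding."""
    return low_view - high_view


def persistent_hidden(rounds: list[tuple[set[Entry], set[Entry]]]) -> set[Entry]:
    """Keep only entries hidden in every round. A process that exited between
    the low and high snapshots of one round shows up as hidden once, but not
    again in the next round, so it drops out of the intersection."""
    result: set[Entry] | None = None
    for low, high in rounds:
        hidden = hidden_entries(low, high)
        result = hidden if result is None else result & hidden
    return result or set()


def demo_result() -> set[Entry]:
    # Constructed sample data: the rootkit hides bot.exe, its driver file and
    # its IRC connection; notepad.exe is a legitimate process that exits
    # between the two snapshots of round 1.
    hidden_by_rootkit = {
        Entry("process", "1337:bot.exe"),
        Entry("file", r"C:\Windows\System32\drivers\sample_rootkit.sys"),
        Entry("socket", "tcp:6667"),
    }
    legit = {Entry("process", "4:System"), Entry("process", "412:svchost.exe")}
    transient = {Entry("process", "2048:notepad.exe")}

    round1 = (legit | transient | hidden_by_rootkit, set(legit))  # notepad exited
    round2 = (legit | hidden_by_rootkit, set(legit))
    return persistent_hidden([round1, round2])
```

On a real system the low-level view would come from a kernel-level or raw enumeration and the high-level view from the normal Win32 APIs; the comparison logic stays the same.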