Malware Creators Are Quite Clever, You Know...

Brian Long
Brian Long Training & Consultancy Services
brian@blong.com
http://blong.com
Malware

Malware = software that has a malicious purpose or behaves maliciously:
- Worms
- Viruses
- Adware
- Spyware
- Exploit tools
- Backdoor servers
- Spreaders
- Rootkits
Malware

- Malware typically arrives through some exploit
- Backdoors are planted
- Stuff may get broken
- Data may be stolen
- Host facilities may be consumed parasitically
Malware

- Continued existence and stealth achieved through rootkits
- Terminology dates back some way, to Unix
- Rootkits hide stuff:
  - Files
  - Directories
  - Registry keys/entries
  - Processes
  - and so on
Malware

- Rootkits are low-level, high-tech nasties
- Some use kernel-mode code installed through a driver
- Some achieve what they need to at user mode
- Various approaches implemented successfully
- Regular toolkit will not see rootkits
- Rootkit deployment is increasing rapidly
Case Study

- Live web server
- Locked away in a shed somewhere
- Only access via Remote Desktop
- Something seemed funny, hence the call
- Dodgy IP activity, but... nothing visible
Case Study

- Turned out to be a skilled hacker's P2P system
- 26.5GB of music and video files being distributed around an IRC crew on the quiet
- Rootkit installed
- Disk space faked
- Everything hidden
- Customer very surprised to see it all spill out into the open
Malware

- Common implementation language is Delphi
- If not, C++ or assembly language, with lots of inline assembly
- Microsoft are getting on the case: http://research.microsoft.com/rootkit
- Sysinternals.com are getting on the case: http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
B.L.E.A.C.H.

Infected by adware? Having trouble removing spyware? Suspect you have some malware?

You need to clean your system with BLEACH*. BLEACH* is the quick and effective way to rid yourself of unwanted and malicious software on your Windows desktop, LAN servers and Web servers.

Enquiries to brian@blong.com

* Brian Long Elbows Away Computer Hackers
Thank you

Brian Long
brian@blong.com
http://blong.com

p|-|34|2 |v|'/ 1337 $|<!11z