A forum for reverse engineering, OS internals and malware analysis 

 #17598  by EP_X0FF
 Fri Jan 04, 2013 5:06 pm
Hi,

thanks for sharing, it is of course interesting, since no one else is doing anything in public now and ITW malware rootkits have become boring or died / stopped evolving.
It seems that in this rootkit you reimplemented your old regbd idea dating back to 2006(?) + added a feature you previously released (https://github.com/Cr4sh/DrvHide-PoC/bl ... driver.cpp, was discussed earlier http://www.kernelmode.info/forum/viewto ... f=11&t=574). Good job overall.

Kind Regards.
 #17601  by Cr4sh
 Fri Jan 04, 2013 5:44 pm
EP_X0FF wrote: reimplemented your old regbd idea dating back to 2006(?)
No, it's a completely different research motivation and background; also, the new rootkit doesn't modify anything except a few registry values at all. It blindly exploits a zero-day vulnerability in win32k.sys for startup from the system registry at OS boot.
 #17602  by EP_X0FF
 Fri Jan 04, 2013 6:03 pm
Cr4sh wrote:
EP_X0FF wrote: reimplemented your old regbd idea dating back to 2006(?)
No, it's a completely different research motivation and background; also, the new rootkit doesn't modify anything except a few registry values at all. It blindly exploits a zero-day vulnerability in win32k.sys for startup from the system registry at OS boot.
Thanks for the clarification. What do you think about a different method of startup, in case this bug gets patched? While keeping the registry as the rootkit's home. I assume, since it was a public talk, this zero-day may already have been reported to MSRC?
 #17604  by Cr4sh
 Fri Jan 04, 2013 6:18 pm
EP_X0FF wrote: What do you think about a different method of startup, in case this bug gets patched?

There are a lot of similar bugs and attack vectors.
EP_X0FF wrote: While keeping the registry as the rootkit's home. I assume, since it was a public talk, this zero-day may already have been reported to MSRC?
Just because such rootkits are not for mass-spreading malware.
 #17605  by EP_X0FF
 Fri Jan 04, 2013 6:30 pm
Cr4sh wrote: There are a lot of similar bugs and attack vectors.
I thought so, win32k is a complete bugfest :) The latest fun denial-of-service bug with nested windows and hit-testing, for example, was published a week ago.

As for discardable section hiding, have you changed this method in any way for this rootkit, compared to your initial release? Sorry, being too lazy to look and compare the sources.