r3shl4k1sh wrote: Alex wrote: Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change the fact that it is easier to detect and clean it than some older bootkits (see real Mebroot for example).
IMO: Once you detect that it's there you probably won't leave it alone, so why does the attacker need to care about it?
Because AV scanners mostly scan files/folders/startup locations by accessing the disk, so they can then use a signature matcher/other modules working with the read data. Inability to remove is in most cases a side effect of the filtering used to "hide" the actual data from scanners. Quick example from the past. The TDL3 injected dll was detected by memory scan by some AV, but the infected driver was not detected, as I/O requests were filtered by the rootkit. The scanner reports to the user that he has an infection on the computer, then the scanner "neutralizes" the malware in memory, asks for a reboot (as it cannot safely unmap all dll code), the computer reboots - TDL3 starts up, injects the dll -> the scanner again reports the infection. The user panics and starts to create topics on internet forums - "invincible virus, please help", "gpu paravirtualization rootkit", "am i infected with blue pill?" etc.
Plus that active "antiremoval feature" adds +$$$$ to the malware price, as most of its users are too dumb to even properly configure their webshits.
As for bootkits overall - they are all mediocre shit, with the most advanced setting their I/O filters on the disk port driver level and exploiting the computer boot scheme in different ways (MBR/VBR with variations).