A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18731  by kmd
 Thu Mar 28, 2013 3:52 am
@EP_X0FF

thx
I think a number of HIPS will allow writing that way.

And another question:

If you read the ESET article about Gapz, they mentioned ELAM is bad in relation to bootkits.

Opinions?
 #18732  by EP_X0FF
 Thu Mar 28, 2013 4:28 am
kmd wrote:And another question:

If you read the ESET article about Gapz, they mentioned ELAM is bad in relation to bootkits.
lolwut?

I didn't notice it earlier.

ELAM was created for ISVs, so they would be able to load their drivers before "boot" drivers and would be able to control the loading of other boot drivers; in simple words: to give a safe, documented way to start first in the driver boot chain. It wasn't designed to fight against bootkits. He stated this and could have stopped at this point. But no, next you can see an example of crappy AV promotion -> a security researcher from an AV company shows the OS vendor as if it is lacking security in its newly implemented security feature. Yes, they are all idiots, and only at ESET are there real specialists.

ELAM was designed to be a part of the Windows NT 6.2 secure boot architecture, not a standalone feature. The "Secure Boot" protocol, which is part of UEFI 2.3.1, is what was designed to address bootkits.

Overall I suggest the author RTFM next time before posting such a crappy AV article.
 #18881  by Alex
 Tue Apr 09, 2013 7:24 pm
Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change the fact that it is easier to detect and clean than some older bootkits (see the real Mebroot for example).
 #18882  by r3shl4k1sh
 Tue Apr 09, 2013 8:11 pm
Alex wrote:Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change the fact that it is easier to detect and clean than some older bootkits (see the real Mebroot for example).
IMO: Once you detect that it's there you probably won't leave it alone, so why does the attacker need to care about it?
 #18886  by EP_X0FF
 Wed Apr 10, 2013 7:00 am
r3shl4k1sh wrote:
Alex wrote:Maybe Gapz is "the most complex bootkit seen so far in the wild", but it doesn't change the fact that it is easier to detect and clean than some older bootkits (see the real Mebroot for example).
IMO: Once you detect that it's there you probably won't leave it alone, so why does the attacker need to care about it?
Because AV scanners mostly scan files/folders/startup locations by accessing the disk, so that they can next use a signature matcher/other modules working with the read data. Inability to remove is in most cases a side effect of the filtering used to "hide" the actual data from scanners. Quick example from the past: the TDL3 injected dll was detected by memory scan by some AV, but the infected driver was not detected, as I/O requests were filtered by the rootkit. The scanner reports to the user that he has an infection on the computer, then the scanner "neutralizes" the malware in memory and asks for a reboot (as it cannot safely unmap all dll code), the computer reboots - TDL3 starts up, injects the dll -> the scanner again reports the infection. The user panics and starts to create topics on internet forums - "invincible virus, please help", "gpu paravirtualization rootkit", "am i infected with blue pill?" etc.

Plus that active "anti-removal feature" gives +$$$$ to the malware price, as most of its users are too dumb to even properly configure their webshits.

As for bootkits overall - they are all mediocre shit, where the most advanced set their I/O filters at the disk port driver level and exploit the computer boot scheme in different ways (MBR/VBR with variations).
 #19072  by eyer
 Thu Apr 25, 2013 4:03 am
I was only able to get the first Gapz.a dropper to infect WinXP & Win7x64SP1.
The 2nd one infected only Win7x64SP1.
Gapz.b: no infection on xpsp3.

Did you guys observe anything differently?
 #19078  by eyer
 Fri Apr 26, 2013 1:11 am
Is Gapz.b even a rootkit? On Win7 it only creates an Autorun key to launch itself :\!
 #19079  by EP_X0FF
 Fri Apr 26, 2013 1:20 am
eyer wrote:Is Gapz.b even a rootkit? On Win7 it only creates an Autorun key to launch itself :\!
What is your test hardware configuration btw? What is "Gapz.b"? Use hashes instead of non-meaningful names. Except for the explorer trick, this sad shit is totally uninteresting.