A forum for reverse engineering, OS internals and malware analysis 

 #19163  by EP_X0FF
 Thu May 02, 2013 1:14 pm
kmd wrote:
EP_X0FF wrote: Since the authors of this crapware were really dumb, they decided to mirror these changes to the disk at the I/O filter level, leaving the port driver file on disk untouched.
There must be some reason for this, isn't there?
Yes, sure. This is how they added compatibility with inline hook scanning: by making the copy of the modified code look mirrored, as if it was read from disk. No differences, no warnings. Pretty idiotic, however, as they are giving everybody the ability to detect it. What was the point of the lolkit then? As always, the authors of such shit suffer from a lack of common sense.
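The post above describes the trick and why it backfires: the rootkit patches the port driver's code in memory and has its I/O filter answer file reads with the same patched bytes, so a scanner that compares the mapped image against the file sees no difference, while anyone who compares the file read through the normal path against a trusted copy of the genuine file catches it at once. The following is an added example in C, not code from the thread or from the rootkit, simulating that scenario on constructed bytes: `clean_section`, the 5-byte jump patch, and FNV-1a as the stand-in for a trusted hash are all assumptions for illustration; the real reference would come from an out-of-band source such as a signed catalog, a raw sector read below the filter, or a clean copy of the driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A differing byte range between two views of the same image. */
typedef struct { size_t offset; size_t length; } diff_range_t;

/* Walk two equal-length buffers and collect the runs of bytes that differ.
 * This is the core of a naive inline-hook scanner: compare the code section
 * mapped in memory against the same section as read back from the file.
 * Returns the number of ranges found (only the first max_ranges are stored). */
size_t diff_ranges(const uint8_t *a, const uint8_t *b, size_t n,
                   diff_range_t *out, size_t max_ranges)
{
    size_t count = 0, i = 0;
    while (i < n) {
        if (a[i] == b[i]) { i++; continue; }
        size_t start = i;
        while (i < n && a[i] != b[i]) i++;
        if (count < max_ranges) { out[count].offset = start; out[count].length = i - start; }
        count++;
    }
    return count;
}

/* FNV-1a 64-bit: stands in (assumption) for a trusted hash of the genuine driver file. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed sample: 16 bytes standing in for the start of a port driver's
 * code section. Not real driver bytes. */
#define SECTION_LEN 16
static const uint8_t clean_section[SECTION_LEN] = {
    0x48,0x89,0x5c,0x24,0x08, 0x48,0x89,0x74,0x24,0x10, 0x57,0x48,0x83,0xec,0x20,0x90 };

/* Write a 5-byte E9 rel32 jump over the entry: what the rootkit does to the mapped image. */
void apply_inline_jmp(uint8_t *section, int32_t rel)
{
    section[0] = 0xe9;
    memcpy(section + 1, &rel, 4);
}

/* The naive scanner's verdict: number of differing ranges between the memory
 * view and whatever a file read returns. 0 means "no hooks". */
size_t inline_hook_scan(const uint8_t *mem, const uint8_t *file_view, size_t n)
{
    diff_range_t r[8];
    return diff_ranges(mem, file_view, n, r, 8);
}

/* The check the mirroring filter cannot pass: hash the file bytes as the normal
 * read path returns them and compare against a trusted hash of the genuine file
 * obtained without going through that filter. */
int mirror_detected(const uint8_t *file_view, size_t n, uint64_t trusted_hash)
{
    return fnv1a64(file_view, n) != trusted_hash;
}

/* Drive the whole scenario; returns 1 if the mirrored file read was caught
 * while the naive memory-vs-file scan stayed silent. */
int demo(void)
{
    uint8_t mem[SECTION_LEN], mirrored_file[SECTION_LEN];
    memcpy(mem, clean_section, SECTION_LEN);
    apply_inline_jmp(mem, 0x1000);            /* rootkit patches the mapped driver   */
    memcpy(mirrored_file, mem, SECTION_LEN);  /* filter answers reads with those bytes */

    uint64_t trusted = fnv1a64(clean_section, SECTION_LEN); /* the untouched file on disk */

    size_t naive_vs_clean  = inline_hook_scan(mem, clean_section, SECTION_LEN);  /* 1 range  */
    size_t naive_vs_mirror = inline_hook_scan(mem, mirrored_file, SECTION_LEN);  /* 0 ranges */
    int caught = mirror_detected(mirrored_file, SECTION_LEN, trusted);           /* 1        */

    printf("naive scan vs real file: %zu range(s); vs mirrored read: %zu; mirror caught: %d\n",
           naive_vs_clean, naive_vs_mirror, caught);
    return caught && naive_vs_mirror == 0 && naive_vs_clean == 1;
}

int main(void) { return demo() ? 0 : 1; }
```

The design point is the one the post makes: a memory-versus-file comparison trusts the file read, so anything that controls the read path can silence it, whereas a comparison against a reference the filter does not sit in front of turns the mirroring itself into the indicator.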
 #19174  by EP_X0FF
 Fri May 03, 2013 8:33 am
radikal wrote: What userland injection methods does it use to bypass HIPS? I guess the same as Gapz?
And why should it? There is MS11-080 and UAC COM elevation (in the authors' view, those are 0days), plus infecting a system driver with shellcode, forcing it to load, and continuing to load the actual malware kernel-mode driver from it. This rootkit is sad shit and full of bugs. Due to the mad-skillz copy-paste level of its developers, it is incompatible with several disk controllers, resulting in a 100% BSOD after a few minutes of work. A very "stable and efficient" piece of shit.