Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
May the source be with you!

Tuesday, July 28, 2009

Malware classification proposal

Thanks to Joanna Rutkowska:
Type 0: Malware which doesn't modify the OS in any undocumented way, nor any other process (non-intrusive)
Type I: Malware which modifies things which should never be modified (e.g. kernel code, a BIOS whose hash is stored in the TPM, MSR registers, etc.)
Type II: Malware which modifies things which are designed to be modified (DATA sections)
  • Type 0 is not interesting for us
  • Type I malware is/will always be easy to spot
  • Type II is/will be very hard to find
Type I malware examples
  • Hacker Defender (and all commercial variations)
  • Sony Rootkit
  • Apropos
  • Adore (although the syscall table is not part of the kernel code section, it's still a thing which should not be modified!)
  • Suckit
  • Shadow Walker – Sherri Sparks and Jamie Butler
    • Although the IDT is not a code section (actually it's inside an INIT section of ntoskrnl), it's still something which is not designed to be modified!
    • However, it *may* be possible to convert it into a Type II (which would be very scary)
Type II malware examples
  • NDIS network backdoor in NTRootkit by Greg Hoglund (however, easy to spot because it adds its own NDIS protocol)
  • Klog by Sherri Sparks – "polite" IRP hooking of the keyboard driver; appears in the device tree (but you need to know where to look)
  • He4Hook (only some versions) – raw IRP hooking of the file-system driver
  • prrf by palmers (Phrack 58!) – smart manipulation of Linux procfs data to hide processes (could be extended to hiding arbitrary files by hooking VFS data structures)
  • FU by Jamie Butler
  • PHIDE2 by 90210 – a very sophisticated process hider, but still easily detectable with X-VIEW...
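As an added illustration (my own example, not code from the original post or from Rutkowska's work), the following Python model shows why the taxonomy above separates "easy to spot" from "very hard to find": a Type I change (kernel code, syscall table, IDT) is caught by hashing regions that must never change against a trusted baseline, whereas a Type II change such as FU-style unlinking of a process structure leaves every hash intact and only shows up when two independent views of the same fact are compared, which is the cross-view idea behind the X-VIEW remark. Region names, PIDs and byte contents are constructed stand-ins for this model, not real kernel structures.

```python
import hashlib

# Policy: regions a running OS never legitimately rewrites.  Names are
# hypothetical labels for this model, not real kernel symbols.
IMMUTABLE_REGIONS = {"kernel_text", "syscall_table", "idt"}


def region_hash(data):
    """SHA-256 of a region's bytes; any change to an immutable region changes this."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(clean_snapshot):
    """Record the hash of every immutable region from a trusted snapshot."""
    return {name: region_hash(clean_snapshot[name])
            for name in sorted(IMMUTABLE_REGIONS) if name in clean_snapshot}


def type_i_findings(snapshot, baseline):
    """Immutable regions whose current hash no longer matches the baseline (Type I)."""
    return sorted(name for name, expected in baseline.items()
                  if region_hash(snapshot.get(name, b"")) != expected)


def walk_process_list(head_pid, next_of):
    """Enumerate PIDs by following 'next' links, as a list-walking tool would.
    The loop guard stops on cycles so a corrupted list cannot hang the checker."""
    seen, pid = [], head_pid
    while pid is not None and pid not in seen:
        seen.append(pid)
        pid = next_of.get(pid)
    return seen


def cross_view_findings(list_walk, scheduler_pids):
    """PIDs an independent view (scheduler table) knows but the list walk omits.
    Type II changes leave the data structurally valid, so hashing is useless;
    only a second vantage point exposes the discrepancy."""
    return sorted(set(scheduler_pids) - set(list_walk))


def classify(snapshot, baseline, head_pid, next_of, scheduler_pids):
    """Return the Type I and Type II findings for one observed system state."""
    return {
        "type_i": type_i_findings(snapshot, baseline),
        "type_ii_hidden_pids": cross_view_findings(
            walk_process_list(head_pid, next_of), scheduler_pids),
    }


# ---- Constructed sample data (not from any real system) ----
CLEAN = {
    "kernel_text": b"\x55\x48\x89\xe5" * 32,                       # stand-in for code bytes
    "syscall_table": b"".join(i.to_bytes(8, "little") for i in range(16)),
    "idt": bytes(range(64)),
    "scratch_data": b"counters that change all the time",  # mutable, never hashed
}
BASELINE = build_baseline(CLEAN)

# Scenario A (Type I): one syscall table slot now points somewhere else.
_patched = bytearray(CLEAN["syscall_table"])
_patched[0:8] = (0xFFFF).to_bytes(8, "little")
TYPE_I_STATE = dict(CLEAN, syscall_table=bytes(_patched))

# Scenario B (Type II): code and tables untouched, but PID 1337 was unlinked
# from the process list while the scheduler still runs it (DKOM-style hiding).
NEXT_OF_CLEAN = {4: 100, 100: 1337, 1337: 2048, 2048: None}
NEXT_OF_UNLINKED = {4: 100, 100: 2048, 2048: None}
SCHEDULER_PIDS = {4, 100, 1337, 2048}

if __name__ == "__main__":
    print("Type I scenario :", classify(TYPE_I_STATE, BASELINE, 4, NEXT_OF_CLEAN, SCHEDULER_PIDS))
    print("Type II scenario:", classify(CLEAN, BASELINE, 4, NEXT_OF_UNLINKED, SCHEDULER_PIDS))
```

Running it reports `syscall_table` for the first scenario and nothing from the hashes for the second; PID 1337 only appears in the cross-view result. That asymmetry is the whole point of the taxonomy: the detector for Type I is a fixed policy plus a hash, while a Type II detector has to know which second view to consult for every data structure the malware might legitimately-looking rewrite.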
