Type 0: Malware which doesn’t modify the OS in any undocumented way, nor any other process (non-intrusive)
Type I: Malware which modifies things which should never be modified (e.g. kernel code, a BIOS whose hash is stored in the TPM, MSR registers, etc.)
Type II: Malware which modifies things which are designed to be modified (DATA sections)
- Type 0 is not interesting for us
- Type I malware is/will always be easy to spot
- Type II is/will be very hard to find
Type I malware examples
- Hacker Defender (and all commercial variations)
- Sony Rootkit
- Apropos
- Adore (although the syscall table is not part of the kernel code section, it’s still a thing which should not be modified!)
- Suckit
- Shadow Walker – Sherri Sparks and Jamie Butler
- Although the IDT is not a code section (actually it’s inside an INIT section of ntoskrnl), it’s still something which is not designed to be modified!
- However it *may* be possible to convert it into a Type II (which would be very scary)
Type II malware examples
- NDIS network backdoor in NTRootkit by Greg Hoglund (however easy to spot, because it adds its own NDIS protocol)
- Klog by Sherri Sparks – “polite” IRP hooking of keyboard driver, appears in DeviceTree (but you need to know where to look)
- He4Hook (only some versions) – Raw IRP hooking on fs driver
- prrf by palmers (Phrack 58!) – Linux procfs smart data manipulation to hide processes (possibility to extend to arbitrary files hiding by hooking VFS data structures)
- FU by Jamie Butler
- PHIDE2 by 90210 – a very sophisticated process hider, but still easily detectable with X-VIEW...
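The two detection ideas behind this split, as an added illustration that is not part of the original post: a hash baseline over regions that must never change catches Type I modifications (code, IDT, syscall table) but says nothing about Type II, which only touches DATA, while a cross-view comparison of the kind X-VIEW does (linked-list walk versus raw structure scan) exposes a DKOM-style hidden process. The region contents, PIDs and the `baseline`/`check_integrity`/`cross_view` helpers are constructed for the example.

```python
import hashlib

def baseline(regions):
    """Record a hash of every region the taxonomy says must never change
    (kernel code, IDT, syscall table): the Type I targets."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, (mutable, data) in regions.items() if not mutable}

def check_integrity(baseline_hashes, regions):
    """Names of immutable regions whose current hash differs from the baseline."""
    return sorted(name for name, digest in baseline_hashes.items()
                  if hashlib.sha256(regions[name][1]).hexdigest() != digest)

def cross_view(api_view, scan_view):
    """Cross-view diff: PIDs found by a raw scan of process structures but
    missing from the linked-list walk the normal API reports (the X-VIEW idea)."""
    return sorted(set(scan_view) - set(api_view))

# Constructed snapshot: name -> (legitimately mutable?, contents). Real bytes
# would come from a memory image; these stand-ins are hypothetical.
CLEAN = {
    "ntoskrnl.text": (False, b"\x48\x8b\x05\x00\x10\x00\x00\xc3"),
    "idt":           (False, bytes(range(32))),
    "syscall_table": (False, b"\x10\x20\x30\x40\x50\x60\x70\x80"),
    "eprocess_list": (True,  b"\x04\x00\x64\x00\x92\x10"),  # DATA: changes constantly
}
# Type I: one syscall table entry overwritten (Adore/Suckit style).
TYPE_I = dict(CLEAN, syscall_table=(False, b"\x10\x20\x30\xff\x50\x60\x70\x80"))
# Type II: only a DATA structure changes, one process unlinked (FU/PHIDE2 style).
TYPE_II = dict(CLEAN, eprocess_list=(True, b"\x04\x00\x64\x00"))

# Process views for the Type II case: the list walk misses PID 4242,
# a scan for every EPROCESS-like structure does not.
API_VIEW  = [4, 100]
SCAN_VIEW = [4, 100, 4242]

if __name__ == "__main__":
    base = baseline(CLEAN)
    print("Type I  flagged:", check_integrity(base, TYPE_I))          # ['syscall_table']
    print("Type II flagged:", check_integrity(base, TYPE_II))         # []
    print("Cross-view hidden PIDs:", cross_view(API_VIEW, SCAN_VIEW))  # [4242]
```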