Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43431
  • Total Topics: 16526
  • Online today: 2962
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 1
Guests: 2842
Total: 2843









Post reply

Name:
Email:
Subject:
Message icon:

Verification:
Type the letters shown in the picture
Listen to the letters / Request another image

Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

shortcuts: hit alt+s to submit/post or alt+p to preview


Topic Summary

Posted by: Samker
« on: 15. July 2012., 07:10:48 »

Thanks for warning pal.  :thumbsup:
Posted by: Pez
« on: 11. July 2012., 09:47:02 »


ZeroAccess Misleads Memory-File Link

ZeroAccess, a kernel-mode rootkit, recently shifted its infection technique from kernel mode to user mode. (For more on ZeroAccess, which turns infected systems into a peer-to-peer botnet, read these posts from my colleagues Peter Szor and Aditya Kapoor.) Even in user mode, ZeroAccess can maintain its presence on an infected system.

ZeroAccess implements what I call file disassociation, which means it modifies memory-loaded objects into a file—in this case either explorer.exe or services.exe. This association of memory into a file is basically stored through LDR_DATA_TABLE_ENTRY. (For more on file-/memory-disassociation techniques, see our Virus Bulletin entry Predicting The Future of Stealth Attacks.)

LDR_DATA_TABLE_ENTRY is a process structure under Windows that works similarly to a table of contents or index of a book. All programs, libraries, and other files used by a running application are tracked under this double-linked list process structure in memory. (Click here for a general overview on Windows processes.)

ntdll!_LDR_DATA_TABLE_ENTRY
               +0×000 InLoadOrderLinks : _LIST_ENTRY
              +0×008 InMemoryOrderLinks : _LIST_ENTRY
              +0×010 InInitializationOrderLinks : _LIST_ENTRY
              +0×018 DllBase : Ptr32 Void
              +0x01c EntryPoint : Ptr32 Void
              +0×020 SizeOfImage : Uint4B
              +0×024 FullDllName : _UNICODE_STRING
                            +0×000 Length :
                            +0×002 MaximumLength :
                            +0×004 Buffer :
              +0x02c BaseDllName : _UNICODE_STRING
              +0×034 Flags : Uint4B
              ……..

ZeroAccess acquires its own LDR_DATA_TABLE_ENTRY via the API LdrFindEntryForAddress.

              .text:4567187D lea eax, [ebp+arg_0]
              .text:45671880 push eax
              .text:45671881 push [ebp+arg_0]
              .text:45671884 call dword ptr ds:LdrFindEntryForAddress
; acquires its own LDR_DATA_TABLE_ENTRY in the process

Once acquired, ZeroAccess verifies the length and does a wide-character-string copy of the hardcoded string “c:\\windows\system32\\n” into the FullDllName.Buffer

              .text:45671891 cmp word ptr [eax+24h], 2Ch ; check length
              .text:45671896 jb short loc_456718B2
              .text:45671898 push offset aCWindowsSystem ; “c:\\windows\\system32\\n”
              .text:4567189D push dword ptr [eax+28h] ; wchar_t * – buffer
              .text:456718A0 call ds:wcscpy

ZeroAccess has two key tactics. It:

•Fools users into thinking the malware is hidden in “c:\windows\system32\n”
•Removes references to the malware’s location as seen in process memory
McAfee antimalware products will detect and clean this threat from infected systems. As always, keep your products updated to protect against such threats.



Orginal article: Tuesday, July 10, 2012 at 9:24am by Lennard Galang

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023