le blog security
http://security.over-blog.com/
Atom 1.0 feed (generator: over-blog.com), feed timestamp 2006-01-18T17:23:59Z

Last News
Link: http://security.over-blog.com/article-15899846.html
Feed dates: 2008-01-22T18:20:26Z, 2008-01-22T18:13:00Z
Blog discontinued... 1000 sorry! Hope that visitors have enjoyed the stuff... Visit kareldjag.over-blog for more news in the near future :)

Rootkit test 3
Link: http://security.over-blog.com/article-3548107.html
Feed dates: 2007-09-17T18:23:30Z, 2007-12-30T22:34:00Z
Author: Kareldjag (http://www.over-blog.com/profil/blogueur-348303.html)
Screenshot: http://idata.over-blog.com/0/22/17/61/janv/kavjagfin/tracerkdem2.jpg
Rootkit technologies, detection and prevention:
- with Rootkit Demo 1.2: this Russian demo is designed to hide its presence and to make the speaker beep. RKDemo does not use a particular hiding method, but takes advantage of Windows functions (it returns an "error control" to the system). Moreover, this demo uses ...

METHODOLOGY Part 2
Link: http://security.over-blog.com/article-1633967.html
Feed dates: 2007-09-17T18:23:30Z, 2007-12-30T22:30:00Z
Author: Kareldjag
Screenshot: http://idata.over-blog.com/0/22/17/61/janv/mbrvirus-1.jpg
PART 2: IN THE WILD WITH REAL MALWARE
7) Boot sector/BIOS/MBR protection: MBR virus. When a computer is protected neither by a BIOS password nor by an antivirus (only a HIPS), an ill-intentioned person can easily boot the computer from an external drive and cause damage. This test just ...

Why some tests are done with HIPS disabled
Link: http://security.over-blog.com/article-3740592.html
Feed dates: 2007-09-17T18:23:30Z, 2007-12-30T22:22:00Z
Author: kareldjag
For some tests, we consider the HIPS as disabled. These tests cover the scenario where an ill-intentioned person wants to install malware (a backdoor, spy tools such as keyloggers, etc.) on a computer directly, with physical access. We consider that this person:
- has no access to the admin account (logged in as ...

METHODOLOGY Part 3
Link: http://security.over-blog.com/article-2210628.html
Feed dates: 2007-09-17T18:23:30Z, 2007-12-30T22:00:00Z
Author: kareldjag
Screenshot: http://idata.over-blog.com/0/22/17/61/tests/urlobsvsspguard.jpg
CLIENT/SERVER SIDE ATTACKS and other tests: here we distinguish attacks which occur via the browser from malware which infects the system.
NB: as some vulnerabilities could be patched at any time, the tests are run on Windows XP SP2 updated only until the end of 2005.
11. URL obfuscation: ...

METHODOLOGY Part 1
Link: http://security.over-blog.com/article-2915915.html
Feed dates: 2007-09-17T18:23:30Z, 2007-12-30T20:34:00Z
Author: Kareldjag
Screenshot: http://idata.over-blog.com/0/22/17/61/finfiles/method/executehookvsssm1.jpg
FIRST PART, based on behaviour (more screenshots here)
1a. Execution protection:
- with the Task Manager launched via Ctrl+Alt+Del
- via the Start > Run menu
- with srip32 launched by explorer.exe
- with shellcode for running notepad.exe and calc.exe (2 tools used ...

Oddysee Rootkit Test
Link: http://security.over-blog.com/article-4066034.html
Feed dates: 2007-09-17T18:23:30Z, 2006-10-08T18:00:00Z
Author: Kareldjag
Screenshot: http://idata.over-blog.com/0/22/17/61/odtest/odtest_odscan09.jpg
This rootkit is a pure "hider" (intrusion or hacker tool): it acts as a hidden service/driver. But it does not hide its registry keys, which makes it easy to detect for users who know their system well. In this example, we purposefully take the ...

Data theft tests 2
Link: http://security.over-blog.com/article-3548331.html
Feed dates: 2007-09-17T18:23:30Z, 2006-08-20T22:10:00Z
Author: Kareldjag
Screenshot: http://idata.over-blog.com/0/22/17/61/janv/kavkjag/datavol2_kavvssniff.jpg
Data theft via sniffing:
f. with a command-line sniffer (currently detected by no antivirus on VirusTotal): we run the sniffer locally and connect to the webmail.
g. with Sniffer (renamed, not detected by any antivirus on VirusTotal): we run the sniffer locally and connect to the webmail. Here the message hooks of ...

Data theft tests
Link: http://security.over-blog.com/article-3462648.html
Feed dates: 2007-09-17T18:23:30Z, 2006-08-07T22:28:00Z
Author: Kareldjag
Screenshot: http://idata.over-blog.com/0/22/17/61/janv/kavkjag/tdemo.jpg
Here we illustrate some data theft attacks which can really be used in the wild.
a. with trojan demo: this demo illustrates an "on-the-fly data theft attack": once executed, it launches calc.exe, lists the files in the My Documents folder and reports them (HTML) to ...

DefenseWall Test -- Overall
Link: http://security.over-blog.com/article-3088768.html
Feed dates: 2007-09-17T18:23:32Z, 2006-06-27T18:30:31Z
Authors: nicM and Kareldjag
OVERALL
Results and ratings:
* First part: 94 %: Excellent.
* Second part: 71.5 %: Very good.
* Third part: 23.5 %: Not sufficient.
Rating ...
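The Oddysee Rootkit Test above makes a point that is worth turning into a check: the driver hides from the service manager but leaves its registry keys in place, so the two views disagree. The script below is an added example, not a tool from the blog or from the Oddysee test, and shows that cross-view comparison: the service names reported by the service control manager (an abbreviated, constructed `sc query type= all` listing) against the immediate subkeys of HKLM\SYSTEM\CurrentControlSet\Services in a constructed .reg export. The hidden entry name `odysdrv` and its ImagePath are hypothetical placeholders; the page never gives the real key name.

```python
"""Cross-view check: services/drivers that have a registry key under the
Services key but are missing from the service manager's own enumeration.
Added example with constructed inputs; 'odysdrv' is a hypothetical name."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SERVICE_TYPES = {0x1: "kernel driver", 0x2: "file system driver",
                 0x10: "own-process service", 0x20: "shared-process service"}
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed sample: abbreviated `sc query type= all` output, i.e. what the
# service control manager is willing to report. The hidden driver is absent.
SCM_VIEW = """\
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
SERVICE_NAME: Tcpip
DISPLAY_NAME: TCP/IP Protocol Driver
SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
"""

# Constructed sample: .reg export of the Services key. The hidden driver still
# owns a subkey; Tcpip\Parameters is a nested key and must not count as a service.
REGISTRY_VIEW = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"="system32\\DRIVERS\\tcpip.sys"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Domain"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odysdrv]
"ImagePath"="\\??\\C:\\WINDOWS\\Temp\\odysdrv.sys"
"Start"=dword:00000002
"Type"=dword:00000001
"""


@dataclass
class RegService:
    name: str
    image_path: str = ""
    start: int = -1
    type_: int = 0


@dataclass
class Finding:
    name: str
    reason: str
    kind: str = ""
    start: str = ""
    image_path: str = ""


def parse_scm_view(text: str) -> Set[str]:
    """Lower-cased service names the service control manager reported."""
    return {m.group(1).lower()
            for m in re.finditer(r"^SERVICE_NAME:\s*(\S+)", text, re.M)}


def _reg_string(raw: str) -> str:
    """Decode a .reg quoted string: strip the quotes, unescape \\ and \"."""
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def parse_registry_services(text: str) -> Dict[str, RegService]:
    """Immediate subkeys of the Services key with ImagePath/Start/Type."""
    services: Dict[str, RegService] = {}
    prefix = SERVICES_KEY.lower() + "\\"
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(prefix):
                rest = key[len(prefix):]
                if rest and "\\" not in rest:  # skip nested keys (Tcpip\Parameters)
                    current = RegService(rest)
                    services[rest.lower()] = current
            continue
        if current is None or not line.startswith('"'):
            continue
        name, _, value = line.partition("=")
        name = name.strip('"').lower()
        if name == "imagepath" and value.startswith('"'):
            current.image_path = _reg_string(value)
        elif name == "start" and value.startswith("dword:"):
            current.start = int(value[6:], 16)
        elif name == "type" and value.startswith("dword:"):
            current.type_ = int(value[6:], 16)
    return services


def cross_view_diff(scm_names: Set[str],
                    reg_services: Dict[str, RegService]) -> List[Finding]:
    """Entries visible in exactly one view. A registry-only entry is what a
    hider that tampers with SCM enumeration but not the registry leaves behind."""
    findings: List[Finding] = []
    for key in sorted(set(reg_services) - scm_names):
        svc = reg_services[key]
        findings.append(Finding(
            name=svc.name,
            reason="registry key present, not reported by the service manager",
            kind=SERVICE_TYPES.get(svc.type_, f"type 0x{svc.type_:x}"),
            start=START_TYPES.get(svc.start, f"start {svc.start}"),
            image_path=svc.image_path))
    for key in sorted(scm_names - set(reg_services)):
        findings.append(Finding(name=key,
                                reason="reported by the service manager, no registry key"))
    return findings


if __name__ == "__main__":
    for f in cross_view_diff(parse_scm_view(SCM_VIEW),
                             parse_registry_services(REGISTRY_VIEW)):
        extra = f" [{f.kind}, {f.start} start, {f.image_path}]" if f.image_path else ""
        print(f"{f.name}: {f.reason}{extra}")
```

On a real XP box the two inputs come from `sc query type= all` and `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, both run on the suspect system. The check only works for a hider like the one the test describes, which leaves its keys visible; a rootkit that also filters registry enumeration will pass it, and the registry view then has to come from outside the running system (the hive read from clean boot media).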