I just spotted a scary looking rootkit project:
http://www.xfocus.net/tools/200602/uay_source.rar
This is written by a guy called Uay, and it has the makings of a powerful rootkit.
He has hooked the lowest-level point of networking in the kernel, the NDIS layer, which means he is invisible to software firewalls.
The rootkit at the moment will provide a "cmd.exe" style shell that supports commands such as cd, dir, copy, del using native APIs that are exported by ntoskrnl.exe.
I suspect it will also be invisible to most rootkit detectors, as he is not hiding anything like files, ports, etc. - although an NDIS hook detector will find it.
This reminds me of some ideas I had been working on recently - implementing malware purely in the kernel.
I've made an IRC bot that runs 100% in ring0 for fun, using Valerino's socket library for the kernel. Perhaps I will post it here some time soon...
Oh and on a closing note, check out Yorn's blog at: http://yorn.wordpress.com/
See ya.