Наш форум переведен в режим работы "только для чтения", публикация новых тем и сообщений недоступна. Мы искренне благодарны вам за то, что были с нами, но пришло время двигаться дальше. После официального ухода компании ESET с российского рынка мы приступили к разработке новых продуктов вместе с новыми партнёрами. Приглашаем вас присоединиться к нашему новому форуму PRO32.
Мы более не являемся эксклюзивным дистрибьютором программных продуктов словацкого разработчика ESET в России, Республике Беларусь, Казахстане, Азербайджане, Узбекистане, Кыргызстане, Таджикистане, Туркменистане, Молдове, Грузии и Армении.
Купить и продлить лицензии ESET на нашем сайте больше нельзя.
Предлагаем вам попробовать новые продукты компании PRO32.
PRO32 — это технологичные решения, надежная защита от киберугроз и максимальная производительность устройств. Для действующих клиентов ESET мы предлагаем промокод на скидку в размере 15% — ESET15. Скопируйте его и после добавления товара в корзину, не забудьте его применить в корзине.
| Цитата |
|---|
| TDL4: new bootkits stepping out My colleague Aleks Matrosov has come across an interesting if uncomfortable post on a Russian language forum, advertising a "Boot loader for drivers" currently under test that doesn't require a Digital Signature driver, which sounds very much like our old friend TDL4. This metamorphic malware (each build generates a fresh binary) loads before the start of PatchGuard. It's claimed to support all versions of Microsoft Windows, since XP including Windows 7 sp1, inclusive, and supports both x86 and AMD64 (EM64T). A mere $9000, which I guess gives you some idea of how much profit there is in this kind of "costly but effective" malcode. More info on TDL4 on the white papers page: The Evolution of TDL: Conquering x64 By Eugene Rodionov and Aleksandr Matrosov Defeating x64: The Evolution of the TDL Rootkit By Aleksandr Matrosov and Eugene Rodionov TDSS part 1: The x64 Dollar Question By Aleksandr Matrosov, Eugene Rodionov & David Harley TDSS part 2: Ifs and Bots By Aleksandr Matrosov, Eugene Rodionov & David Harley TDSS part 3: Bootkit on the other foot By Aleksandr Matrosov, Eugene Rodionov & David Harley Rooting about in TDSS By Aleksandr Matrosov & Eugene Rodionov Article first published in Virus Bulletin, October 2010. Copyright is held by Virus Bulletin Ltd, but is made available on ESET's white papers page for personal use free of charge, by permission of Virus Bulletin. |
| Цитата |
|---|
| TDSS and hacking the hackers Share If you've been following the research we've been publishing (spearheaded by my Russian colleagues Aleksandr Matrosov and Eugene Rodionov) you'll be aware that the TDL rootkit family doesn’t make use of OS’s own file system. Instead, it implements its own hidden storage for the payload, configuration files and so on. The hidden storage is located at the end of the hard drive and encrypted either with RC4 cipher or by XOR-ing with a hex constant. Recently, Aleks and Eugene released a new version of the tool they developed in the course of their research into the TDL family, which gives easy access to these hidden files. It handles TDL versions including TDL3/TDL3+, TDL4 (x86 and x64 versions), and the drivers and binary are all signed by ESET. They've also released a video demonstration of how to make use of the tool, and another video on debugging the bootkit component of TDL4 with IDA and Bochs, as demonstrated at the recent CONFidence 2011 conference in |
