Sunday, 30 November 2014

How does Regin hide running instances of itself?

I have been reading Symantec's and Kaspersky Lab's analyses of the Regin malware.

According to Symantec:

[Stage 2] can also hide running instances of Stage 1. Once this happens, there are no remaining plainly visible code artifacts.

As I understand it, Stage 1 is implemented as a Windows driver, and there is no safe way to unload a Windows driver without requiring a reboot (and even if there were, Stage 2 is itself another kernel driver).

Similarly, from what I can tell, there is no way (nor should there legitimately be one) to intercept and manipulate the list of running kernel drivers the way a rootkit might for a file on the file system.

So how does Stage 2 hide running instances of Stage 1? There seems to be little information on this online.

Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf (page 9)