Zeus removal with RogueKiller

How to remove Zeus variants (Citadel) with RogueKiller

Little analysis

Zeus is malware with banking and credential-stealing features. The payload (the malware file) is injected into several legitimate processes, possibly including your antivirus, and is loaded at boot time by a RUN key that calls the injector. The malware is […]


Userland rootkits: Part 1, IAT hooks

This is the first part of this series about userland rootkits. I wanted to write on it and demonstrate how some rootkits hide files by using IAT hooks.

This post is about a classic trick, known for decades. Malware specialists may know this already, so […]



RogueKiller V10 is here!

…With a brand new UI and a Premium version (beta)

No worries, the user experience is still the same (fortunately or unfortunately, that's up to you :)). Here's what it looks like:

What's new?

New UI, based on the Qt framework. All the forms have been redesigned, […]


Poweliks removal with RogueKiller

How to remove Poweliks with RogueKiller

EDIT 10/10/2014: Poweliks has a new variant. There is no longer a RUN key, only a CLSID hijack in HKEY_LOCAL_MACHINE\Software\classes\clsid\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32. Your reports should look like this (with the text in your own language):

¤¤¤ Processus malicieux : 1 ¤¤¤ (French for "Malicious processes: 1")
[Tr.Poweliks] dllhost.exe — C:\WINDOWS\system32\dllhost.exe[7] -> […]
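A check for the two persistence points these removal posts describe, as an added example that is not RogueKiller code or a script from the original posts: it walks the RUN keys the Zeus post names and every CLSID\{guid}\LocalServer32 default value (the Poweliks hijack, generalized past the one GUID quoted above, since the GUID can change between variants) and flags entries whose command points at a missing, unsigned or user-writable target, or runs through a script host. The heuristics, the list of script hosts and the inclusion of the HKCU hive are this example's own assumptions, not a Zeus or Poweliks signature.

```powershell
# Added example, not RogueKiller code. Enumerates the persistence points named in the
# Zeus (RUN keys) and Poweliks (CLSID\{guid}\LocalServer32) posts and flags entries worth
# a closer look. The heuristics below are this example's assumptions, not a malware signature.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# The post names HKLM; HKCU\Software\Classes is writable without admin rights, so audit both (assumption).
$clsidRoots = @('HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID')

function Get-ExePath {
    param([string]$Command)
    # '"C:\Program Files\x.exe" /arg' -> C:\Program Files\x.exe ; otherwise the first token
    $raw = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    return [System.Environment]::ExpandEnvironmentVariables($raw)
}

function Test-PersistenceEntry {
    param([string]$Location, [string]$Name, [string]$Command)
    $reasons = @()
    # Script hosts and LOLBins in an autostart command are how fileless loaders get executed
    if ($Command -match 'rundll32|regsvr32|mshta|powershell|wscript|cscript|javascript:|vbscript:') {
        $reasons += 'script/loader host in command'
    }
    $exe = Get-ExePath $Command
    if ([string]::IsNullOrWhiteSpace($exe) -or -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $reasons += "target not on disk: $exe"
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
        if ($exe -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            $reasons += 'target in a user-writable directory'
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command; Reasons = ($reasons -join '; ') }
    }
}

$findings = @()

# 1. RUN keys: the injector loader described in the Zeus/Citadel post starts from here
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # skip PSPath, PSParentPath, PSProvider, ...
        $r = Test-PersistenceEntry -Location $key -Name $p.Name -Command ([string]$p.Value)
        if ($r) { $findings += $r }
    }
}

# 2. CLSID\{guid}\LocalServer32: the Poweliks variant. Every LocalServer32 default value is
# examined, not only the GUID from the post, because the GUID can change between variants.
foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $ls = $_.PSPath + '\LocalServer32'
        if (Test-Path -LiteralPath $ls) {
            $cmd = (Get-ItemProperty -LiteralPath $ls).'(default)'
            if ($cmd) {
                $r = Test-PersistenceEntry -Location $ls -Name $_.PSChildName -Command ([string]$cmd)
                if ($r) { $findings += $r }
            }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated or normal PowerShell prompt; reading HKLM needs no elevation. A LocalServer32 value that invokes rundll32 with a javascript: or similar payload will show up under "script/loader host in command", and a Run entry whose target no longer exists, or lives under AppData or Temp, is reported with the reason, so the output is a review list rather than a verdict.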



KernelMode rootkits: Part 3, kernel filters

This is the third part of this series about kernel-mode rootkits. I wanted to write on it and demonstrate how some rootkits (e.g. keyloggers) intercept keystrokes by using kernel filters.

To understand the basics of kernel mode and drivers, please refer to the first part.

[…]


KernelMode rootkits: Part 2, IRP hooks

This is the second part of this series about kernel-mode rootkits. I wanted to write on it and demonstrate how some rootkits (e.g. TDL4) hijack disk access by using IRP hooks.

To understand the basics of kernel mode and drivers, please refer to the first part. […]



KernelMode rootkits: Part 1, SSDT hooks

This is the first part of this series about kernel-mode rootkits. I wanted to write on it and demonstrate how some rootkits (e.g. Necurs) hide their presence and protect themselves from removal by using SSDT hooks.

I'll first introduce what kernel mode is (as opposed to userland), […]