
2 posts tagged 'IceSword'

  1. 2009.06.26 [Interviews] The author of ICESWORD
  2. 2008.02.15 The destructive Ice Sword (ICE SWORD) virus
Analysis tools · 2009.06.26 10:49


IceSword author's sites
http://pjf.blogcn.com/index.shtml (personal blog)
http://mail.ustc.edu.cn/~jfpan/ (University of Science and Technology of China)


[screenshot]

IceSword Author Speaks Out On 'Rootkits'


Computer users in the Western world had better adjust to the fact that excellent software is coming from China and will initially be available only in Chinese.
That's the situation with IceSword, a program I wrote about on May 31 and June 7. IceSword is a remarkably effective tool against "rootkits," virus-type programs that can evade detection by ordinary antivirus products. IceSword is available only in a Chinese-language version. Using several search engines, I was able to find dozens of comments about the program in Chinese-language sites, but not a single mention in English.

The one exception was the site of Hacker Defender, a rootkit package that's sold in a basic version for 20 euros (about $25 USD) and "silver" and "gold" versions for up to 450 euros. The package's author, who calls himself "holy_father," has written on his site that currently the only antirootkit tool that can detect Hacker Defender (HxDef) is IceSword. He called it "such a nice tool, [a] real challenge," adding, "One of my priorities this summer [will be] to beat IceSword."

The author of IceSword is a Chinese programmer who goes by "pjf_" in online postings. I was finally able to track down pjf_ and interview him through an intermediary. (After discovering an e-mail address pjf_ once used in a discussion forum, I sent a message requesting his full name, but my communication went unanswered.)

The following interview was conducted for me in Chinese by Ming Jin, a researcher who works with eEye Digital Security, based in southern California. I had the responses translated into English by Zhen Wang, a professional translator in Beijing.

IceSword's Strengths and Weaknesses

Q: How could a rootkit bypass IceSword?

PJF_: For the newly released version 1.10, it's not known that a rootkit can bypass IceSword. In theory, a rootkit could bypass IceSword, but it has got to get into IceSword's kernel. However, this is not easily done in a short period of coding/programming.

While programming IceSword, I thought of a way a rootkit might bypass it and how to deal with this. However, for IceSword's stability, I didn't add such functionality. IceSword will be upgraded as new rootkits are released.

Actually, it is more reasonable that a rootkit could break IceSword, not just bypass it. Yet, attempting to do so could make a rootkit visible to IceSword. An easier way would be to analyze IceSword completely, and cut down its linking between the kernel and the user interface. This could be done in a new version [of a rootkit].

Detecting Hacker Defender

Q: How does IceSword detect Hacker Defender? (By enumerating services, and finding hidden ones, I would guess.)

PJF_: Hacker Defender is a strong rootkit, and the Gold and Silver Hacker Defender packages are more potent. Many antirootkit programs, such as Rootkit Revealer and BlackLight, can't detect Hacker Defender. (Such statements can be found on the Web site of the author of Hacker Defender.) I haven't got the Gold and Silver packages. But on the author's home page, it is stated that Hacker Defender cannot evade IceSword. And IceSword is continually improving.

Regarding the public version of HxDef, IceSword can detect all the hidden stuff, such as files, register maps, processes, services, and so on. My techniques can detect such a rootkit and quarantine and clean it. In addition, a tool called Ishelp in IceSword version 1.10 is also very helpful in detecting rootkits.

Comparing IceSword with Other Antirootkit Programs

Q: Is IceSword better than Rootkit Revealer or BlackLight?

PJF_: I think that the user is in a position to make such a judgment. In my opinion and after many tests, IceSword looked more stable in many cases. However, each software program has its own unique features and strengths. Some rootkit writers have their own comments, and they are in a better position to make judgments.

Other Features of IceSword

Q: Does IceSword do anything else?

PJF_: IceSword also does a pretty good job of breaking the protection of a potent rootkit over processes, files, and register maps. For example, if a rootkit uses a filter driver to disable writing and deleting files, IceSword can detect this and clean it up.

I've developed a new version, which has such features as a firewall, file protection, and driver monitoring. Not all of this is written using publicly documented Microsoft code. This version cannot be released before it has been thoroughly tested on multiple platforms.

F-Secure Responds Regarding BlackLight

I asked F-Secure, the publisher of BlackLight, and SysInternals.com, the publisher of Rootkit Revealer, for their reaction to pjf_'s assertion that IceSword can detect rootkits that their products cannot.

"We have heard of the IceSword tool and have no doubt that it is a capable rootkit detector," says Mikael Albrecht, product manager for F-Secure, which is headquartered in Helsinki, Finland. "The question about what antirootkit tool is the best is hard to answer. We agree with pjf_'s point that rootkit detectors are different and are focused on different use cases and users. It is, in addition to that, worth noting that the Windows rootkit scene is new and rapidly developing.

"Rootkit detection is a cat-and-mouse game. Sometimes the rootkit authors are ahead, sometimes the antirootkit authors. We can at the moment detect all rootkit samples that we have access to, but that may change as soon as a new, more advanced rootkit is published. We will naturally respond with improved detection when that happens. There are still no signs that this race will slow down. This makes it even harder to name the best antirootkit tool. ...

"Rootkit technology is not a big problem at the moment. The number of affected systems is a small fraction compared to the number of virus infections. We must, however, be prepared to handle virus outbreaks that install rootkit technology in a large number of systems. It is important that the security industry has got technology that is mature enough when it happens. Every cycle with improved rootkits and antirootkit tools gives us better ability to handle situations like that."

SysInternals.com did not respond to my request for comment.

Conclusion

IceSword has a Windows Explorer-like interface but displays hidden processes and resources that Windows Explorer would never show. It isn't a "click-here-to-delete-rootkits" product but a sophisticated discovery tool that can protect against sinister rootkits if used before they infect a machine.

IceSword's documentation is entirely in Chinese, but that wouldn't necessarily stop dedicated IT administrators from downloading the software and trying it on a test Windows PC. I encourage security professionals to look into this further and let me know what you learn.

IceSword is downloadable from Xfocus.net, a Chinese security site, in compressed RAR format at Xfocus.net/tools/200505/1032.html.

Update as of 2005-11-15: An English-language version of the program is now available for download from the following Web page:

http://xfocus.net/tools/200509/1085.html

http://itmanagement.earthweb.com/columns/executive_tech/article.php/3512621


Posted by viruslab
New malware information · 2008.02.15 08:58


An overwriting virus has been found that creates itself under the file name ICESWORD.EXE.
It disguises itself as the legitimate ICESWORD program, so caution is needed.
Take a careful look at the icon in the screenshot below.

The virus file is 589,942 bytes in size and is packed with FlySFX.

It was made in China and uses the Autorun.inf technique. Besides executables (EXE), it overwrites (destroys) many other kinds of files with the virus file. Affected files therefore cannot be disinfected; they have to be deleted and the software reinstalled.

One peculiarity is that it overwrites the Autorun.inf file it installed with its own virus code, which the author probably did not anticipate. As a result, the Autorun.inf mechanism may not work properly, and on disk drives other than C: it installs itself under a different name (ntldr).

If the system files are badly damaged, Windows has to be formatted and reinstalled.

Files of many kinds are destroyed by the virus, including:
Shortcuts (.lnk)
Text files (.txt)
Internet shortcuts (.url)
Data files (.dat)
Configuration files (.ini)

The AUTOEXEC.BAT and CONFIG.SYS files are also destroyed, causing serious damage to the system.
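As an added illustration (not part of the original post and not a tool from viruslab), the following Python script triages a directory for the damage pattern described above: files whose contents were replaced wholesale by one body. It flags a PE ("MZ") header under an extension that should never carry one, byte-identical contents shared across unrelated extensions, and a size equal to the 589,942 bytes reported above. The sample directory it builds is constructed for the demonstration; the MZ-prefixed filler is a stand-in, not malware.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Size reported for the sample in the post; the remaining checks are my own heuristics.
REPORTED_SAMPLE_SIZE = 589_942
# Extensions whose contents should never begin with a PE ("MZ") header.
NON_EXECUTABLE_EXTS = {".lnk", ".txt", ".url", ".dat", ".ini", ".bat", ".inf"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_overwrites(root):
    """Walk root and return {path: set(reasons)} for files matching the overwrite pattern."""
    findings = defaultdict(set)
    by_hash = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            size = os.path.getsize(path)
            with open(path, "rb") as f:
                head = f.read(2)
            if head == b"MZ" and ext in NON_EXECUTABLE_EXTS:
                findings[path].add("PE header under non-executable extension")
            if size == REPORTED_SAMPLE_SIZE:
                findings[path].add("size matches reported sample size")
            if size > 0:  # identical empty files are normal, so skip them
                by_hash[sha256_of(path)].append(path)
    # An overwriting virus writes the same body everywhere, so files with
    # unrelated extensions end up byte-identical.
    for paths in by_hash.values():
        if len(paths) > 1 and len({os.path.splitext(p)[1].lower() for p in paths}) > 1:
            for p in paths:
                findings[p].add("identical content shared across extensions")
    return dict(findings)


def build_sample_tree():
    """Constructed throwaway directory imitating the damage; the body is filler, not malware."""
    root = tempfile.mkdtemp(prefix="overwrite_demo_")
    body = b"MZ" + b"\x00" * 100
    for name in ("readme.txt", "shortcut.lnk", "site.url", "settings.ini", "AUTOEXEC.BAT"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"untouched text file\n")
    return root


def demo():
    """Scan the constructed tree and key the results by file name."""
    root = build_sample_tree()
    return {os.path.basename(p): reasons for p, reasons in scan_for_overwrites(root).items()}


if __name__ == "__main__":
    for name, reasons in sorted(demo().items()):
        print(name, "->", ", ".join(sorted(reasons)))
```

Run it against a copy of a suspect drive's user directories rather than the live system root: the hash pass reads every file, and the identical-content check is what catches overwritten files whose size does not match the reported sample (for example a repacked variant).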

[screenshot]

When system files have been destroyed, a message window like the one below appears.

[screenshot]

Files linked from shortcuts or from the Quick Launch bar are all damaged and no longer run normally.

[screenshots]

It attempts to stop the services of well-known (security) programs:

\System32\net.exe stop srservice
\System32\sc.exe config srservice start=disabled
\System32\net.exe stop KVWSC
\System32\sc.exe config KVWSC start=disabled
\System32\net.exe stop SharedAccess
\System32\sc.exe config SharedAccess start=disabled
\System32\net.exe stop KVSrvXP
\System32\sc.exe config KVSrvXP start=disabled
\System32\net.exe stop KavSvc
\System32\sc.exe config KavSvc start=disabled
\System32\net.exe stop RsRavMon
\System32\sc.exe config RsRavMon start=disabled
\System32\net.exe stop RsCCenter
\System32\sc.exe config RsCCenter start=disabled
\System32\sc.exe config AVP start=disabled
\System32\sc.exe config RfwService start=disabled
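The command list above is a usable detection signal on its own: a single parent process issuing "net stop" and "sc config ... start=disabled" against several security services in quick succession is rarely an administrator. As an added example (not part of the original post), the Python below runs that logic over a few constructed process-creation log lines. The log format (timestamp, parent=, cmd=) is hypothetical, the watchlist is the set of service names in the post, and the ICESWORD.EXE path is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Service names taken from the command list in the post, lower-cased for matching.
# srservice is Windows XP System Restore and SharedAccess is Windows Firewall/ICS;
# the rest are the third-party antivirus/firewall services the post lists.
WATCHED_SERVICES = {
    "srservice", "kvwsc", "sharedaccess", "kvsrvxp", "kavsvc",
    "rsravmon", "rsccenter", "avp", "rfwservice",
}

# "net stop <svc>" and "sc config <svc> start=disabled"; sc accepts "start= disabled" too.
NET_STOP = re.compile(r"\bnet(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.IGNORECASE)
SC_DISABLE = re.compile(
    r"\bsc(?:\.exe)?\s+config\s+\"?([^\s\"]+)\"?\s+start\s*=\s*disabled\b", re.IGNORECASE)

# Hypothetical log line layout: <timestamp> parent=<image path> cmd=<command line>
LINE = re.compile(r"^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample lines; paths and times are made up for the demonstration.
SAMPLE_LOG = [
    r"2008-02-15T08:58:01 parent=C:\Temp\ICESWORD.EXE cmd=\System32\net.exe stop srservice",
    r"2008-02-15T08:58:01 parent=C:\Temp\ICESWORD.EXE cmd=\System32\sc.exe config srservice start=disabled",
    r"2008-02-15T08:58:02 parent=C:\Temp\ICESWORD.EXE cmd=\System32\net.exe stop SharedAccess",
    r"2008-02-15T08:58:02 parent=C:\Temp\ICESWORD.EXE cmd=\System32\sc.exe config KavSvc start=disabled",
    r"2008-02-15T09:10:00 parent=C:\WINDOWS\system32\cmd.exe cmd=sc config SharedAccess start= disabled",
    r"2008-02-15T09:11:00 parent=C:\WINDOWS\system32\cmd.exe cmd=net stop Spooler",
]


def classify(cmd):
    """Return (action, service) when the command line tampers with a watched service, else None."""
    m = NET_STOP.search(cmd)
    if m and m.group(1).lower() in WATCHED_SERVICES:
        return ("stop", m.group(1).lower())
    m = SC_DISABLE.search(cmd)
    if m and m.group(1).lower() in WATCHED_SERVICES:
        return ("disable", m.group(1).lower())
    return None


def tampering_by_parent(lines):
    """Group watched-service tampering events by the parent that spawned net.exe/sc.exe."""
    events = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # tolerate lines in other formats
        hit = classify(m.group("cmd"))
        if hit:
            events[m.group("parent")].add(hit)
    return events


def alerts(lines, min_services=2):
    """Flag parents that stop or disable at least min_services distinct watched services."""
    out = []
    for parent, hits in tampering_by_parent(lines).items():
        services = {svc for _, svc in hits}
        if len(services) >= min_services:
            out.append((parent, sorted(services)))
    return sorted(out)


if __name__ == "__main__":
    for parent, services in alerts(SAMPLE_LOG):
        print(f"ALERT {parent}: tampered with {', '.join(services)}")
```

The threshold of two distinct services keeps a lone "sc config SharedAccess start= disabled" from an administrator's cmd.exe out of the alert list while the burst from the constructed ICESWORD.EXE parent is flagged; in a real deployment the parent field would come from a process-creation audit source and the watchlist from the names actually running on the fleet.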

[screenshot]

Posted by viruslab