The other parts that are available elsewhere --- where can we download them?
mnajem 5 months ago
only fat ugly losers who have no life and never get laid make viruses and rootkits.
TheWaynelds 5 months ago
lol damn this is old
Devorvan 11 months ago
informative
jibi1705 1 year ago
Then if it hooks the PC only on installation, why not download the antivirus AFTE-- Oh. It hooks the browser, so that all antivirus sites are redirected to another place.
will4210 1 year ago
I luv UnHackMe, it completely destroyed this Vanquish rootkit... Idk how I got it. o.O
ZelousGun 2 years ago
Not so bad.. Hmm..
taeyoungchoon 2 years ago
Fake!!!!!!!!!!!!! lol George Lucas
hamid0401 2 years ago
How effective is F-Secure blacklight at picking this stuff up?
georgetime 2 years ago
Blacklight isn't too good. I had a r00tkit on my system yesterday and Blacklight couldn't detect it. Use UnHackMe, that works a treat and can detect any r00tkit.
pulse404 2 years ago
He's my idol.
s2g78v9k168 2 years ago
NoShit12, LOL I DID NOT MEAN IT LIKE THAT! WHAT I MEAN IS IT'S EASY USING THE API IN A WAY THAT RESULTS IN A CRASH, NOT A ROOTKIT!
i am sorry
drfreezepop 2 years ago
Is this guy high?
Darbytime 3 years ago
i love you :D
NoShit12 2 years ago
Make tons of shitty calls to kernel32, that always works.
drfreezepop 3 years ago
That's not an efficient method.
NoShit12 2 years ago
"Hacker Defender" sounds like it's a program to protect AGAINST hackers, i.e. some type of security. But it's not. Right?
So why the hell do you call it "Hacker Defender"?
Masowai 3 years ago 3
hxdef is one of the original open-source NT rootkits. Who knows why he named it that; the creator is dead now anyway.
0xr00t 3 years ago
That's the name of the tool used. It's very common for malware files to have names that make the malware sound as if it's part of a PC's security defenses. For example, the bot asprox drops a malicious file named "Microsoft Security Center Extension." It's just basic social engineering, to try to trick users into leaving malware on their computers.
LiveSecurity 3 years ago 2
Because, Masowai, it's like a rogue virus program, so the user may think it's either an important process for the computer and won't delete it, or they think it protects them; those are some reasons. Examples of a rogue virus would be WinAntivirus, WinHound, SpySheriff, AntivirGear. Note AntivirGear kind of seems like a typosquatter too, because there is a legit antivirus called Antivir.
AkumaADemoncus 2 years ago
Yeah I totally understand now. When I first watched the video I was confused. Cheers mate.
Masowai 2 years ago
Basic info. Not anything special. I think rootkits hide themselves by unlinking EPROCESS.
AES256bit 3 years ago
Unlinking EPROCESS utterly fails at hiding anything, AntiVirus detects that shit instantly. Best solution is obvious, don't use fully-fledged processes or drivers, _never_ make registry entries that you will have to hide, and don't put yourself on any lists.
Use anonymous threads in kernel memory and in userland just hijack other processes via PE header infection or APCs.
Gwydion415 3 years ago
Or... You could inject yourself into every process and hook NtQuerySystemInformation(), filtering out your name. Or... direct EPROCESS traversal looking for orphans, PsCreateProcessNotifyRoutine(), PsSetImageNotifyRoutine(), or hooking KeInitThread().
AES256bit 3 years ago
But why bother with that at all? If you leave no tracks you will have none to hide, and that is a far superior approach to doing something like injecting into every process... that sounds extremely noisy.
Unhook NtSetSystemInformation from userland, then call it to load the driver, and then just have the driver remove itself from PsLoadedModules... the end. You won't have a fully-fledged driver but you will have an anonymous thread in ring0, and that is all that you need.
Gwydion415 3 years ago
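The detection side of the exchange above (an EPROCESS unlinked from ActiveProcessLinks is still sitting in memory, so a scan that ignores the list finds it, and its neighbours no longer point back at it) as an added Python example; it is not part of the original thread and not anyone's tool. It models kernel memory as a constructed dict of fake addresses and EPROCESS-like records, and applies the cross-view check that memory forensics tools perform (list walk versus object scan, in the style of Volatility's pslist versus psscan) plus a link-consistency check. The process names, PIDs and addresses, including `hxdef.exe`, are constructed sample data.

```python
"""Cross-view detection of a process hidden by unlinking its EPROCESS.

Constructed model (not real Windows memory): each "EPROCESS" is a dict
stored at a fake address; ActiveProcessLinks is modelled as flink/blink
pointers to other EPROCESS addresses, and HEAD stands in for
PsActiveProcessHead.
"""

HEAD = 0xFFFF0000  # constructed address of the list-head sentinel


def build_memory(hidden_pid=None):
    """Construct a fake kernel memory with a few processes. If hidden_pid is
    given, unlink that entry the way a DKOM rootkit would: the neighbours
    bypass it and the victim points at itself so list walks don't crash."""
    procs = [  # (constructed address, pid, name)
        (0xFFFF1000, 4, "System"),
        (0xFFFF2000, 372, "smss.exe"),
        (0xFFFF3000, 1337, "hxdef.exe"),
        (0xFFFF4000, 2048, "explorer.exe"),
    ]
    mem = {HEAD: {"pid": None, "name": "<head>", "flink": None, "blink": None}}
    for addr, pid, name in procs:
        mem[addr] = {"pid": pid, "name": name, "flink": None, "blink": None}
    addrs = [HEAD] + [a for a, _, _ in procs]
    for i, addr in enumerate(addrs):  # build the circular doubly-linked list
        mem[addr]["flink"] = addrs[(i + 1) % len(addrs)]
        mem[addr]["blink"] = addrs[(i - 1) % len(addrs)]
    if hidden_pid is not None:
        victim = next(a for a in addrs[1:] if mem[a]["pid"] == hidden_pid)
        prev_, next_ = mem[victim]["blink"], mem[victim]["flink"]
        mem[prev_]["flink"] = next_
        mem[next_]["blink"] = prev_
        mem[victim]["flink"] = mem[victim]["blink"] = victim
    return mem


def pslist(mem, max_steps=10000):
    """Walk ActiveProcessLinks forward from the head, which is effectively
    what Task Manager and NtQuerySystemInformation-based tools rely on.
    max_steps guards against a cycle introduced by corrupted links."""
    seen, cur, steps = [], mem[HEAD]["flink"], 0
    while cur != HEAD and steps < max_steps:
        seen.append(mem[cur]["pid"])
        cur = mem[cur]["flink"]
        steps += 1
    return seen


def psscan(mem):
    """Scan all of memory for EPROCESS-shaped objects, ignoring the list
    entirely (what pool-tag scanners such as psscan do)."""
    return sorted(rec["pid"] for addr, rec in mem.items() if addr != HEAD)


def find_hidden(mem):
    """Cross-view: processes found by scanning but absent from the list walk."""
    listed = set(pslist(mem))
    return [pid for pid in psscan(mem) if pid not in listed]


def link_anomalies(mem):
    """Second signal: entries whose neighbours don't point back at them, or
    that point at themselves. A benign ActiveProcessLinks list has neither."""
    bad = []
    for addr, rec in mem.items():
        if addr == HEAD:
            continue
        f, b = rec["flink"], rec["blink"]
        if f == addr or b == addr or mem[f]["blink"] != addr or mem[b]["flink"] != addr:
            bad.append(rec["pid"])
    return sorted(bad)


if __name__ == "__main__":
    m = build_memory(hidden_pid=1337)
    print("pslist :", pslist(m))
    print("psscan :", psscan(m))
    print("hidden :", find_hidden(m))
    print("link anomalies:", link_anomalies(m))
```

Both checks fire on the same entry: the unlinked record is reported by the scan-versus-list diff, and its self-referencing links are reported by the consistency check even before the diff is computed. That is why unlinking alone buys a rootkit very little against a scanner that does not trust the list.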
Guys, check out ComboFix, but I suggest you take advantage of the help available on their website; just google "combofix". I did it without the help but I got scared because it looks like your computer is about to die, but it removed all the malware and I was impressed. Nothing else got it right. Peace
11hani11 3 years ago
P.S. why did they get the guy with the gayest-sounding voice ever to do this, lol
opensourcethong 4 years ago
It's funny you said that. What I really think is that he is trying to be nice; however, it's not working that well. I've seen this several times on other videos that were done for training.
Tom.
polarbear60 4 years ago
When I start my computer, system32 pops up and nothing more happens, and my computer is getting slower and slower and slower. I have like 124 GB of room!!! I had a virus that became 12 threats, 3 trojans; I deleted it with AVG and now all is deleted. After my trial with AVG firewall, system32 pops up!!! Before the virus had been deleted, the mouse went up to the upper left of the screen and pressed the program (My Computer) that was there!!! Please help, I'm going to reboot soon!!!
xXxZiockxXx 4 years ago
You need to get these programs, pal: Comodo Firewall, Spybot Search and Destroy, Ad-Aware 2007, SUPERAntiSpyware, Windows Defender (if you've got XP; if you have Vista you'll already have it), a-squared and AVG Anti-Spyware. All trusted programs that I've had loads of success with.
On the other hand, you could ditch Windows and switch to a Linux operating system; you'll never ever have to worry about malware again then.
opensourcethong 4 years ago
where's the fun in linux?
JangosAgony502 3 years ago
That's retarded... with that much AV/firewall software the computer will be so fucked up you will barely be able to use it... I would rather have a virus LOL...
aztecx 3 years ago
depends what it is
thissnowtastfunny 4 years ago
Anyone ever have Starware? I think it's another name for malware.
aquateam777 4 years ago
Starware is a low-risk BHO (Browser Helper Object) for Internet Explorer; it is used to display advertisements at the user's expense. This is not another name for malware, it is a form of adware. Adware is what is described as a PUP/PUA (Potentially Unwanted Program/Application), and simply because it is low risk does not make it acceptable; it can still be a risk to the user's security. Some adware is programmed to send private user information back to its authors' servers.
darkrider53 4 years ago
Corey must be smart because he can follow the camera around the room...
Clearly, if he couldn't do that, the video would be harder to watch.
isilder 4 years ago
THANKS.. for LiveSecurity
abokaresh 4 years ago 2
Good job of increasing awareness about rootkits... Did you guys pull down part 1?
InfoSecNomad 4 years ago
thank you for your web seminar.
NewDaysWillBegin 5 years ago
Your video's great! I don't know why there are so few people interested in it. Please repost the other parts of the video. Keep going!
I've had enough with 3721 (cnsmin). Can someone tell me how to remove it with, let's say, IceSword?
peaceful1123 5 years ago
We have more Malware Analysis videos posted, but they're longer than the 10 minutes YouTube allows. Search Google Video for "Malware Analysis" and you'll see them!
LiveSecurity 5 years ago
Thanks a lot.
peaceful1123 5 years ago
Are you kidding? I am (have been) interested in and subscribed to "LiveSecurity" for a long time.. I am also hoping for MORE videos from them, good quality stuff.
@LiveSecurity: How about encoding the videos to make them much smaller (a SMALLER file size), then you can post them. I mean there's tons of videos on YouTube that are 20-40 mins long (one video). That should fix the length problem.. let us know
alanbrit 5 years ago
Thanks Alanbrit. Our videos are well below YouTube's file size limitations, but if they run even a second over 10 minutes, YouTube's uploader stops them. That's their stated policy. I see longer videos here, too, but I don't know the workaround. For now, we'll subdivide the videos (so the three-part series is five parts, but all under 10 minutes) and get them posted soon. Thanks for your interest!
LiveSecurity 5 years ago