"Security is a culture"
Tuesday, April 9, 2013
A peek inside the ‘Zerokit/0kit/ring0 bundle’ bootkit
Features:
- Start of *.exe, *.dll (*.dll is in a pre-alpha stage) and shellcodes in the context of the chosen process.
- Start of files from a disk and from memory* (start from memory is in a pre-alpha stage).
- Start of files with specified privileges: CurrentUser and NT SYSTEM/AUTHORITY.
- Granting the protected storehouse** for off-site (your) ring3 solutions, for permanent existence in the system without the need for crypting.
- Survivability of the bundle, down to a reinstallation of the system.
- All the components are stored outside of the file system and are invisible to the OS.
- Intuitively clear admin-panel interface.
- Protection against the abstraction of the Admin Panel.
- Impossibility of detection of the bundle in the working system by any known AV/rootkit scanner, owing to the use of the author's concealment technologies. The only opportunity for detection exists at loading with a livecd or scanning the disk from another computer. Even then the opportunity for detection is extremely improbable, as our own mutation algorithms are used.
* Starting a file from memory allows bypassing all modern proactive protection and AV scanners; that is, there is no need to crypt the file.
** The protected storehouse is an original ciphered file system in which a certain quantity of files, which will be started from memory at each start of the OS, can be stored.
The bundle consists of:
- Bootkit. It is responsible for the start of the basic modules at the OS loading stage.
- Driver. It is responsible for all the infrastructure and implements componential business logic on the basis of so-called mods (functional units). That is, the driver is not a legacy (monolithic) driver, but consists of a set of mods, which allows operating the bundle with maximum flexibility and protecting (hard to reverse), updating and expanding it.
- Dropper. At the current moment it breaks out all machines with patches up to January 8th, 2011, except for XP x32/x64, where reloading is initiated. If systems other than XP have the latest updates, reloading is initiated as well.
- User friendly Admin Panel.
Also I will give support to clients within the subscription fee. I provide them with:
- Development of new functionality, and
- Development of new exploits for the dropper.
- Perfection of algorithms of concealment and penetration of the
The high scalability of zerokit allows developing additional mods and complicating the business logic of the whole infrastructure.
Zer0kit has a flexible update subsystem and can live in the system as long as possible. Also zerokit has considered and provable logic to prevent the loss of bots.
Supported OSes:
- Windows XP SP1-SP3 (x32, x64)
- Windows Vista SP1-SP2 (x32, x64)
- Windows 7 SP0-SP1 (x32, x64)