Author: dlux
Subject: Gpu based paravirtualization rootkit, all os vulne
Posted: 03 February 2013 at 9:12am
WS:
For test #2 are you sure you were looking AFTER you went to a website AND after you closed the browser? You can also test by opening an Excel spreadsheet (an actual file) (Excel 2010) and closing Excel. For Firefox you should see the Unknown Processes instantly grabbing the browser cache files and other things. It will even make a folder called Cache.Trash in the folder where the cache files are. This Cache.Trash will NOT be visible even if you have the explorer window open to try to see it. It's a reparse point (injected) and even if you search deep in the OS it will not be listed. Yes, Firefox STARTING will not create Unknown Procs, closing it will if you went to a website.
Try again with ProcessHacker set to run at boot in the startup folder. If you are infected you will see Unknowns pop up during boot for a few mins. Let me know please, thanks.
Interesting about the task sched jobs. I don't like how that sounds, it shouldn't be that way. In any case let me know about the PH at boot. That one is a clincher.
#1, yes you can make non-existent parents. I know, the procedure you described is correct to create those. No problems there. Power off YES true but also make sure the power cord is removed. The RAM and GPU will retain contents otherwise. Yes, do all tests as first thing.
You mentioned that at first boot you see a clean machine for test #1.
Please give me details about which Process Tree Bases (my own term) show an actual running parent. This is very important to me. I have only seen 1 machine that shows bases with real parents and that machine also passes test #2 with NO Unknowns.
These aren't the only 2 tests. There are 6 total but if these first 2 don't pass then I'm pretty sure of infection already. In your case right now I can't make any conclusion. The Unknowns in PH I think should not be there in any circumstance at all. If you tell me you have specific process tree bases with real parents then I will need to contemplate further. i.e., it would look good but seeing Unknowns in PH causes some confusion.
Please let me know.
Thanks man
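The two observations the post keeps coming back to, processes whose parent is no longer running ("Unknowns" in Process Hacker) and a reparse point sitting in the Firefox cache folder, can be scripted instead of watched in a GUI. The PowerShell below is an added example, not code from this thread or from Process Hacker; the Firefox profile path is an assumption. One point to keep in mind when reading the output: Windows never updates a process's recorded parent PID after the parent exits, so an orphaned parent is routine (installers, launchers and the shell all spawn children and go away), and a PID can be reused by an unrelated younger process. The script therefore reports both cases separately so they can be compared against a baseline rather than read as proof of anything on their own.

```powershell
# Added example (not from the forum post): script the two checks the post
# describes on Windows. Paths are assumptions, not values from the thread.

# --- Check 1: processes whose recorded parent no longer exists -------------
# Win32_Process exposes ParentProcessId, but Windows does not update it when
# the parent exits. An orphan is therefore a lead, not evidence. PID reuse can
# also make a stale ParentProcessId point at an unrelated, younger process;
# the creation-time comparison below separates that case out.
function Get-OrphanedProcesses {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byPid[$p.ParentProcessId]
        $status = $null
        if (-not $parent) {
            $status = 'ParentExited'
        } elseif ($parent.CreationDate -and $p.CreationDate -and
                  $parent.CreationDate -gt $p.CreationDate) {
            # The "parent" started after the child: its PID was reused and the
            # real parent is gone.
            $status = 'ParentPidReused'
        }
        if ($status) {
            [pscustomobject]@{
                Pid     = $p.ProcessId
                Name    = $p.Name
                PPid    = $p.ParentProcessId
                Started = $p.CreationDate
                Status  = $status
                Path    = $p.ExecutablePath
            }
        }
    }
}

# --- Check 2: reparse points inside the browser cache ----------------------
# Lists junctions/symlinks anywhere under the Firefox profile tree, including
# hidden and system entries (-Force). A reparse point inside a cache directory
# is unusual enough to be worth explaining, whatever put it there.
function Get-CacheReparsePoints {
    param(
        # Assumed default Firefox profile location; adjust for other browsers.
        [string]$Root = (Join-Path $env:LOCALAPPDATA 'Mozilla\Firefox\Profiles')
    )
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        Select-Object FullName, LinkType, Target, LastWriteTime
}

# --- Snapshot both results so a boot-time run can be diffed later ----------
function Save-Snapshot {
    param([string]$OutDir = (Join-Path $env:TEMP 'proc-snapshots'))  # assumed location
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    @{
        Taken         = (Get-Date).ToString('o')
        Orphans       = @(Get-OrphanedProcesses)
        ReparsePoints = @(Get-CacheReparsePoints)
    } | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $OutDir "snapshot-$stamp.json")
}

# Interactive use:
Get-OrphanedProcesses  | Sort-Object Status, Name | Format-Table -AutoSize
Get-CacheReparsePoints | Format-Table -AutoSize
Save-Snapshot
```

To reproduce the "Process Hacker at boot" test, run `Save-Snapshot` from a scheduled task that fires at logon, then compare that file against one taken after the browser or Excel test; entries that appear only after the activity are the ones worth tracing to a binary and a signer, and `ParentPidReused` rows should be read as bookkeeping artefacts unless something else about the process stands out.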