Wednesday, October 11, 2006

New HaxDoor variant

I picked this one up from the Securiteam blog this evening: it seems there's a new HaxDoor variant out. Symantec's technical write-up contains a lot of detail (useful to forensic analysts; the folks on the FIRST list should take note), and even though they classify this one as a "backdoor", they do use the word "rootkit". For further reading:
This variant captures keystrokes, steals passwords, and allows the attacker to download files. It also hides itself, installs itself as a service, attempts to disable the Windows Security Center, and picks up a second persistence mechanism by adding an entry under the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

A quick word on why that key matters: Winlogon reads each subkey under Notify, loads the DLL named in its DLLName value into winlogon.exe, and calls the exports named by the event values (Logon, Logoff, Startup, Shutdown, and so on). Anything registered there runs as LocalSystem every time the box boots or someone logs on, which is exactly what a backdoor wants. Here's some info from MS on that Winlogon\Notify entry.
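To make that concrete, here is an added example (mine, not from the original post or from Symantec's write-up) that enumerates the Notify packages on a system and flags the ones an analyst should look at first: names not in a baseline, a DLLName that can't be found, a DLL outside System32, or one without a valid Authenticode signature. The baseline list of package names is an assumption about a default Windows XP SP2 install; check it against a known-good image before trusting it. The -NotifyKey and -SystemRoot parameters are mine, so the script can be pointed at an evidence hive and a mounted image rather than the live box.

```powershell
# Added example (not from the original post): triage Winlogon\Notify packages.
# Winlogon loads the DLL named by each subkey's DLLName value into winlogon.exe
# and calls the exports named by the event values (Logon, Logoff, Startup, ...).
param(
    # For offline work: reg load HKLM\Evidence D:\case\config\SOFTWARE, then point
    # this at HKLM:\Evidence\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.
    [string]$NotifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    # Windows directory to resolve bare DLL names against (use the mounted image's, not yours).
    [string]$SystemRoot = $env:SystemRoot
)

# Assumption: package names present on a default Windows XP SP2 install.
# Confirm against a known-good image before relying on it.
$Baseline = @('crypt32chain','cryptnet','cscdll','ScCertProp','Schedule',
              'sclgntfy','SensLogn','termsrv','wlballoon')

# Event values whose data names an exported function Winlogon will call.
$EventValues = @('Logon','Logoff','Startup','Shutdown','Lock','Unlock',
                 'StartScreenSaver','StopScreenSaver','StartShell')

$System32 = Join-Path $SystemRoot 'System32'

Get-ChildItem -Path $NotifyKey -ErrorAction Stop | ForEach-Object {
    $name  = $_.PSChildName
    $props = Get-ItemProperty -Path $_.PSPath
    $dll   = $props.DLLName
    $flags = @()

    if ($Baseline -notcontains $name) { $flags += 'not in XP SP2 baseline' }

    if (-not $dll) {
        $flags += 'no DLLName value'
    } else {
        # A bare file name is resolved through the loader's search path; System32 is the normal case.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $System32 $dll }
        if (-not (Test-Path -LiteralPath $path)) {
            $flags += "DLL not found at $path"
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            if ((Split-Path $path -Parent) -ne $System32) { $flags += 'DLL outside System32' }
        }
    }

    # Which events the package hooks, and the export name it maps each one to.
    $events = foreach ($ev in $EventValues) {
        if ($props.PSObject.Properties[$ev]) { "$ev=$($props.$ev)" }
    }

    [pscustomobject]@{
        Package      = $name
        DLLName      = $dll
        Events       = ($events -join ', ')
        Asynchronous = $props.Asynchronous
        Impersonate  = $props.Impersonate
        Flags        = ($flags -join '; ')
    }
} | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

Flagged packages sort to the top. When running against a loaded evidence hive, pass -SystemRoot as the mounted image's Windows directory; otherwise the existence and signature checks are made against the examiner's own System32 and say nothing about the suspect system. An unsigned DLL in System32 is not proof of anything on its own (plenty of vendor notify packages are unsigned), but together with a name not in your baseline it is where you start pulling the thread.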

One thing that's needed is a wider understanding of how important clear, detailed write-ups like this one are to the IR/CF community. They're a real help when you're trying to gauge the sophistication of an intrusion and work out your next steps. Remember, things such as NTFS ADSs and esoteric Registry key entries may be ho-hum boring to a lot of folks, but they're all pieces of the puzzle if you're doing IR/CF.

If you think you may have a rootkit, check out one of these tools.

1 comment:

Anonymous said...

Cool!!!

- Rossetoecioccolato.