Avatar rootkit bypasses COMODO HIPS/Sandbox or not?

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2698#p19147

It is said to bypass HIPS… does it bypass any of the CIS HIPS/Sandbox or any other protection feature?

I have a sample of this rootkit if anyone needs it for testing against CIS.

Did you test it yourself? Where was it stated that it can bypass a HIPS? If so, what HIPS, and how can it get past it?

That is what was said on kernelmode forum and the advertisement of the rootkit claims to bypass CIS.

Don’t worry EricJH, rootkits like these can be stopped by any good AV that has a good behavior blocker, HIPS, or sandbox. Besides, the people who made the rootkit look like beginners.

BB can block it.

2013-05-01 22:35:35 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Sandboxed As Partially Limited

2013-05-01 22:35:42 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\flimtic

2013-05-01 22:35:42 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Load Driver C:\Documents and Settings\Roger\Local Settings\Temp\flimtic.sysflimtic.sys

2013-05-01 22:35:42 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\flimtic

2013-05-01 22:35:42 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Access COM Interface LocalSecurityAuthority.Backup

2013-05-01 22:36:09 C:\WINDOWS\system32\cmd.exe Sandboxed As Partially Limited

2013-05-01 22:36:15 C:\WINDOWS\system32\cmd.exe Modify File C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe
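As an added example (not part of the thread or of CIS itself), the following Python parses the behaviour-blocker log lines posted above and flags the sequence a defender cares about here: a process that was auto-sandboxed and then created a service key under HKLM\SYSTEM and loaded a kernel driver. The log format (timestamp, process path, action, target) is inferred from the lines quoted in the post.

```python
import re
from collections import defaultdict

# CIS behaviour-blocker log lines copied from the post above (the first line's year restored).
CIS_LOG = r"""
2013-05-01 22:35:35 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Sandboxed As Partially Limited
2013-05-01 22:35:42 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\flimtic
2013-05-01 22:35:42 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Load Driver C:\Documents and Settings\Roger\Local Settings\Temp\flimtic.sysflimtic.sys
2013-05-01 22:35:42 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\flimtic
2013-05-01 22:35:42 C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe Access COM Interface LocalSecurityAuthority.Backup
2013-05-01 22:36:09 C:\WINDOWS\system32\cmd.exe Sandboxed As Partially Limited
2013-05-01 22:36:15 C:\WINDOWS\system32\cmd.exe Modify File C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe
"""

# Action phrases seen in the posted log; the process path may contain spaces, so the
# non-greedy path group stops at the first occurrence of one of these phrases.
ACTIONS = ("Sandboxed As", "Modify Key", "Load Driver", "Access COM Interface", "Modify File")
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>.+?) "
    r"(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r")(?: (?P<target>.*))?$"
)
# Service registration lives under HKLM\SYSTEM\ControlSetNNN\Services\<name> (CIS prints ??? for the live set).
SERVICE_KEY_RE = re.compile(r"^HKLM\\SYSTEM\\ControlSet[^\\]*\\Services\\", re.IGNORECASE)

def parse_cis_log(text):
    """Return one dict per parsable line; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_kernel_persistence(events):
    """Per process: was it sandboxed, which service keys did it touch, which drivers did it load."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["proc"]].append(ev)
    findings = []
    for proc, evs in by_proc.items():
        drivers = [e["target"] for e in evs if e["action"] == "Load Driver"]
        svc_keys = [e["target"] for e in evs
                    if e["action"] == "Modify Key" and SERVICE_KEY_RE.match(e["target"] or "")]
        if drivers or svc_keys:  # only processes attempting kernel-level persistence are reported
            findings.append({"process": proc,
                             "sandboxed": any(e["action"] == "Sandboxed As" for e in evs),
                             "service_keys": svc_keys, "drivers": drivers})
    return findings

if __name__ == "__main__":
    for f in find_kernel_persistence(parse_cis_log(CIS_LOG)):
        print(f)
```

Run against the posted log it reports a single process: the sandboxed sample, two Services key writes and one driver load, which is the behaviour the BB entries above record.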

I know that already.

This is wrong… there are ways to bypass BB and HIPS also; in fact, do some Google search on this.

Every layer of protection technology can and will be eventually attacked by malware writers and will be bypassed and there will be no 100% protection ever. :wink:

Thanks for showing the data as well. BTW, how did you get this log anyway?

BTW, can somebody close this topic before it gets out of hand?

At the moment this topic does not seem out of hand. Thus, unless malwarekiller would like this topic locked, I see no reason to lock it.

Everyone just needs to stay on topic and refrain from personal attacks, or any remarks which could be interpreted as flaming. As long as everyone does that I see nothing to worry about.

If you suspect that is going to happen, just avoid posting in it. :-
It does not have to be locked to do that, just let common sense prevail.

How about the HIPS any bypass?

Is that just a single rootkit, or does it have many variants?

Looks like a single rootkit, but that can change with time, just how TDL 3 became TDL 4.

BTW, the rootkit is easily removable. All you need to do is use Hitman Pro Kickstart or a Dr.Web boot CD to remove it.

If anyone needs these two programs, feel free to PM me.

Did anyone check if this bypasses the HIPS?

If you want the sample, PM me.

Why are you not testing it yourself?

Because I have messed up my VM… Moreover, I am using VBox, so the test may be a bit iffy. :embarassed:

If anyone is interested, I will send them the sample for testing.

You made a good point there EricJH.

I get it, I was wondering why you would not run it in a vm.

It’s not a point to make. I was just curiously wondering why.

You’re walking a thin line here. This is seen as part of your warfare with malwarekiller. You are trying to diminish his contribution with every opportunity you get. Stop the war or face consequences. You are on our radar for quite a while now.

Don’t reply to this in this topic.