Language Selection

English French German Italian Portuguese Spanish

Black Hat conference: Newest Stealth Rootkits

Filed under
Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

Full Story.

More in Tux Machines

Mozilla and Add-ons

  • Firefox 40.0.3 Brings Bug-Fixes Only
  • Reactions to Mozilla’s announcement about upcoming Firefox add-on changes
  • Mixed Feelings Greet Mozilla's Add-ons Overhaul
    Also new is a requirement for add-ons to be reviewed and signed by Mozilla before their deployment. Back in April, Mozilla's security lead Daniel Veditz published The Case for Extension Signing, addressing the volume of feedback their announcement had generated from the developer community. Veditz said the internet browsing experience for tens of thousands of people was being shaped by "third party add-ons in ways they did not choose and that benefit third parties, not the user."
  • Please, God, Don't Let Mozilla Ruin Firefox
    A week ago, Mozilla shed some light on its future, laying out a plan on how the browser is going to dramatically change in the upcoming months. While most of us understood "Chrome extensions were coming to Firefox," it is not as simple as we all thought.
  • The future of Firefox Add-ons - Nope
    Once in a while, I must give my sermons, to help you figure out how things work. Why this is not going to be good for us, the users, and why we must duly prepare, in advance. As it happens, Mozilla does not fully understand the market. It truly does not. When you make decisions based on incorrect data, you are bound to make a disastrous choice. Let's try to amend this, if possible.

Leftovers: Ubuntu

today's howtos

Leftovers: Gaming