
Black Hat conference: Newest Stealth Rootkits

Filed under: Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, compare what the normal Windows APIs report about the registry and file system with a lower-level view of the same data; a discrepancy between the two views may indicate the presence of a user-mode or kernel-mode rootkit.
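The cross-view comparison described above, written out as an added example that is not part of the article and not the code of any of the tools it names. It assumes two enumerations of the same namespace are available per scan round: one obtained through the ordinary API (which a rootkit can filter) and one read from the raw on-disk or in-hive structures (which it usually leaves alone). The file paths, registry keys and the hidden driver name are constructed sample data, and the repeated-round filter for transient entries is this example's own design choice.

```python
# Added example: cross-view discrepancy detection of the kind the article attributes
# to RootkitRevealer / Strider Ghostbuster / BlackLight. Not the tools' own code.
#
# Idea: enumerate the same namespace (files, registry keys) twice, once through
# the normal high-level API and once from a low-level source the rootkit is not
# filtering. Anything the low-level view reports but the API view omits is a
# discrepancy worth investigating. A single snapshot also catches files that
# were created or deleted between the two enumerations, so the report only
# flags entries that stay hidden across every scan round.
from typing import Dict, List, Set, Tuple

ViewPair = Tuple[Set[str], Set[str]]  # (api_view, raw_view) for one scan round


def hidden_entries(api_view: Set[str], raw_view: Set[str]) -> Set[str]:
    """Entries the raw view reports but the API view omits (candidate hiding)."""
    return raw_view - api_view


def phantom_entries(api_view: Set[str], raw_view: Set[str]) -> Set[str]:
    """Entries the API view reports but the raw view lacks.

    Usually transient (deleted between the two enumerations) rather than a
    rootkit, but surfaced so the analyst can see both directions of disagreement.
    """
    return api_view - raw_view


def scan_report(rounds: List[ViewPair]) -> Dict[str, List[str]]:
    """Split discrepancies into those hidden in every round and those seen once.

    An entry hidden in every round cannot be explained by timing between the
    two enumerations; an entry hidden in only some rounds is treated as
    transient noise (temporary files, log rotation, short-lived keys).
    """
    if not rounds:
        return {"hidden": [], "transient": []}
    per_round = [hidden_entries(api, raw) for api, raw in rounds]
    stable = set.intersection(*per_round)
    transient = set.union(*per_round) - stable
    return {"hidden": sorted(stable), "transient": sorted(transient)}


# --- Constructed sample data (not real scan output) -------------------------
# "hidden_example" stands in for a driver and service key a kernel-mode rootkit
# strips from API results; it is a placeholder name, not a real artifact.
_COMMON = {
    "C:\\Windows\\System32\\ntoskrnl.exe",
    "C:\\Windows\\System32\\drivers\\tcpip.sys",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip",
}
_HIDDEN = {
    "C:\\Windows\\System32\\drivers\\hidden_example.sys",
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\hidden_example",
}

# Round 1: a temp file exists in both views, and a scratch log appears only in
# the raw view because it was created after the API enumeration finished.
ROUND1_API = _COMMON | {"C:\\Temp\\report.tmp"}
ROUND1_RAW = ROUND1_API | _HIDDEN | {"C:\\Temp\\scratch-1.log"}

# Round 2: the temp file and scratch log are gone; the hidden entries persist.
ROUND2_API = set(_COMMON)
ROUND2_RAW = ROUND2_API | _HIDDEN

SAMPLE_ROUNDS: List[ViewPair] = [(ROUND1_API, ROUND1_RAW), (ROUND2_API, ROUND2_RAW)]


if __name__ == "__main__":
    report = scan_report(SAMPLE_ROUNDS)
    print("Hidden in every round (investigate):")
    for entry in report["hidden"]:
        print("  ", entry)
    print("Seen in only some rounds (likely transient):")
    for entry in report["transient"]:
        print("  ", entry)
```

The two-round filter is what keeps the technique usable on a live system: a single pass always produces some disagreement from normal churn, so only entries that a rootkit hides consistently survive into the "hidden" list. The trade-off the article hints at is that this only works while the low-level view is trustworthy; a rootkit that subverts memory itself, as Shadow Walker aims to, can make both views lie.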

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

