Language Selection

English French German Italian Portuguese Spanish

Black Hat conference: Newest Stealth Rootkits

Filed under
Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

Full Story.

More in Tux Machines

MediaTek launches developer portal, debuts Android SDK

MediaTek announced a Mediatek Labs hacker site, plus a MediaTek SDK for Android and a “LinkIt” RTOS that runs on an ARM-based, IoT-oriented “Aster” SoC. For years, Taiwan-based MediaTek has offered ARM-based system-on-chips for Android, starting with the budget market, but more recently offering powerful SoCs such as the MediaTek MT6595, an octa-core SoC with four 2.5GHz Cortex-A17 cores. Now, the company is extending its development support by launching a MediaTek Labs portal division based in Silicon Valley. The first offerings include a preview release of MediaTek SDK for Android, which provides a set of extensions that build on Google’s Android SDK. Read more

The skinny on thin Linux

Much commotion has surrounded this column in the past few weeks. Not even counting the systemd discussion, my call for a server-only Linux distribution that does not support any desktop applications or frameworks caused a tizzy, mostly from folks who couldn't quite grasp that I wasn't only talking about not selecting desktop packages during installation. Read more

CipherShed: A replacement for TrueCrypt

While the Open Crypt Audit Project, headed by cryptographer Matthew Green and Kenneth White, Principal Scientist at Social & Scientific Systems, has been considering whether to take over the development of TrueCrypt and is working on the second phase of the audit process (a thorough analysis of the code responsable for the actual encryption process), one of TrueCrypt's developers has expressed his disapproval of a project that would fork the software. Read more

Red Hat CEO announces a shift from client-server to cloud computing

Red Hat is in the midst of changing its image from a top Linux company to the future king of cloud computing. CEO Jim Whitehurst told me in 2011 that the Platform-as-a-Service (PaaS) cloud would be Red Hat's future. Today in a blog posting, Whitehurst underlined this shift from Linux to OpenStack. Read more