Language Selection

English French German Italian Portuguese Spanish

Black Hat conference: Newest Stealth Rootkits

Filed under
Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

Full Story.

More in Tux Machines

Red Hat After Graphics People

GNOME News

  • Desk Changer is a Wallpaper Slideshow Extension for GNOME
    Have you been looking for a GNOME wallpaper slideshow extension? If so, you can stop. In the comments to our recent post on the way GNOME handles wallpapers a number of readers asked whether GNOME had an image slideshow feature built in, without the need for third-party apps and the like. The answer is yes, GNOME does. Sort of.
  • Minwaita: A Compact Version of Theme Adwaita for Gnome Desktop
    As you may already know that Ubuntu is switching back to Gnome, this is the transition time for Ubuntu to switch back. Some creators are motivated and creating themes for Gnome desktop, which is a good thing and hopefully we shall see plenty of Gnome themes and icons around soon. As its name shows "Minwaita" it is minimal/compact version of Adwaita theme, the theme is available after some enhancements to make Gnome more sleek and more vanilla Gnome experience without moving to away from Adwaita's design. This theme is compatible with Gnome 3.20 and up versions. This theme was released back in November, 2016 and still in continuous development that means if you find any problem or bug in the theme then report it to get it fixed in the next update. Obsidian-1 icons used in the following screenshots.
  • Gnome Pomodoro Timer Can Help You Increase Productivity
    If you are struggling with focus on something, it could be your work or study then try Pomodoro technique, this method developed by Francesco Cirillo in the late 1980s. The technique uses a timer to break down work into intervals, traditionally 25 minutes in length, separated by short breaks. You can read more about Pomodoro here.
  • Widget hierarchies in GTK+ 4.0
    In GTK+3, only GtkContainer subclasses can have child widgets. This makes a lot of sense for “public” container children like we know them, e.g. GtkBox — i.e. the developer can add, remove and reorder child widgets arbitrarily and the container just does layout.

Red Hat News

Leftovers: Ubuntu and Debian